From 4bb98be277192dcc43e2f9842d111b083073e912 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 7 May 2025 14:21:20 +0100 Subject: [PATCH 01/19] initial remove of MBEDTLS_USE_PSA_CRYPTO Signed-off-by: Ben Taylor --- programs/fuzz/fuzz_client.c | 4 - programs/fuzz/fuzz_dtlsclient.c | 4 - programs/fuzz/fuzz_dtlsserver.c | 4 - programs/fuzz/fuzz_server.c | 10 +-- programs/fuzz/fuzz_x509crl.c | 10 +-- programs/fuzz/fuzz_x509crt.c | 8 +- programs/fuzz/fuzz_x509csr.c | 10 +-- programs/pkey/gen_key.c | 4 - programs/pkey/pk_sign.c | 4 - programs/pkey/pk_verify.c | 4 - programs/pkey/rsa_sign_pss.c | 4 - programs/pkey/rsa_verify_pss.c | 4 - programs/ssl/ssl_client2.c | 65 ++-------------- programs/ssl/ssl_server2.c | 76 +++---------------- programs/ssl/ssl_test_lib.c | 6 +- programs/ssl/ssl_test_lib.h | 21 +----- programs/x509/cert_app.c | 4 - programs/x509/cert_req.c | 4 - programs/x509/cert_write.c | 4 - programs/x509/crl_app.c | 4 - programs/x509/load_roots.c | 4 - programs/x509/req_app.c | 4 - tests/include/test/ssl_helpers.h | 9 --- tests/src/test_helpers/ssl_helpers.c | 108 --------------------------- 24 files changed, 33 insertions(+), 346 deletions(-) diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 440c0245f..184057048 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -78,12 +78,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -179,9 +177,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index 7a1da13c3..ca7626d5b 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -61,12 +61,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -124,9 +122,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 98a70216e..4f159fbef 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -58,12 +58,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ssl_config_init(&conf); mbedtls_ssl_cookie_init(&cookie_ctx); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -166,9 +164,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 05b7480cb..40fd9caa0 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -67,12 +67,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init(&ticket_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -194,19 +192,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) exit: #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free(&ticket_ctx); -#endif +#endif /* (MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) */ mbedtls_entropy_free(&entropy); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) mbedtls_x509_crt_free(&srvcert); mbedtls_pk_free(&pkey); -#endif +#endif /* (MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) */ mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif -#else +#else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ (void) Data; (void) Size; #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 92e0f5d12..ae0f85282 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_crl_init(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_crl_parse(&crl, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl); } -#else +#else /* MBEDTLS_X509_REMOVE_INFO */ ((void) ret); ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_crl_free(&crl); -#else +#else /* MBEDTLS_X509_CRL_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CRL_PARSE_C */ return 0; } diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index c99ae2e7b..709fd200f 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -12,12 +12,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_crt_init(&crt); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_crt_parse(&crt, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { @@ -28,15 +26,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_crt_free(&crt); -#else +#else /* MBEDTLS_X509_CRT_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CRT_PARSE_C */ return 0; } diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index 4ab071f1c..1c26e6f08 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_csr_init(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_csr_parse(&csr, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { ret = mbedtls_x509_csr_info((char *) buf, sizeof(buf) - 1, " ", &csr); } -#else +#else /* !MBEDTLS_X509_REMOVE_INFO */ ((void) ret); ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_csr_free(&csr); -#else +#else /* MBEDTLS_X509_CSR_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CSR_PARSE_C */ return 0; } diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 94604ceeb..ba3553438 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -257,14 +257,12 @@ int main(int argc, char *argv[]) mbedtls_ctr_drbg_init(&ctr_drbg); memset(buf, 0, sizeof(buf)); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -473,9 +471,7 @@ exit: mbedtls_pk_free(&key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index 551173e49..4ddb473c0 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -55,14 +55,12 @@ int main(int argc, char *argv[]) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_pk_init(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc != 3) { mbedtls_printf("usage: mbedtls_pk_sign \n"); @@ -139,9 +137,7 @@ exit: mbedtls_pk_free(&pk); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_ERROR_C) if (exit_code != MBEDTLS_EXIT_SUCCESS) { diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c index 507812e35..27aff441a 100644 --- a/programs/pkey/pk_verify.c +++ b/programs/pkey/pk_verify.c @@ -47,14 +47,12 @@ int main(int argc, char *argv[]) mbedtls_pk_init(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc != 3) { mbedtls_printf("usage: mbedtls_pk_verify \n"); @@ -115,9 +113,7 @@ int main(int argc, char *argv[]) exit: mbedtls_pk_free(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_ERROR_C) if (exit_code != MBEDTLS_EXIT_SUCCESS) { diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 8f605b56b..d94daf397 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -57,14 +57,12 @@ int main(int argc, char *argv[]) mbedtls_pk_init(&pk); mbedtls_ctr_drbg_init(&ctr_drbg); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc != 3) { mbedtls_printf("usage: rsa_sign_pss \n"); @@ -153,9 +151,7 @@ exit: mbedtls_pk_free(&pk); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 97f9d186e..15049203e 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -51,14 +51,12 @@ int main(int argc, char *argv[]) mbedtls_pk_init(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc != 3) { mbedtls_printf("usage: rsa_verify_pss \n"); @@ -131,9 +129,7 @@ int main(int argc, char *argv[]) exit: mbedtls_pk_free(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d5e7fdf30..b76055ed5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -9,9 +9,7 @@ #include "ssl_test_lib.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main(void) @@ -145,7 +143,7 @@ int main(void) #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -172,7 +170,6 @@ int main(void) " psk=%%s default: \"\" (disabled)\n" \ " The PSK values are in hex, without 0x.\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -185,7 +182,6 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -309,14 +305,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -488,9 +479,7 @@ struct options { const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ int key_opaque; /* handle private key as if it were opaque */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -498,9 +487,7 @@ struct options { const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -824,16 +811,12 @@ int main(int argc, char *argv[]) const char *pers = "ssl_client2"; -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; #endif psa_status_t status; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) - psa_status_t status; -#endif rng_context_t rng; mbedtls_ssl_context ssl; @@ -850,9 +833,7 @@ int main(int argc, char *argv[]) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ char *p, *q; const int *list; @@ -877,10 +858,9 @@ int main(int argc, char *argv[]) MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -907,7 +887,6 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -915,7 +894,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -942,17 +920,13 @@ int main(int argc, char *argv[]) opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -1127,7 +1101,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1152,11 +1126,9 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1167,11 +1139,9 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } -#endif else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { @@ -1500,7 +1470,6 @@ usage: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (opt.psk == NULL) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -1515,7 +1484,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -1550,7 +1518,6 @@ usage: } } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -1562,7 +1529,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1786,7 +1752,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t usage = 0; @@ -1805,7 +1770,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? @@ -2006,7 +1970,6 @@ usage: #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); @@ -2027,7 +1990,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -2098,7 +2060,6 @@ usage: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -2124,7 +2085,6 @@ usage: } mbedtls_printf("using opaque password\n"); } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -3206,13 +3166,10 @@ exit: mbedtls_x509_crt_free(&clicert); mbedtls_x509_crt_free(&cacert); mbedtls_pk_free(&pkey); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -3229,11 +3186,9 @@ exit: } } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -3252,9 +3207,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -3262,14 +3216,11 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); -#endif rng_free(&rng); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 639fe5616..cb933e7e6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -53,9 +53,7 @@ int main(void) #include #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) @@ -205,7 +203,7 @@ int main(void) #else #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -248,7 +246,6 @@ int main(void) " The PSK values are in hex, without 0x.\n" \ " id1,psk1[,id2,psk2[,...]]\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -270,7 +267,6 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -419,14 +415,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -641,10 +632,8 @@ struct options { int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; int psk_list_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -652,9 +641,7 @@ struct options { const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ @@ -962,9 +949,7 @@ struct _psk_entry { const char *name; size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t slot; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -976,7 +961,6 @@ static int psk_free(psk_entry *head) psk_entry *next; while (head != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; mbedtls_svc_key_id_t const slot = head->slot; @@ -986,7 +970,6 @@ static int psk_free(psk_entry *head) return status; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ next = head->next; mbedtls_free(head); @@ -1052,11 +1035,9 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, while (cur != NULL) { if (name_len == strlen(cur->name) && memcmp(name, cur->name, name_len) == 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); } else -#endif return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); } @@ -1302,7 +1283,6 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, @@ -1326,7 +1306,6 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, return PSA_SUCCESS; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) static int report_cid_usage(mbedtls_ssl_context *ssl, @@ -1543,10 +1522,8 @@ int main(int argc, char *argv[]) io_ctx_t io_ctx; unsigned char *buf = 0; #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; psk_entry *psk_info = NULL; @@ -1574,10 +1551,8 @@ int main(int argc, char *argv[]) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif int key_cert_init = 0, key_cert_init2 = 0; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1609,10 +1584,9 @@ int main(int argc, char *argv[]) unsigned char *context_buf = NULL; size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; @@ -1621,9 +1595,7 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; -#endif unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_iv[8]; const char *eap_tls_label = "client EAP encryption"; @@ -1684,7 +1656,6 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -1692,7 +1663,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -1731,19 +1701,15 @@ int main(int argc, char *argv[]) opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; @@ -1924,7 +1890,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1973,13 +1939,11 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1992,11 +1956,9 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } -#endif else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -2367,7 +2329,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (strlen(opt.psk) == 0) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -2397,7 +2358,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2427,7 +2387,6 @@ usage: opt.min_version = ciphersuite_info->min_tls_version; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -2439,7 +2398,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2732,7 +2690,6 @@ usage: #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t psa_usage = 0; @@ -2768,7 +2725,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", @@ -3182,7 +3138,6 @@ usage: #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* The algorithm has already been determined earlier. */ status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len); @@ -3199,7 +3154,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -3213,7 +3167,6 @@ usage: } if (opt.psk_list != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_list_opaque != 0) { psk_entry *cur_psk; for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) { @@ -3227,7 +3180,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info); } @@ -3384,7 +3336,6 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -3410,7 +3361,6 @@ reset: } mbedtls_printf("using opaque password\n"); } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -4253,11 +4203,9 @@ exit: mbedtls_pk_free(&pkey); mbedtls_x509_crt_free(&srvcert2); mbedtls_pk_free(&pkey2); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); psa_destroy_key(key_slot2); #endif -#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) { @@ -4269,8 +4217,7 @@ exit: } #endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -4284,11 +4231,9 @@ exit: (int) status); } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -4307,9 +4252,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -4317,12 +4261,10 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ - && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index f9a640252..ad3feb65b 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -83,13 +83,11 @@ void rng_init(rng_context_t *rng) int rng_seed(rng_context_t *rng, int reproducible, const char *pers) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (reproducible) { mbedtls_fprintf(stderr, - "MBEDTLS_USE_PSA_CRYPTO does not support reproducible mode.\n"); + "reproducible mode is not supported.\n"); return -1; } -#endif #if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) /* The PSA crypto RNG does its own seeding. */ (void) rng; @@ -217,7 +215,6 @@ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2) return 0; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) int key_opaque_set_alg_usage(const char *alg1, const char *alg2, psa_algorithm_t *psa_alg1, psa_algorithm_t *psa_alg2, @@ -301,7 +298,6 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor return 0; } #endif /* MBEDTLS_PK_C */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback(void *data, mbedtls_x509_crt const *child, diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index c001a2afa..ea5dbecb8 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -14,9 +14,8 @@ #include "mbedtls/md.h" #undef HAVE_RNG -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \ - (defined(MBEDTLS_USE_PSA_CRYPTO) || \ - defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \ + defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) #define HAVE_RNG #elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C) #define HAVE_RNG @@ -55,10 +54,8 @@ #include "mbedtls/base64.h" #include "test/certs.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#endif #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) #include "mbedtls/memory_buffer_alloc.h" @@ -108,7 +105,7 @@ void my_debug(void *ctx, int level, mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) /* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use * mbedtls_psa_get_random() rather than entropy+DRBG as a random generator. * @@ -121,14 +118,6 @@ mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); * where the test programs use the PSA RNG while the PSA RNG is itself based * on entropy+DRBG, and at least one configuration where the test programs * do not use the PSA RNG even though it's there. - * - * A simple choice that meets the constraints is to use the PSA RNG whenever - * MBEDTLS_USE_PSA_CRYPTO is enabled. There's no real technical reason the - * choice to use the PSA RNG in the test programs and the choice to use - * PSA crypto when TLS code needs crypto have to be tied together, but it - * happens to be a good match. It's also a good match from an application - * perspective: either PSA is preferred for TLS (both for crypto and for - * random generation) or it isn't. */ #define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG #endif @@ -213,7 +202,6 @@ int rng_get(void *p_rng, unsigned char *output, size_t output_len); */ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /** Parse given opaque key algorithms to obtain psa algs and usage * that will be passed to mbedtls_pk_wrap_as_opaque(). * @@ -259,9 +247,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id); #endif /* MBEDTLS_PK_C */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) /* The test implementation of the PSA external RNG is insecure. When * MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, before using any PSA crypto * function that makes use of an RNG, you must call diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index d9d5bb60a..c74750551 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -152,14 +152,12 @@ int main(int argc, char *argv[]) memset(&cacrl, 0, sizeof(mbedtls_x509_crl)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -446,9 +444,7 @@ exit: #endif mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index e59772ffd..02fd56784 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -162,14 +162,12 @@ int main(int argc, char *argv[]) memset(buf, 0, sizeof(buf)); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -502,9 +500,7 @@ exit: mbedtls_pk_free(&key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ cur = opt.san_list; while (cur != NULL) { diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 3cabff4b5..fb55c3f29 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -326,14 +326,12 @@ int main(int argc, char *argv[]) memset(buf, 0, sizeof(buf)); memset(serial, 0, sizeof(serial)); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -1026,9 +1024,7 @@ exit: mbedtls_pk_free(&loaded_issuer_key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c index fee8b693c..bb518adee 100644 --- a/programs/x509/crl_app.c +++ b/programs/x509/crl_app.c @@ -60,14 +60,12 @@ int main(int argc, char *argv[]) */ mbedtls_x509_crl_init(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -124,9 +122,7 @@ usage: exit: mbedtls_x509_crl_free(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c index 2ae7c9b01..34d350845 100644 --- a/programs/x509/load_roots.c +++ b/programs/x509/load_roots.c @@ -86,14 +86,12 @@ int main(int argc, char *argv[]) struct mbedtls_timing_hr_time timer; unsigned long ms; -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc <= 1) { mbedtls_printf(USAGE); @@ -159,9 +157,7 @@ int main(int argc, char *argv[]) exit_code = MBEDTLS_EXIT_SUCCESS; exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } #endif /* necessary configuration */ diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c index 2929d687d..b960818a0 100644 --- a/programs/x509/req_app.c +++ b/programs/x509/req_app.c @@ -60,14 +60,12 @@ int main(int argc, char *argv[]) */ mbedtls_x509_csr_init(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -124,9 +122,7 @@ usage: exit: mbedtls_x509_csr_free(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 5bfdedaaf..d019c5065 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -31,11 +31,9 @@ #include "mbedtls/ssl_cache.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ psa_to_ssl_errors, \ psa_generic_status_to_mbedtls) -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(PSA_WANT_KEY_TYPE_AES) @@ -751,18 +749,11 @@ int mbedtls_test_get_tls13_ticket( #define ECJPAKE_TEST_PWD "bla" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \ ret = (use_opaque_arg) ? \ mbedtls_ssl_set_hs_ecjpake_password_opaque(&ssl, pwd_slot) : \ mbedtls_ssl_set_hs_ecjpake_password(&ssl, pwd_string, pwd_len); \ TEST_EQUAL(ret, exp_ret_val) -#else -#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \ - ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, \ - pwd_string, pwd_len); \ - TEST_EQUAL(ret, exp_ret_val) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define TEST_AVAILABLE_ECC(tls_id_, group_id_, psa_family_, psa_bits_) \ TEST_EQUAL(mbedtls_ssl_get_ecp_group_id_from_tls_id(tls_id_), \ diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 1eca6e496..83dac1741 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -644,11 +644,9 @@ static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep) ep->cert = NULL; } if (ep->pkey != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (mbedtls_pk_get_type(ep->pkey) == MBEDTLS_PK_OPAQUE) { psa_destroy_key(ep->pkey->priv_id); } -#endif mbedtls_pk_free(ep->pkey); mbedtls_free(ep->pkey); ep->pkey = NULL; @@ -725,9 +723,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, int i = 0; int ret = -1; int ok = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; -#endif if (ep == NULL) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -759,7 +755,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, TEST_EQUAL(load_endpoint_ecc(ep), 0); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opaque_alg != 0) { psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; /* Use a fake key usage to get a successful initial guess for the PSA attributes. */ @@ -776,11 +771,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, mbedtls_pk_init(ep->pkey); TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0); } -#else - (void) opaque_alg; - (void) opaque_alg2; - (void) opaque_usage; -#endif mbedtls_ssl_conf_ca_chain(&(ep->conf), ep->ca_chain, NULL); @@ -1212,7 +1202,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform, unsigned char *output, size_t *olen) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; size_t part_len; @@ -1246,10 +1235,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform, *olen += part_len; return 0; -#else - return mbedtls_cipher_crypt(&transform->cipher_ctx_enc, - iv, iv_len, input, ilen, output, olen); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_ALG_CBC_NO_PADDING && PSA_WANT_KEY_TYPE_AES */ @@ -1383,14 +1368,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, size_t key_bits = 0; int ret = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t key_type; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_algorithm_t alg; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#else - mbedtls_cipher_info_t const *cipher_info; -#endif size_t keylen, maclen, ivlen = 0; unsigned char *key0 = NULL, *key1 = NULL; @@ -1422,58 +1403,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, memset(key0, 0x1, keylen); memset(key1, 0x2, keylen); -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - /* Pick cipher */ - cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type); - CHK(cipher_info != NULL); - CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16); - CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0); - - /* Setup cipher contexts */ - CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_enc, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_dec, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_enc, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_dec, cipher_info) == 0); - -#if defined(MBEDTLS_CIPHER_MODE_CBC) - if (cipher_mode == MBEDTLS_MODE_CBC) { - CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_enc, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_dec, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_enc, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_dec, - MBEDTLS_PADDING_NONE) == 0); - } -#endif /* MBEDTLS_CIPHER_MODE_CBC */ - - CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_enc, key0, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_ENCRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_dec, key1, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_DECRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_enc, key1, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_ENCRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_dec, key0, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_DECRYPT) - == 0); -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ - /* Setup MAC contexts */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) if (cipher_mode == MBEDTLS_MODE_CBC || cipher_mode == MBEDTLS_MODE_STREAM) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) hash_id); - CHK(md_info != NULL); -#endif maclen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) hash_id); CHK(maclen != 0); /* Pick hash keys */ @@ -1482,7 +1415,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, memset(md0, 0x5, maclen); memset(md1, 0x6, maclen); -#if defined(MBEDTLS_USE_PSA_CRYPTO) alg = mbedtls_md_psa_alg_from_type(hash_id); CHK(alg != 0); @@ -1523,21 +1455,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, CHK(psa_import_key(&attributes, md0, maclen, &t_out->psa_mac_dec) == PSA_SUCCESS); -#else - CHK(mbedtls_md_setup(&t_out->md_ctx_enc, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_out->md_ctx_dec, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_in->md_ctx_enc, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_in->md_ctx_dec, md_info, 1) == 0); - - CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_enc, - md0, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_dec, - md1, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_enc, - md1, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_dec, - md0, maclen) == 0); -#endif } #else ((void) hash_id); @@ -1657,7 +1574,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, t_out->out_cid_len = (uint8_t) cid0_len; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) status = mbedtls_ssl_cipher_to_psa(cipher_type, t_in->taglen, &alg, @@ -1720,7 +1636,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, goto cleanup; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ cleanup: @@ -1737,9 +1652,7 @@ cleanup: int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, mbedtls_ssl_transform *transform_out) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -#endif /* Serialized version of record header for MAC purposes */ unsigned char add_data[13]; @@ -1751,7 +1664,6 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, add_data[12] = (record->data_len >> 0) & 0xff; /* MAC with additional data */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) size_t sign_mac_length = 0; TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation, transform_out->psa_mac_enc, @@ -1767,26 +1679,13 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation, mac, sizeof(mac), &sign_mac_length)); -#else - TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13)); - TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, - record->buf + record->data_offset, - record->data_len)); - /* Use a temporary buffer for the MAC, because with the truncated HMAC - * extension, there might not be enough room in the record for the - * full-length MAC. */ - unsigned char mac[MBEDTLS_MD_MAX_SIZE]; - TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac)); -#endif memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen); record->data_len += transform_out->maclen; return 0; exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_abort(&operation); -#endif return -1; } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ @@ -1840,7 +1739,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, return -1; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE); size_t hash_size = 0; @@ -1851,12 +1749,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN, &hash_size); ret = PSA_TO_MBEDTLS_ERR(status); -#else - ret = mbedtls_md(mbedtls_md_info_from_type( - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), - tmp_crt.raw.p, tmp_crt.raw.len, - session->peer_cert_digest); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (ret != 0) { return ret; } From 6bcdd67f8321cef2e695220d4902a0ee2e0fbf58 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 2 Jun 2025 15:51:32 +0100 Subject: [PATCH 02/19] Update ssl progs to restore build Signed-off-by: Ben Taylor --- programs/ssl/ssl_client2.c | 65 ++++++++++++++++++++++++++++---- programs/ssl/ssl_server2.c | 76 +++++++++++++++++++++++++++++++++----- 2 files changed, 124 insertions(+), 17 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index b76055ed5..d5e7fdf30 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -9,7 +9,9 @@ #include "ssl_test_lib.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main(void) @@ -143,7 +145,7 @@ int main(void) #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -170,6 +172,7 @@ int main(void) " psk=%%s default: \"\" (disabled)\n" \ " The PSK values are in hex, without 0x.\n" \ " psk_identity=%%s default: \"Client_identity\"\n" +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -182,6 +185,7 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -305,9 +309,14 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -479,7 +488,9 @@ struct options { const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ int key_opaque; /* handle private key as if it were opaque */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -487,7 +498,9 @@ struct options { const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ +#endif int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -811,12 +824,16 @@ int main(int argc, char *argv[]) const char *pers = "ssl_client2"; +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; #endif psa_status_t status; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) + psa_status_t status; +#endif rng_context_t rng; mbedtls_ssl_context ssl; @@ -833,7 +850,9 @@ int main(int argc, char *argv[]) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ +#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ char *p, *q; const int *list; @@ -858,9 +877,10 @@ int main(int argc, char *argv[]) MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -887,6 +907,7 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -894,6 +915,7 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -920,13 +942,17 @@ int main(int argc, char *argv[]) opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; +#endif opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -1101,7 +1127,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1126,9 +1152,11 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1139,9 +1167,11 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } +#endif else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { @@ -1470,6 +1500,7 @@ usage: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (opt.psk == NULL) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -1484,6 +1515,7 @@ usage: goto usage; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -1518,6 +1550,7 @@ usage: } } +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -1529,6 +1562,7 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1752,6 +1786,7 @@ usage: goto exit; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t usage = 0; @@ -1770,6 +1805,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? @@ -1970,6 +2006,7 @@ usage: #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); @@ -1990,6 +2027,7 @@ usage: goto exit; } } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -2060,6 +2098,7 @@ usage: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -2085,6 +2124,7 @@ usage: } mbedtls_printf("using opaque password\n"); } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -3166,10 +3206,13 @@ exit: mbedtls_x509_crt_free(&clicert); mbedtls_x509_crt_free(&cacert); mbedtls_pk_free(&pkey); +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); +#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -3186,9 +3229,11 @@ exit: } } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && + MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -3207,8 +3252,9 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -3216,11 +3262,14 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ +#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); +#endif rng_free(&rng); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cb933e7e6..639fe5616 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -53,7 +53,9 @@ int main(void) #include #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" +#endif #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) @@ -203,7 +205,7 @@ int main(void) #else #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -246,6 +248,7 @@ int main(void) " The PSK values are in hex, without 0x.\n" \ " id1,psk1[,id2,psk2[,...]]\n" \ " psk_identity=%%s default: \"Client_identity\"\n" +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -267,6 +270,7 @@ int main(void) " with prepopulated key slots instead of importing raw key material.\n" #else #define USAGE_PSK_SLOT "" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -415,9 +419,14 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -632,8 +641,10 @@ struct options { int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; int psk_list_opaque; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -641,7 +652,9 @@ struct options { const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ +#endif int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ @@ -949,7 +962,9 @@ struct _psk_entry { const char *name; size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t slot; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -961,6 +976,7 @@ static int psk_free(psk_entry *head) psk_entry *next; while (head != NULL) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; mbedtls_svc_key_id_t const slot = head->slot; @@ -970,6 +986,7 @@ static int psk_free(psk_entry *head) return status; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ next = head->next; mbedtls_free(head); @@ -1035,9 +1052,11 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, while (cur != NULL) { if (name_len == strlen(cur->name) && memcmp(name, cur->name, name_len) == 0) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); } else +#endif return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); } @@ -1283,6 +1302,7 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, @@ -1306,6 +1326,7 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, return PSA_SUCCESS; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) static int report_cid_usage(mbedtls_ssl_context *ssl, @@ -1522,8 +1543,10 @@ int main(int argc, char *argv[]) io_ctx_t io_ctx; unsigned char *buf = 0; #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; psk_entry *psk_info = NULL; @@ -1551,8 +1574,10 @@ int main(int argc, char *argv[]) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; +#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ +#endif int key_cert_init = 0, key_cert_init2 = 0; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1584,9 +1609,10 @@ int main(int argc, char *argv[]) unsigned char *context_buf = NULL; size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; @@ -1595,7 +1621,9 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; +#endif unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_iv[8]; const char *eap_tls_label = "client EAP encryption"; @@ -1656,6 +1684,7 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -1663,6 +1692,7 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -1701,15 +1731,19 @@ int main(int argc, char *argv[]) opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; +#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; +#endif opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; @@ -1890,7 +1924,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1939,11 +1973,13 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); } +#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1956,9 +1992,11 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } +#endif else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -2329,6 +2367,7 @@ usage: goto exit; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (strlen(opt.psk) == 0) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -2358,6 +2397,7 @@ usage: goto usage; } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2387,6 +2427,7 @@ usage: opt.min_version = ciphersuite_info->min_tls_version; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -2398,6 +2439,7 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2690,6 +2732,7 @@ usage: #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ } +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t psa_usage = 0; @@ -2725,6 +2768,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", @@ -3138,6 +3182,7 @@ usage: #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* The algorithm has already been determined earlier. */ status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len); @@ -3154,6 +3199,7 @@ usage: goto exit; } } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -3167,6 +3213,7 @@ usage: } if (opt.psk_list != NULL) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_list_opaque != 0) { psk_entry *cur_psk; for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) { @@ -3180,6 +3227,7 @@ usage: } } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info); } @@ -3336,6 +3384,7 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -3361,6 +3410,7 @@ reset: } mbedtls_printf("using opaque password\n"); } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -4203,9 +4253,11 @@ exit: mbedtls_pk_free(&pkey); mbedtls_x509_crt_free(&srvcert2); mbedtls_pk_free(&pkey2); +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); psa_destroy_key(key_slot2); #endif +#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) { @@ -4217,7 +4269,8 @@ exit: } #endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -4231,9 +4284,11 @@ exit: (int) status); } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && + MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -4252,8 +4307,9 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -4261,10 +4317,12 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } +#endif /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ + && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif From 62278dc93d5845e1e8356edb25281bb78ce195f2 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 6 Jun 2025 08:17:22 +0100 Subject: [PATCH 03/19] remove MBEDTLS_USE_PSA_CRYPTO from ssl progs Signed-off-by: Ben Taylor --- programs/ssl/ssl_client2.c | 68 +++++---------------------------- programs/ssl/ssl_server2.c | 78 +++++--------------------------------- 2 files changed, 18 insertions(+), 128 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d5e7fdf30..8c0453d6e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -9,9 +9,7 @@ #include "ssl_test_lib.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main(void) @@ -145,7 +143,7 @@ int main(void) #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -172,7 +170,6 @@ int main(void) " psk=%%s default: \"\" (disabled)\n" \ " The PSK values are in hex, without 0x.\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -183,9 +180,6 @@ int main(void) " Note: This is to test integration of PSA-based opaque PSKs with\n" \ " Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \ " with prepopulated key slots instead of importing raw key material.\n" -#else -#define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -309,14 +303,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -488,9 +477,7 @@ struct options { const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ int key_opaque; /* handle private key as if it were opaque */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -498,9 +485,7 @@ struct options { const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -824,16 +809,12 @@ int main(int argc, char *argv[]) const char *pers = "ssl_client2"; -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; #endif psa_status_t status; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) - psa_status_t status; -#endif rng_context_t rng; mbedtls_ssl_context ssl; @@ -850,9 +831,7 @@ int main(int argc, char *argv[]) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ char *p, *q; const int *list; @@ -877,10 +856,9 @@ int main(int argc, char *argv[]) MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -907,7 +885,6 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -915,7 +892,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -942,17 +918,13 @@ int main(int argc, char *argv[]) opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -1127,7 +1099,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1152,11 +1124,9 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1167,11 +1137,9 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } -#endif else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { @@ -1500,7 +1468,6 @@ usage: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (opt.psk == NULL) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -1515,7 +1482,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -1550,7 +1516,6 @@ usage: } } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -1562,7 +1527,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1786,7 +1750,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t usage = 0; @@ -1805,7 +1768,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? @@ -2006,7 +1968,6 @@ usage: #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); @@ -2027,7 +1988,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -2098,7 +2058,6 @@ usage: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -2124,7 +2083,6 @@ usage: } mbedtls_printf("using opaque password\n"); } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -3206,13 +3164,10 @@ exit: mbedtls_x509_crt_free(&clicert); mbedtls_x509_crt_free(&cacert); mbedtls_pk_free(&pkey); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -3229,11 +3184,9 @@ exit: } } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -3252,9 +3205,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -3262,12 +3214,10 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ - !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 639fe5616..e463c6304 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -53,9 +53,7 @@ int main(void) #include #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) @@ -205,7 +203,7 @@ int main(void) #else #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -248,7 +246,6 @@ int main(void) " The PSK values are in hex, without 0x.\n" \ " id1,psk1[,id2,psk2[,...]]\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -268,9 +265,6 @@ int main(void) " Note: This is to test integration of PSA-based opaque PSKs with\n" \ " Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \ " with prepopulated key slots instead of importing raw key material.\n" -#else -#define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -419,14 +413,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -641,10 +630,8 @@ struct options { int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; int psk_list_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -652,9 +639,7 @@ struct options { const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ @@ -962,9 +947,7 @@ struct _psk_entry { const char *name; size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t slot; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -976,7 +959,6 @@ static int psk_free(psk_entry *head) psk_entry *next; while (head != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; mbedtls_svc_key_id_t const slot = head->slot; @@ -986,7 +968,6 @@ static int psk_free(psk_entry *head) return status; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ next = head->next; mbedtls_free(head); @@ -1052,11 +1033,9 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, while (cur != NULL) { if (name_len == strlen(cur->name) && memcmp(name, cur->name, name_len) == 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); } else -#endif return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); } @@ -1302,7 +1281,6 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, @@ -1326,7 +1304,6 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, return PSA_SUCCESS; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) static int report_cid_usage(mbedtls_ssl_context *ssl, @@ -1543,10 +1520,8 @@ int main(int argc, char *argv[]) io_ctx_t io_ctx; unsigned char *buf = 0; #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; psk_entry *psk_info = NULL; @@ -1574,10 +1549,8 @@ int main(int argc, char *argv[]) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif int key_cert_init = 0, key_cert_init2 = 0; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1609,10 +1582,9 @@ int main(int argc, char *argv[]) unsigned char *context_buf = NULL; size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; @@ -1621,9 +1593,7 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; -#endif unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_iv[8]; const char *eap_tls_label = "client EAP encryption"; @@ -1684,7 +1654,6 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -1692,7 +1661,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -1731,19 +1699,15 @@ int main(int argc, char *argv[]) opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; @@ -1924,7 +1888,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1973,13 +1937,11 @@ usage: else if (strcmp(p, "psk") == 0) { opt.psk = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1992,11 +1954,9 @@ usage: } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } -#endif else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -2367,7 +2327,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (strlen(opt.psk) == 0) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -2397,7 +2356,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2427,7 +2385,6 @@ usage: opt.min_version = ciphersuite_info->min_tls_version; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -2439,7 +2396,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2732,7 +2688,6 @@ usage: #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t psa_usage = 0; @@ -2768,7 +2723,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", @@ -3182,7 +3136,6 @@ usage: #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* The algorithm has already been determined earlier. */ status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len); @@ -3199,7 +3152,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -3213,7 +3165,6 @@ usage: } if (opt.psk_list != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_list_opaque != 0) { psk_entry *cur_psk; for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) { @@ -3227,7 +3178,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info); } @@ -3384,7 +3334,6 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -3410,7 +3359,6 @@ reset: } mbedtls_printf("using opaque password\n"); } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, @@ -4253,11 +4201,9 @@ exit: mbedtls_pk_free(&pkey); mbedtls_x509_crt_free(&srvcert2); mbedtls_pk_free(&pkey2); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); psa_destroy_key(key_slot2); #endif -#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) { @@ -4269,8 +4215,7 @@ exit: } #endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -4284,11 +4229,9 @@ exit: (int) status); } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -4307,9 +4250,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -4317,12 +4259,10 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ - && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif From 0f21429af5422e764f5bba3e4e49e3cf5fcf0670 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 6 Jun 2025 08:31:48 +0100 Subject: [PATCH 04/19] Correct ifdef logic Signed-off-by: Ben Taylor --- programs/ssl/ssl_test_lib.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index ea5dbecb8..fbb0efff8 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -14,8 +14,7 @@ #include "mbedtls/md.h" #undef HAVE_RNG -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \ - defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) #define HAVE_RNG #elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C) #define HAVE_RNG From 9020426b14ab2a84d5f186d97cdf9ef524bf39e8 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 9 Jun 2025 11:51:28 +0100 Subject: [PATCH 05/19] remove MBEDTLS_USE_PSA_CRYPTO from tests Signed-off-by: Ben Taylor --- tests/scripts/components-sanitizers.sh | 8 +-- tests/ssl-opt.sh | 9 ---- .../test_suite_constant_time_hmac.function | 51 ------------------- tests/suites/test_suite_ssl.data | 34 ++++++------- tests/suites/test_suite_ssl.function | 12 +---- tests/suites/test_suite_x509parse.data | 2 +- tests/suites/test_suite_x509write.data | 12 ++--- tests/suites/test_suite_x509write.function | 34 ++----------- 8 files changed, 33 insertions(+), 129 deletions(-) diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh index 45d0960a1..26b149f69 100644 --- a/tests/scripts/components-sanitizers.sh +++ b/tests/scripts/components-sanitizers.sh @@ -66,7 +66,7 @@ component_release_test_valgrind_constant_flow_no_asm () { # - or alternatively, build with debug info and manually run the offending # test suite with valgrind --track-origins=yes, then check if the origin # was TEST_CF_SECRET() or something else. - msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing" + msg "build: cmake release GCC, full config minus MBEDTLS_HAVE_ASM with constant flow testing" scripts/config.py full scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND scripts/config.py unset MBEDTLS_AESNI_C @@ -77,7 +77,7 @@ component_release_test_valgrind_constant_flow_no_asm () { # this only shows a summary of the results (how many of each type) # details are left in Testing//DynamicAnalysis.xml - msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM, valgrind + constant flow)" + msg "test: some suites (full minus MBEDTLS_HAVE_ASM, valgrind + constant flow)" make memcheck } @@ -150,7 +150,7 @@ component_test_memsan () { component_release_test_valgrind () { msg "build: Release (clang)" - # default config, in particular without MBEDTLS_USE_PSA_CRYPTO + # default config CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . make @@ -178,7 +178,7 @@ component_release_test_valgrind () { component_release_test_valgrind_psa () { msg "build: Release, full (clang)" - # full config, in particular with MBEDTLS_USE_PSA_CRYPTO + # full config scripts/config.py full CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . make diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c667cd14b..36bde20bf 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9443,15 +9443,6 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" -# The following test cases for restartable ECDH come in two variants: -# * The "(USE_PSA)" variant expects the current behavior, which is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests -# the partial implementation where ECDH in TLS is not actually restartable. -# * The "(no USE_PSA)" variant expects the desired behavior. These test -# cases cannot currently pass because the implementation of restartable ECC -# in TLS is partial: ECDH is not actually restartable. This is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. -# # As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, # we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test # cases. diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function index 0e870d80f..057d104d0 100644 --- a/tests/suites/test_suite_constant_time_hmac.function +++ b/tests/suites/test_suite_constant_time_hmac.function @@ -16,15 +16,10 @@ void ssl_cf_hmac(int hash) * Test the function mbedtls_ct_hmac() against a reference * implementation. */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_algorithm_t alg; psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -#else - mbedtls_md_context_t ctx, ref_ctx; - const mbedtls_md_info_t *md_info; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t out_len, block_size; size_t min_in_len, in_len, max_in_len, i; /* TLS additional data is 13 bytes (hence the "lucky 13" name) */ @@ -36,7 +31,6 @@ void ssl_cf_hmac(int hash) USE_PSA_INIT(); -#if defined(MBEDTLS_USE_PSA_CRYPTO) alg = PSA_ALG_HMAC(mbedtls_md_psa_alg_from_type(hash)); out_len = PSA_HASH_LENGTH(alg); @@ -47,36 +41,15 @@ void ssl_cf_hmac(int hash) PSA_KEY_USAGE_VERIFY_HASH); psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(alg)); psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); -#else - mbedtls_md_init(&ctx); - mbedtls_md_init(&ref_ctx); - - md_info = mbedtls_md_info_from_type(hash); - TEST_ASSERT(md_info != NULL); - out_len = mbedtls_md_get_size(md_info); - TEST_ASSERT(out_len != 0); - block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Use allocated out buffer to catch overwrites */ TEST_CALLOC(out, out_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /* Set up dummy key */ memset(ref_out, 42, sizeof(ref_out)); TEST_EQUAL(PSA_SUCCESS, psa_import_key(&attributes, ref_out, out_len, &key)); -#else - /* Set up contexts with the given hash and a dummy key */ - TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 1)); - TEST_EQUAL(0, mbedtls_md_setup(&ref_ctx, md_info, 1)); - memset(ref_out, 42, sizeof(ref_out)); - TEST_EQUAL(0, mbedtls_md_hmac_starts(&ctx, ref_out, out_len)); - TEST_EQUAL(0, mbedtls_md_hmac_starts(&ref_ctx, ref_out, out_len)); - memset(ref_out, 0, sizeof(ref_out)); -#endif - /* * Test all possible lengths up to a point. The difference between * max_in_len and min_in_len is at most 255, and make sure they both vary @@ -101,22 +74,14 @@ void ssl_cf_hmac(int hash) /* Get the function's result */ TEST_CF_SECRET(&in_len, sizeof(in_len)); -#if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_EQUAL(0, mbedtls_ct_hmac(key, PSA_ALG_HMAC(alg), add_data, sizeof(add_data), data, in_len, min_in_len, max_in_len, out)); -#else - TEST_EQUAL(0, mbedtls_ct_hmac(&ctx, add_data, sizeof(add_data), - data, in_len, - min_in_len, max_in_len, - out)); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ TEST_CF_PUBLIC(&in_len, sizeof(in_len)); TEST_CF_PUBLIC(out, out_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_setup(&operation, key, alg)); TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data, @@ -125,17 +90,6 @@ void ssl_cf_hmac(int hash) data, in_len)); TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_finish(&operation, out, out_len)); -#else - /* Compute the reference result */ - TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, add_data, - sizeof(add_data))); - TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, data, in_len)); - TEST_EQUAL(0, mbedtls_md_hmac_finish(&ref_ctx, ref_out)); - TEST_EQUAL(0, mbedtls_md_hmac_reset(&ref_ctx)); - - /* Compare */ - TEST_MEMORY_COMPARE(out, out_len, ref_out, out_len); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } mbedtls_free(data); @@ -143,13 +97,8 @@ void ssl_cf_hmac(int hash) } exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_abort(&operation); psa_destroy_key(key); -#else - mbedtls_md_free(&ref_ctx); - mbedtls_md_free(&ctx); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_free(data); mbedtls_free(out); diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 378c5339f..ec62c2cb2 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -440,23 +440,23 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_R handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque @@ -464,19 +464,19 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256 -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque @@ -484,15 +484,15 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDIN handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque @@ -500,19 +500,19 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_P handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_PSA_CRYPTO_C handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_PSA_CRYPTO_C handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Sending app data via TLS, MFL=512 without fragmentation @@ -3236,7 +3236,7 @@ depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ssl_ecjpake_set_password:0 EC-JPAKE set opaque password -depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ssl_ecjpake_set_password:1 Test Elliptic curves' info parsing diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 918edd5ac..c70080317 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3422,7 +3422,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ void test_multiple_psks_opaque(int mode) { /* @@ -3768,7 +3768,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ void raw_key_agreement_fail(int bad_server_ecdhe_key) { enum { BUFFSIZE = 17000 }; @@ -3941,11 +3941,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg) { mbedtls_ssl_context ssl; mbedtls_ssl_config conf; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT; -#else /* MBEDTLS_USE_PSA_CRYPTO */ - (void) use_opaque_arg; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = ""; size_t pwd_len = 0; int ret; @@ -3971,7 +3967,6 @@ void ssl_ecjpake_set_password(int use_opaque_arg) pwd_len = strlen(ECJPAKE_TEST_PWD); memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (use_opaque_arg) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -3998,16 +3993,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg) PSA_ASSERT(psa_import_key(&attributes, pwd_string, pwd_len, &pwd_slot)); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* final check which should work without errors */ ECJPAKE_TEST_SET_PASSWORD(0); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (use_opaque_arg) { psa_destroy_key(pwd_slot); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_free(&ssl); mbedtls_ssl_config_free(&conf); diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index c2a7f30fd..14e7afa74 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -900,7 +900,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_ x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1 x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #70 (v1 trusted CA) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 3860076d2..4d57a8fb6 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -123,23 +123,23 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, key_usage -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, ns_cert_type -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, version 1 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, CA -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Full length serial @@ -159,7 +159,7 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINIST x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server5 ECDSA, Opaque -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server1 SHA1, SubjectAltNames diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index e0aad90a0..f42349cb5 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -15,8 +15,7 @@ #endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #include "mbedtls/psa_util.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) +#if defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) { unsigned char hash[PSA_HASH_MAX_SIZE]; @@ -53,7 +52,7 @@ cleanup: mbedtls_x509_csr_free(&csr); return ret; } -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ +#endif /* MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ #if defined(MBEDTLS_X509_CSR_WRITE_C) @@ -131,11 +130,6 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, mbedtls_x509write_csr req; unsigned char buf[4096]; int ret; -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - unsigned char check_buf[4000]; - FILE *f; - size_t olen = 0; -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ size_t pem_len = 0, buf_index; int der_len = -1; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; @@ -215,20 +209,10 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, TEST_ASSERT(buf[buf_index] == 0); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used (void) cert_req_check_file; buf[pem_len] = '\0'; TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0); -#else - f = fopen(cert_req_check_file, "r"); - TEST_ASSERT(f != NULL); - olen = fread(check_buf, 1, sizeof(check_buf), f); - fclose(f); - - TEST_ASSERT(olen >= pem_len - 1); - TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf)); TEST_ASSERT(der_len >= 0); @@ -237,14 +221,10 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) // When using PSA crypto, RNG isn't controllable, result length isn't // deterministic over multiple runs, removing a single byte isn't enough to // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case der_len /= 2; -#else - der_len -= 1; -#endif ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len)); TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); @@ -256,7 +236,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, int cert_type) { @@ -342,10 +322,8 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, int der_len = -1; FILE *f; mbedtls_test_rnd_pseudo_info rnd_info; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; -#endif mbedtls_pk_type_t issuer_key_type; mbedtls_x509_san_list san_ip; mbedtls_x509_san_list san_dns; @@ -409,7 +387,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, issuer_key_type = mbedtls_pk_get_type(&issuer_key); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /* Turn the issuer PK context into an opaque one. */ if (pk_wrap == 2) { TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH, @@ -419,7 +396,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_pk_init(&issuer_key); TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (pk_wrap == 2) { TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE); @@ -570,14 +546,12 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_ASSERT(p < end); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) // When using PSA crypto, RNG isn't controllable, result length isn't // deterministic over multiple runs, removing a single byte isn't enough to // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case if (issuer_key_type != MBEDTLS_PK_RSA) { der_len /= 2; } else -#endif der_len -= 1; ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len)); @@ -592,9 +566,7 @@ exit: #if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) mbedtls_mpi_free(&serial_mpi); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_id); -#endif MD_OR_USE_PSA_DONE(); } /* END_CASE */ From a4915abc5628bd498dbe64272c9895141b9ef817 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 9 Jun 2025 13:30:39 +0100 Subject: [PATCH 06/19] fix code style issues Signed-off-by: Ben Taylor --- programs/ssl/ssl_client2.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 8c0453d6e..1ce4e46b1 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1123,8 +1123,7 @@ usage: #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ else if (strcmp(p, "psk") == 0) { opt.psk = q; - } - else if (strcmp(p, "psk_opaque") == 0) { + } else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) @@ -1136,11 +1135,9 @@ usage: opt.psk_identity = q; } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; - } - else if (strcmp(p, "ecjpake_pw_opaque") == 0) { + } else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); - } - else if (strcmp(p, "ec_max_ops") == 0) { + } else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -2082,8 +2079,7 @@ usage: goto exit; } mbedtls_printf("using opaque password\n"); - } else - { + } else { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, strlen(opt.ecjpake_pw))) != 0) { From 98ecfdb440aeccb714014a89286401bb08c88ea5 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 10 Jun 2025 07:47:13 +0100 Subject: [PATCH 07/19] corrected code style Signed-off-by: Ben Taylor --- programs/ssl/ssl_server2.c | 14 ++++++-------- tests/suites/test_suite_x509write.function | 5 +++-- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e463c6304..28623bfc8 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1035,8 +1035,9 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, memcmp(name, cur->name, name_len) == 0) { if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); - } else - return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); + } else { + return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); + } } cur = cur->next; @@ -1936,8 +1937,7 @@ usage: #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ else if (strcmp(p, "psk") == 0) { opt.psk = q; - } - else if (strcmp(p, "psk_opaque") == 0) { + } else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); @@ -1953,8 +1953,7 @@ usage: opt.psk_list = q; } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; - } - else if (strcmp(p, "ecjpake_pw_opaque") == 0) { + } else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { @@ -3358,8 +3357,7 @@ reset: goto exit; } mbedtls_printf("using opaque password\n"); - } else - { + } else { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, strlen(opt.ecjpake_pw))) != 0) { diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index f42349cb5..03746b404 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -551,8 +551,9 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case if (issuer_key_type != MBEDTLS_PK_RSA) { der_len /= 2; - } else - der_len -= 1; + } else { + der_len -= 1; + } ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len)); TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); From cdc191b50052db6d0aaa98e8c823240a7dafe53c Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 10 Jun 2025 14:52:38 +0100 Subject: [PATCH 08/19] Correct code style Signed-off-by: Ben Taylor --- programs/ssl/ssl_server2.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 28623bfc8..c5f22c411 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1037,7 +1037,7 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); } else { return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); - } + } } cur = cur->next; @@ -1955,8 +1955,7 @@ usage: opt.ecjpake_pw = q; } else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); - } - else if (strcmp(p, "force_ciphersuite") == 0) { + } else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); if (opt.force_ciphersuite[0] == 0) { From 39a68bf3472dce1c101bdd6ec5c9b424ea27a609 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 15 Jul 2025 13:34:55 +0100 Subject: [PATCH 09/19] removed additional references to USE_PSA in tests and comments Signed-off-by: Ben Taylor --- .../components-configuration-crypto.sh | 21 ++++---- tests/ssl-opt.sh | 52 +++++++------------ 2 files changed, 30 insertions(+), 43 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index da776e70b..c78e53244 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () { CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" make test } @@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" + msg "test: Full minus CTR_DRBG- main suites" make test # In this configuration, the TLS test programs use HMAC_DRBG. # The SSL tests are slow, so run a small subset, just enough to get # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" + msg "test: Full minus CTR_DRBG - compat.sh (subset)" tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } @@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" + msg "test: Full minus HMAC_DRBG - main suites" make test # Normally our ECDSA implementation uses deterministic ECDSA. But since @@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () { # instead. # Test SSL with non-deterministic ECDSA. Only test features that # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private: sign' # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" + msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)" tests/compat.sh -m tls12 -t 'ECDSA' } @@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -342,7 +342,6 @@ component_test_full_no_ccm () { msg "build: full no PSA_WANT_ALG_CCM" # Full config enables: - # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated scripts/config.py full diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 36bde20bf..201a78838 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9443,15 +9443,10 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" -# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, -# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test -# cases. - -# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ +run_test "EC restart: TLS, max_ops=1000" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9462,11 +9457,9 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# With USE_PSA enabled we expect only partial restartable behaviour: -# everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled PSA_WANT_ECC_SECP_R1_256 -run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +run_test "EC restart: TLS, max_ops=1000" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9477,8 +9470,7 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# This works the same with & without USE_PSA as we never get to ECDH: -# we abort as soon as we determined the cert is bad. +# We abort as soon as we determined the cert is bad. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, badsign" \ @@ -9497,11 +9489,10 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -c "! mbedtls_ssl_handshake returned" \ -c "X509 - Certificate verification failed" -# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9517,11 +9508,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# With USE_PSA enabled we expect only partial restartable behaviour: +# We expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled PSA_WANT_ECC_SECP_R1_256 -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9537,11 +9528,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9557,11 +9547,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# With USE_PSA enabled we expect only partial restartable behaviour: +# We expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled PSA_WANT_ECC_SECP_R1_256 -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9577,11 +9567,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ +run_test "EC restart: DTLS, max_ops=1000" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9592,11 +9581,11 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# With USE_PSA enabled we expect only partial restartable behaviour: +# We expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled PSA_WANT_ECC_SECP_R1_256 -run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +run_test "EC restart: DTLS, max_ops=1000" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9607,11 +9596,10 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ +run_test "EC restart: TLS, max_ops=1000 no client auth" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \ @@ -9622,11 +9610,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" -# With USE_PSA enabled we expect only partial restartable behaviour: +# We expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled PSA_WANT_ECC_SECP_R1_256 -run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +run_test "EC restart: TLS, max_ops=1000 no client auth" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \ From 07687266b9f33d66b36885784cb9130e0ddb59ab Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 16 Jul 2025 08:03:43 +0100 Subject: [PATCH 10/19] restoring test comment that refer to USE_PSA Signed-off-by: Ben Taylor --- .../components-configuration-crypto.sh | 21 +++++----- tests/ssl-opt.sh | 42 ++++++++++++------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c78e53244..da776e70b 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -16,7 +16,7 @@ component_test_psa_crypto_key_id_encodes_owner () { CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full config - PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" make test } @@ -188,16 +188,16 @@ component_test_no_ctr_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus CTR_DRBG- main suites" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" make test # In this configuration, the TLS test programs use HMAC_DRBG. # The SSL tests are slow, so run a small subset, just enough to get # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - msg "test: Full minus CTR_DRBG - compat.sh (subset)" + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } @@ -210,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: Full minus HMAC_DRBG - main suites" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" make test # Normally our ECDSA implementation uses deterministic ECDSA. But since @@ -218,12 +218,12 @@ component_test_no_hmac_drbg_use_psa () { # instead. # Test SSL with non-deterministic ECDSA. Only test features that # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|SSL async private: sign' # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)" + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" tests/compat.sh -m tls12 -t 'ECDSA' } @@ -247,16 +247,16 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -342,6 +342,7 @@ component_test_full_no_ccm () { msg "build: full no PSA_WANT_ALG_CCM" # Full config enables: + # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated scripts/config.py full diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 201a78838..0cf9e23cc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9443,10 +9443,15 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" +# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, +# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test +# cases. + +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000" \ +run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9457,9 +9462,11 @@ run_test "EC restart: TLS, max_ops=1000" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" +# With USE_PSA enabled we expect only partial restartable behaviour: +# everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000" \ +run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9470,7 +9477,8 @@ run_test "EC restart: TLS, max_ops=1000" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# We abort as soon as we determined the cert is bad. +# This works the same with & without USE_PSA as we never get to ECDH: +# we abort as soon as we determined the cert is bad. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, badsign" \ @@ -9489,10 +9497,11 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -c "! mbedtls_ssl_handshake returned" \ -c "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9508,11 +9517,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9528,10 +9537,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9547,11 +9557,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ +run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ @@ -9567,10 +9577,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: DTLS, max_ops=1000" \ +run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9581,11 +9592,11 @@ run_test "EC restart: DTLS, max_ops=1000" \ -c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: DTLS, max_ops=1000" \ +run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ @@ -9596,10 +9607,11 @@ run_test "EC restart: DTLS, max_ops=1000" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" +# With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled PSA_WANT_ECC_SECP_R1_256 skip_next_test -run_test "EC restart: TLS, max_ops=1000 no client auth" \ +run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \ @@ -9610,11 +9622,11 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" -# We expect only partial restartable behaviour: +# With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test "EC restart: TLS, max_ops=1000 no client auth" \ +run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ debug_level=1 ec_max_ops=1000" \ From 6164e92d3b93b3544dd42ecf0dc447c0c268e4af Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 16 Jul 2025 08:06:28 +0100 Subject: [PATCH 11/19] Restore comment in ssl-opt.sh as it is still relevent Signed-off-by: Ben Taylor --- tests/ssl-opt.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0cf9e23cc..ef78ef0cd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9443,6 +9443,15 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" +# The following test cases for restartable ECDH come in two variants: +# * The "(USE_PSA)" variant expects the current behavior, which is the behavior +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests +# the partial implementation where ECDH in TLS is not actually restartable. +# * The "(no USE_PSA)" variant expects the desired behavior. These test +# cases cannot currently pass because the implementation of restartable ECC +# in TLS is partial: ECDH is not actually restartable. This is the behavior +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. +# # As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, # we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test # cases. From 8519c3e0bae71a7563f963203b5a7bda7aee64aa Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 16 Jul 2025 08:11:37 +0100 Subject: [PATCH 12/19] corrected copy paste error for MBEDTLS_USE_PSA_CRYPTO enabled/disabled Signed-off-by: Ben Taylor --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ef78ef0cd..d38e578de 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9445,12 +9445,12 @@ run_test "EC restart: TLS, max_ops=65535" \ # The following test cases for restartable ECDH come in two variants: # * The "(USE_PSA)" variant expects the current behavior, which is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. This tests # the partial implementation where ECDH in TLS is not actually restartable. # * The "(no USE_PSA)" variant expects the desired behavior. These test # cases cannot currently pass because the implementation of restartable ECC # in TLS is partial: ECDH is not actually restartable. This is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. # # As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, # we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test From a750e1be5fde58ab6ec0b2ad7b4b1f0933ac8f65 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 22 Jul 2025 14:27:47 +0100 Subject: [PATCH 13/19] Minor comment updates Signed-off-by: Ben Taylor --- programs/fuzz/fuzz_server.c | 2 +- programs/fuzz/fuzz_x509crl.c | 2 +- programs/ssl/ssl_test_lib.h | 15 --------------- 3 files changed, 2 insertions(+), 17 deletions(-) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 40fd9caa0..03e33b708 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -199,7 +199,7 @@ exit: #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) mbedtls_x509_crt_free(&srvcert); mbedtls_pk_free(&pkey); -#endif /* (MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) */ +#endif /* MBEDTLS_X509_CRT_PARSE_C MBEDTLS_PEM_PARSE_C */ mbedtls_ssl_free(&ssl); mbedtls_psa_crypto_free(); #else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index ae0f85282..af50e25f1 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -21,7 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) if (ret == 0) { ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl); } -#else /* MBEDTLS_X509_REMOVE_INFO */ +#else /* !MBEDTLS_X509_REMOVE_INFO */ ((void) ret); ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index fbb0efff8..20dbe61df 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -104,22 +104,7 @@ void my_debug(void *ctx, int level, mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); #endif -#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) -/* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use - * mbedtls_psa_get_random() rather than entropy+DRBG as a random generator. - * - * The constraints are: - * - Without the entropy module, the PSA RNG is the only option. - * - Without at least one of the DRBG modules, the PSA RNG is the only option. - * - The PSA RNG does not support explicit seeding, so it is incompatible with - * the reproducible mode used by test programs. - * - For good overall test coverage, there should be at least one configuration - * where the test programs use the PSA RNG while the PSA RNG is itself based - * on entropy+DRBG, and at least one configuration where the test programs - * do not use the PSA RNG even though it's there. - */ #define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG -#endif /** A context for random number generation (RNG). */ From d5b655ab2141e49dfa7bbe9a1d9bffad91420674 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 22 Jul 2025 14:47:28 +0100 Subject: [PATCH 14/19] Re-add missing and Signed-off-by: Ben Taylor --- programs/fuzz/fuzz_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 03e33b708..9a5b80db7 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -199,7 +199,7 @@ exit: #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) mbedtls_x509_crt_free(&srvcert); mbedtls_pk_free(&pkey); -#endif /* MBEDTLS_X509_CRT_PARSE_C MBEDTLS_PEM_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_PEM_PARSE_C */ mbedtls_ssl_free(&ssl); mbedtls_psa_crypto_free(); #else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ From 44703e4cc206fae78b92d95742a3ab3e43e1c576 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 23 Jul 2025 09:15:14 +0100 Subject: [PATCH 15/19] Update comment format Signed-off-by: Ben Taylor --- programs/fuzz/fuzz_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 9a5b80db7..3a5e502fe 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -192,7 +192,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) exit: #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free(&ticket_ctx); -#endif /* (MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */ mbedtls_entropy_free(&entropy); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); From 1e2e2ea36df143b324d06dd340f7d7c067d327e4 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 29 Jul 2025 13:19:27 +0100 Subject: [PATCH 16/19] Added back crypto treatment of certs as the keyfile is now passed in and the previous rng issue should no longer be relevent Signed-off-by: Ben Taylor --- tests/suites/test_suite_x509write.function | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 03746b404..edcc14d3f 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -130,6 +130,9 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, mbedtls_x509write_csr req; unsigned char buf[4096]; int ret; + unsigned char check_buf[4000]; + FILE *f; + size_t olen = 0; size_t pem_len = 0, buf_index; int der_len = -1; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; @@ -209,10 +212,14 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, TEST_ASSERT(buf[buf_index] == 0); } - // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used - (void) cert_req_check_file; - buf[pem_len] = '\0'; - TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0); + f = fopen(cert_req_check_file, "r"); //open the file + TEST_ASSERT(f != NULL); //check the file has been opened. + olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file + fclose(f); // close the file + + TEST_ASSERT(olen >= pem_len - 1); + TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); + der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf)); TEST_ASSERT(der_len >= 0); @@ -221,10 +228,7 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, goto exit; } - // When using PSA crypto, RNG isn't controllable, result length isn't - // deterministic over multiple runs, removing a single byte isn't enough to - // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case - der_len /= 2; + der_len -= 1; ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len)); TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); From dbea0a9cc541199bfd6f21cd6ad2d97c1142d959 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 29 Jul 2025 13:27:39 +0100 Subject: [PATCH 17/19] Remove additional unused no rng case Signed-off-by: Ben Taylor --- tests/suites/test_suite_x509write.function | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index edcc14d3f..89de9599a 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -550,14 +550,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_ASSERT(p < end); } - // When using PSA crypto, RNG isn't controllable, result length isn't - // deterministic over multiple runs, removing a single byte isn't enough to - // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case - if (issuer_key_type != MBEDTLS_PK_RSA) { - der_len /= 2; - } else { - der_len -= 1; - } + der_len -= 1; ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len)); TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); From 4df61d408d9bc6288e0430f8556e25f27deeefb0 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 29 Jul 2025 15:03:55 +0100 Subject: [PATCH 18/19] fix style issues Signed-off-by: Ben Taylor --- tests/suites/test_suite_x509write.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 89de9599a..c2ab27b01 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -217,8 +217,8 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file fclose(f); // close the file - TEST_ASSERT(olen >= pem_len - 1); - TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); + TEST_ASSERT(olen >= pem_len - 1); + TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf)); From c454b5b658092327cb97debd37023f7ea182d300 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 30 Jul 2025 07:54:31 +0100 Subject: [PATCH 19/19] Fix rebase failure Signed-off-by: Ben Taylor --- tests/ssl-opt.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d38e578de..60b970aef 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9474,7 +9474,7 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9529,7 +9529,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9569,7 +9569,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -9604,7 +9604,7 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ @@ -9634,7 +9634,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \ # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \ "$P_SRV groups=secp256r1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \