yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #7082 from valeriosetti/issue6861

Browse source 
driver-only ECDSA: add ssl-opt.sh testing with testing parity
This commit is contained in:
Manuel Pégourié-Gonnard 2023-03-08 16:45:38 +01:00 committed by GitHub
commit 289e5baa83
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 123 additions and 113 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
library/ssl_misc.h
View file

@ -55,6 +55,7 @@
#include "mbedtls/ecjpake.h"
#endif
#include "mbedtls/pk.h"
#include "common.h"
/* Shorthand for restartable ECC */
@ -2279,7 +2280,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
const uint16_t sig_alg)
{
switch (sig_alg) {
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
break;
@ -2292,7 +2293,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
#if defined(MBEDTLS_PKCS1_V21)
#if defined(PSA_WANT_ALG_SHA_256)
@ -2448,7 +2449,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
break;
#endif
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
case MBEDTLS_SSL_SIG_ECDSA:
break;
#endif

8
library/ssl_tls.c
View file

@ -5406,7 +5406,7 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
}
#if defined(MBEDTLS_PK_C) && \
(defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C))
(defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME))
/*
* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
*/
@ -5417,7 +5417,7 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
return MBEDTLS_SSL_SIG_RSA;
}
#endif
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
return MBEDTLS_SSL_SIG_ECDSA;
}
@ -5445,7 +5445,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
case MBEDTLS_SSL_SIG_RSA:
return MBEDTLS_PK_RSA;
#endif
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
case MBEDTLS_SSL_SIG_ECDSA:
return MBEDTLS_PK_ECDSA;
#endif
@ -5453,7 +5453,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
return MBEDTLS_PK_NONE;
}
}
#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_PK_CAN_ECDSA_SOME ) */
/*
* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX

6
programs/ssl/ssl_server2.c
View file

@ -69,6 +69,8 @@ int main(void)
#include "test/psa_crypto_helpers.h"
#endif
#include "mbedtls/pk.h"
/* Size of memory to be allocated for the heap, when using the library's memory
* management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */
#define MEMORY_HEAP_SIZE 120000
@ -2652,7 +2654,7 @@ usage:
}
key_cert_init = 2;
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
if ((ret = mbedtls_x509_crt_parse(&srvcert2,
(const unsigned char *) mbedtls_test_srv_crt_ec,
mbedtls_test_srv_crt_ec_len)) != 0) {
@ -2669,7 +2671,7 @@ usage:
goto exit;
}
key_cert_init2 = 2;
#endif /* MBEDTLS_ECDSA_C */
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)

4
programs/ssl/ssl_test_common_source.c
View file

@ -272,7 +272,7 @@ int send_cb(void *ctx, unsigned char const *buf, size_t len)
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
@ -289,7 +289,7 @@ int send_cb(void *ctx, unsigned char const *buf, size_t len)
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \
((hash << 8) | MBEDTLS_SSL_SIG_RSA),
#endif
#elif defined(MBEDTLS_ECDSA_C)
#elif defined(MBEDTLS_PK_CAN_ECDSA_SOME)
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA),
#elif defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)

6
tests/scripts/all.sh
View file

@ -2165,7 +2165,8 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
make test
# TODO: ssl-opt.sh (currently doesn't pass) - #6861
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
# Keep in sync with component_test_psa_crypto_config_accel_ecdsa_use_psa.
@ -2184,7 +2185,8 @@ component_test_psa_crypto_config_reference_ecdsa_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA"
make test
# TODO: ssl-opt.sh (when the accel component is ready) - #6861
msg "test: ssl-opt.sh"
tests/ssl-opt.sh
}
component_test_psa_crypto_config_accel_ecdh () {

205
tests/ssl-opt.sh
View file

@ -221,6 +221,15 @@ skip_next_test() {
SKIP_NEXT="YES"
}
# Check if the required configuration ($1) is enabled
is_config_enabled()
{
case $CONFIGS_ENABLED in
*" $1"[\ =]*) return 0;;
*) return 1;;
esac
}
# skip next test if the flag is not enabled in mbedtls_config.h
requires_config_enabled() {
case $CONFIGS_ENABLED in
@ -272,6 +281,9 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() {
if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2
then
@ -351,9 +363,12 @@ requires_ciphersuite_enabled() {
esac
}
# detect_required_features CMD [RUN_TEST_OPTION...]
# If CMD (call to a TLS client or server program) requires certain features,
# arrange to only run the following test case if those features are enabled.
# Automatically detect required features based on command line parameters.
# Parameters are:
# - $1 = command line (call to a TLS client or server program)
# - $2 = client/server
# - $3 = TLS version (TLS12 or TLS13)
# - $4 = run test options
detect_required_features() {
case "$1" in
*\ force_version=*)
@ -378,6 +393,28 @@ detect_required_features() {
requires_config_enabled MBEDTLS_SSL_ALPN;;
esac
case "$1" in
*server5*|\
*server7*)
if [ "$3" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA"
else
# For TLS12 requirements are different between server and client
if [ "$2" = "server" ]; then
# If the server uses "server5*" certificates, then an ECDSA based
# key exchange is required
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
elif [ "$2" = "client" ]; then
# Otherwise for the client it is enough to have any certificate
# based authentication + support for ECDSA
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_pk_alg "ECDSA"
fi
fi
;;
esac
unset tmp
}
@ -460,12 +497,9 @@ check_for_hash_alg()
{
CURR_ALG="INVALID";
USE_PSA="NO"
case $CONFIGS_ENABLED in
*" MBEDTLS_USE_PSA_CRYPTO"[\ =]*)
USE_PSA="YES";
;;
*) :;;
esac
if is_config_enabled "MBEDTLS_USE_PSA_CRYPTO"; then
USE_PSA="YES";
fi
if [ $USE_PSA = "YES" ]; then
CURR_ALG=PSA_WANT_ALG_${1}
else
@ -517,6 +551,23 @@ requires_hash_alg() {
fi
}
# Skip next test if the given pk alg is not enabled
requires_pk_alg() {
case $1 in
ECDSA)
if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
requires_config_enabled PSA_WANT_ALG_ECDSA
else
requires_config_enabled MBEDTLS_ECDSA_C
fi
;;
*)
echo "Unknown/unimplemented case $1 in requires_pk_alg"
exit 1
;;
esac
}
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@ -1390,6 +1441,33 @@ do_run_test_once() {
fi
}
# Detect if the current test is going to use TLS 1.3.
# $1 and $2 contain the server and client command lines, respectively.
#
# Note: this function only provides some guess about TLS version by simply
# looking at the server/client command lines. Even thought this works
# for the sake of tests' filtering (especially in conjunction with the
# detect_required_features() function), it does NOT guarantee that the
# result is accurate. It does not check other conditions, such as:
# - MBEDTLS_SSL_PROTO_TLS1_x can be disabled to selectively remove
# TLS 1.2/1.3 suppport
# - we can force a ciphersuite which contains "WITH" in its name, meaning
# that we are going to use TLS 1.2
# - etc etc
get_tls_version() {
case $1 in
*tls1_3*|*tls13*)
echo "TLS13"
return;;
esac
case $2 in
*tls1_3*|*tls13*)
echo "TLS13"
return;;
esac
echo "TLS12"
}
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output
@ -1448,8 +1526,9 @@ run_test() {
# If the client or server requires certain features that can be detected
# from their command-line arguments, check that they're enabled.
detect_required_features "$SRV_CMD" "$@"
detect_required_features "$CLI_CMD" "$@"
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@"
# If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@"
@ -1813,7 +1892,6 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
run_test "TLS: password protected client key" \
"$P_SRV auth_mode=required" \
@ -1822,7 +1900,6 @@ run_test "TLS: password protected client key" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
run_test "TLS: password protected server key" \
"$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
@ -1831,7 +1908,6 @@ run_test "TLS: password protected server key" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "TLS: password protected server key, two certificates" \
@ -1854,7 +1930,6 @@ run_test "CA callback on client" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
run_test "CA callback on server" \
"$P_SRV auth_mode=required" \
@ -1870,7 +1945,7 @@ run_test "CA callback on server" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: ECDHE-ECDSA" \
"$P_SRV auth_mode=required crt_file=data_files/server5.crt \
@ -1889,7 +1964,6 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: ECDHE-RSA" \
@ -1928,7 +2002,7 @@ run_test "Opaque key for client authentication: DHE-RSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDHE-ECDSA" \
"$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
@ -1945,7 +2019,6 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDH-" \
"$P_SRV force_version=tls12 auth_mode=required key_opaque=1\
@ -1963,7 +2036,6 @@ run_test "Opaque key for server authentication: ECDH-" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \
@ -1998,7 +2070,6 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \
@ -2015,7 +2086,6 @@ run_test "Opaque key for server authentication: invalid alg: decrypt with ECC
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
@ -2033,7 +2103,6 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_CCM_C
run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
@ -2050,7 +2119,7 @@ run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \
@ -2071,7 +2140,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \
@ -2092,7 +2160,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_384
requires_config_enabled MBEDTLS_CCM_C
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@ -2176,7 +2243,6 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDHE-RSA" \
@ -2194,7 +2260,6 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: DHE-RSA" \
@ -2246,7 +2311,6 @@ run_test "Opaque key for server authentication: RSA-" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \
@ -2263,7 +2327,6 @@ run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@ -2285,7 +2348,6 @@ run_test "Opaque keys for server authentication: RSA keys with different algs
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_384
requires_config_enabled MBEDTLS_GCM_C
@ -2309,7 +2371,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
@ -2330,7 +2392,6 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for client/server authentication: ECDHE-RSA" \
@ -2351,7 +2412,6 @@ run_test "Opaque key for client/server authentication: ECDHE-RSA" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for client/server authentication: DHE-RSA" \
@ -2436,7 +2496,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_pk_alg "ECDSA"
requires_hash_alg SHA_256
run_test "Single supported algorithm sending: mbedtls client" \
"$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
@ -2446,7 +2507,6 @@ run_test "Single supported algorithm sending: mbedtls client" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
requires_hash_alg SHA_256
run_test "Single supported algorithm sending: openssl client" \
@ -5298,7 +5358,6 @@ run_test "Authentication: server badcert, client required" \
-c "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server badcert, client optional" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -5342,7 +5401,6 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \
requires_config_enabled MBEDTLS_ECP_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=data_files/server5.key \
crt_file=data_files/server5.ku-ka.crt" \
@ -5354,7 +5412,6 @@ run_test "Authentication: server ECDH p256v1, client required, p256v1 unsuppo
requires_config_enabled MBEDTLS_ECP_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=data_files/server5.key \
crt_file=data_files/server5.ku-ka.crt" \
@ -5365,7 +5422,6 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server badcert, client none" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -5522,7 +5578,6 @@ run_test "Authentication: client no cert, server optional" \
-S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: openssl client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$O_CLI" \
@ -5534,7 +5589,6 @@ run_test "Authentication: openssl client no cert, server optional" \
-S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client no cert, openssl server optional" \
"$O_SRV -verify 10 -tls1_2" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@ -5546,7 +5600,6 @@ run_test "Authentication: client no cert, openssl server optional" \
-C "! mbedtls_ssl_handshake returned"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client no cert, openssl server required" \
"$O_SRV -Verify 10 -tls1_2" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@ -5672,7 +5725,6 @@ run_test "Authentication: do not send CA list in CertificateRequest" \
-S "requested DN"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send CA list in CertificateRequest, client self signed" \
"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -5726,7 +5778,6 @@ run_test "Authentication: send alt hs DN hints in CertificateRequest" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server badcert, client required" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -5740,7 +5791,6 @@ run_test "Authentication, CA callback: server badcert, client required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server badcert, client optional" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -5762,7 +5812,6 @@ run_test "Authentication, CA callback: server badcert, client optional" \
requires_config_enabled MBEDTLS_ECP_C
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=data_files/server5.key \
crt_file=data_files/server5.ku-ka.crt" \
@ -5776,7 +5825,6 @@ run_test "Authentication, CA callback: server ECDH p256v1, client required, p
requires_config_enabled MBEDTLS_ECP_C
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=data_files/server5.key \
crt_file=data_files/server5.ku-ka.crt" \
@ -5815,7 +5863,6 @@ run_test "Authentication, CA callback: client SHA384, server required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client badcert, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -5840,7 +5887,6 @@ run_test "Authentication, CA callback: client badcert, server required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client cert not trusted, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -5861,7 +5907,6 @@ run_test "Authentication, CA callback: client cert not trusted, server requir
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client badcert, server optional" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -6643,6 +6688,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \
-C "Ciphersuite is "
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
"$P_SRV key_file=data_files/server5.key \
crt_file=data_files/server5.ku-ds.crt" \
@ -9044,6 +9090,10 @@ run_test "SSL async private: error in resume then operate correctly" \
# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
# Note: the function "detect_required_features()" is not able to detect more than
# one "force_ciphersuite" per client/server and it only picks the 2nd one.
# Therefore the 1st one is added explicitly here
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "SSL async private: cancel after start then fall back to transparent key" \
"$P_SRV \
async_operations=s async_private_delay1=1 async_private_error=-2 \
@ -9063,6 +9113,10 @@ run_test "SSL async private: cancel after start then fall back to transparent
# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
# Note: the function "detect_required_features()" is not able to detect more than
# one "force_ciphersuite" per client/server and it only picks the 2nd one.
# Therefore the 1st one is added explicitly here
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "SSL async private: sign, error in resume then fall back to transparent key" \
"$P_SRV \
async_operations=s async_private_delay1=1 async_private_error=-3 \
@ -9158,7 +9212,6 @@ run_test "Force a non ECC ciphersuite in the server side" \
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Force an ECC ciphersuite in the client side" \
"$P_SRV debug_level=3" \
@ -9172,7 +9225,6 @@ run_test "Force an ECC ciphersuite in the client side" \
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Force an ECC ciphersuite in the server side" \
"$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
@ -9448,7 +9500,6 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9470,7 +9521,6 @@ run_test "DTLS fragmenting: none (for reference)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9496,7 +9546,6 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \
# `client-initiated, server only (max_frag_len)` below.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9518,7 +9567,6 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9547,7 +9595,6 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
# negotiated MFL are sent.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9570,7 +9617,6 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9599,7 +9645,6 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
# negotiated MFL are sent.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -9622,7 +9667,6 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: none (for reference) (MTU)" \
@ -9643,7 +9687,6 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client (MTU)" \
@ -9664,7 +9707,6 @@ run_test "DTLS fragmenting: client (MTU)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: server (MTU)" \
@ -9685,7 +9727,6 @@ run_test "DTLS fragmenting: server (MTU)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: both (MTU=1024)" \
@ -9708,9 +9749,7 @@ run_test "DTLS fragmenting: both (MTU=1024)" \
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9742,8 +9781,6 @@ run_test "DTLS fragmenting: both (MTU=512)" \
not_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9768,8 +9805,6 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
only_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9796,7 +9831,6 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
@ -9824,8 +9858,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9852,7 +9884,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
@ -9877,8 +9908,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9915,8 +9944,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
@ -9945,9 +9972,7 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_CHACHAPOLY_C
requires_max_content_len 2048
@ -9978,9 +10003,7 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
@ -10012,9 +10035,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CCM_C
@ -10046,9 +10067,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
@ -10081,9 +10100,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
@ -10113,8 +10130,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
@ -10139,8 +10154,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
@ -10168,7 +10181,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
# pleases other implementations, so we don't need the peer to fragment
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_gnutls
requires_max_content_len 2048
run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
@ -10190,7 +10202,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
# GnuTLS continue the connection nonetheless.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_gnutls
requires_not_i686
requires_max_content_len 2048
@ -10205,7 +10216,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
"$O_SRV -dtls1_2 -verify 10" \
@ -10219,7 +10229,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_max_content_len 2048
run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
@ -10237,7 +10246,6 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
requires_gnutls_next
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
client_needs_more_time 4
requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
@ -10254,7 +10262,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
requires_gnutls_next
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
client_needs_more_time 4
requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
@ -10272,7 +10279,6 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
client_needs_more_time 4
requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
@ -10291,7 +10297,6 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
skip_next_test
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
client_needs_more_time 4
requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \