Merge branch 'psa_cipher_integration' into development-psa-proposed
commit
a0a96a0c56
3 changed files with 191 additions and 31 deletions
|
@ -54,6 +54,19 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
|
||||||
#define MAX_KEY_BYTES 32 /* 256 bits */
|
#define MAX_KEY_BYTES 32 /* 256 bits */
|
||||||
|
|
||||||
|
#define TICKET_KEY_NAME_BYTES 4
|
||||||
|
#define TICKET_IV_BYTES 12
|
||||||
|
#define TICKET_CRYPT_LEN_BYTES 2
|
||||||
|
#define TICKET_AUTH_TAG_BYTES 16
|
||||||
|
|
||||||
|
#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||||
|
TICKET_IV_BYTES + \
|
||||||
|
TICKET_CRYPT_LEN_BYTES + \
|
||||||
|
TICKET_AUTH_TAG_BYTES )
|
||||||
|
#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||||
|
TICKET_IV_BYTES + \
|
||||||
|
TICKET_CRYPT_LEN_BYTES )
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Generate/update a key
|
* Generate/update a key
|
||||||
*/
|
*/
|
||||||
|
@ -141,11 +154,27 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||||
if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
|
if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
|
ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
|
||||||
{
|
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
return( ret );
|
||||||
|
/* We don't yet expect to support all ciphers through PSA,
|
||||||
|
* so allow fallback to ordinary mbedtls_cipher_setup(). */
|
||||||
|
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
|
||||||
|
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
return( ret );
|
||||||
|
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
|
||||||
|
|
||||||
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
|
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
|
||||||
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
|
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
|
||||||
|
@ -278,6 +307,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
|
||||||
* The key_name, iv, and length of encrypted_state are the additional
|
* The key_name, iv, and length of encrypted_state are the additional
|
||||||
* authenticated data.
|
* authenticated data.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
int mbedtls_ssl_ticket_write( void *p_ticket,
|
int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
const mbedtls_ssl_session *session,
|
const mbedtls_ssl_session *session,
|
||||||
unsigned char *start,
|
unsigned char *start,
|
||||||
|
@ -289,9 +319,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
mbedtls_ssl_ticket_key *key;
|
mbedtls_ssl_ticket_key *key;
|
||||||
unsigned char *key_name = start;
|
unsigned char *key_name = start;
|
||||||
unsigned char *iv = start + 4;
|
unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
|
||||||
unsigned char *state_len_bytes = iv + 12;
|
unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
|
||||||
unsigned char *state = state_len_bytes + 2;
|
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
|
||||||
unsigned char *tag;
|
unsigned char *tag;
|
||||||
size_t clear_len, ciph_len;
|
size_t clear_len, ciph_len;
|
||||||
|
|
||||||
|
@ -302,7 +332,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
|
|
||||||
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
|
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
|
||||||
* in addition to session itself, that will be checked when writing it. */
|
* in addition to session itself, that will be checked when writing it. */
|
||||||
if( end - start < 4 + 12 + 2 + 16 )
|
if( end - start < TICKET_MIN_LEN )
|
||||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
#if defined(MBEDTLS_THREADING_C)
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
@ -317,9 +347,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
|
|
||||||
*ticket_lifetime = ctx->ticket_lifetime;
|
*ticket_lifetime = ctx->ticket_lifetime;
|
||||||
|
|
||||||
memcpy( key_name, key->name, 4 );
|
memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
|
||||||
|
|
||||||
if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
|
if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Dump session state */
|
/* Dump session state */
|
||||||
|
@ -335,8 +365,11 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
/* Encrypt and authenticate */
|
/* Encrypt and authenticate */
|
||||||
tag = state + clear_len;
|
tag = state + clear_len;
|
||||||
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
|
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
|
||||||
iv, 12, key_name, 4 + 12 + 2,
|
iv, TICKET_IV_BYTES,
|
||||||
state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
|
/* Additional data: key name, IV and length */
|
||||||
|
key_name, TICKET_ADD_DATA_LEN,
|
||||||
|
state, clear_len, state, &ciph_len,
|
||||||
|
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||||
{
|
{
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
@ -346,7 +379,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
*tlen = 4 + 12 + 2 + 16 + ciph_len;
|
*tlen = TICKET_MIN_LEN + ciph_len;
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
#if defined(MBEDTLS_THREADING_C)
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
@ -385,17 +418,16 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
|
||||||
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
mbedtls_ssl_ticket_key *key;
|
mbedtls_ssl_ticket_key *key;
|
||||||
unsigned char *key_name = buf;
|
unsigned char *key_name = buf;
|
||||||
unsigned char *iv = buf + 4;
|
unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
|
||||||
unsigned char *enc_len_p = iv + 12;
|
unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
|
||||||
unsigned char *ticket = enc_len_p + 2;
|
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
|
||||||
unsigned char *tag;
|
unsigned char *tag;
|
||||||
size_t enc_len, clear_len;
|
size_t enc_len, clear_len;
|
||||||
|
|
||||||
if( ctx == NULL || ctx->f_rng == NULL )
|
if( ctx == NULL || ctx->f_rng == NULL )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
/* See mbedtls_ssl_ticket_write() */
|
if( len < TICKET_MIN_LEN )
|
||||||
if( len < 4 + 12 + 2 + 16 )
|
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
#if defined(MBEDTLS_THREADING_C)
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
@ -409,7 +441,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
|
||||||
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
||||||
tag = ticket + enc_len;
|
tag = ticket + enc_len;
|
||||||
|
|
||||||
if( len != 4 + 12 + 2 + enc_len + 16 )
|
if( len != TICKET_MIN_LEN + enc_len )
|
||||||
{
|
{
|
||||||
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
@ -425,9 +457,13 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Decrypt and authenticate */
|
/* Decrypt and authenticate */
|
||||||
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
|
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
|
||||||
key_name, 4 + 12 + 2, ticket, enc_len,
|
iv, TICKET_IV_BYTES,
|
||||||
ticket, &clear_len, tag, 16 ) ) != 0 )
|
/* Additional data: key name, IV and length */
|
||||||
|
key_name, TICKET_ADD_DATA_LEN,
|
||||||
|
ticket, enc_len,
|
||||||
|
ticket, &clear_len,
|
||||||
|
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||||
{
|
{
|
||||||
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
|
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
|
||||||
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
|
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
|
||||||
|
|
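Review bot: In mbedtls_ssl_ticket_setup() the new PSA path ends in an unbraced `if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )` placed directly before `#endif`, so the statement it guards is the legacy `mbedtls_cipher_setup()` call on the other side of the preprocessor block. The whole sequence is written out twice, once for keys[0] and once for keys[1]. Which backend a ticket key ends up on is therefore decided by control flow that a later edit can break without any compiler diagnostic, since a line inserted after the `#endif` becomes the guarded statement. A small static helper that returns early unless PSA reported the cipher as unavailable keeps the fallback rule in one place. The function body starts and ends outside the hunk, so the sketch shows only the helper and the call site.

```c
static int ssl_ticket_cipher_setup( mbedtls_cipher_context_t *cipher_ctx,
                                    const mbedtls_cipher_info_t *cipher_info )
{
    int ret;

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    ret = mbedtls_cipher_setup_psa( cipher_ctx, cipher_info,
                                    TICKET_AUTH_TAG_BYTES );
    /* Only "cipher not available through PSA" may fall back to the
     * legacy setup; success and every other error are returned as is. */
    if( ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
        return( ret );
#endif /* MBEDTLS_USE_PSA_CRYPTO */

    return( mbedtls_cipher_setup( cipher_ctx, cipher_info ) );
}

/* ... unchanged: key_bitlen check in mbedtls_ssl_ticket_setup() ... */
    if( ( ret = ssl_ticket_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
        ( ret = ssl_ticket_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
    {
        return( ret );
    }
/* ... unchanged: ssl_ticket_gen_key() calls ... */
```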
|
@ -632,6 +632,9 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
|
||||||
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
int psa_fallthrough;
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
unsigned char tmp[64];
|
unsigned char tmp[64];
|
||||||
unsigned char keyblk[256];
|
unsigned char keyblk[256];
|
||||||
unsigned char *key1;
|
unsigned char *key1;
|
||||||
|
@ -640,6 +643,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
unsigned char *mac_dec;
|
unsigned char *mac_dec;
|
||||||
size_t mac_key_len;
|
size_t mac_key_len;
|
||||||
size_t iv_copy_len;
|
size_t iv_copy_len;
|
||||||
|
size_t taglen = 0;
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
const mbedtls_md_info_t *md_info;
|
const mbedtls_md_info_t *md_info;
|
||||||
|
|
||||||
|
@ -899,7 +903,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
cipher_info->mode == MBEDTLS_MODE_CCM ||
|
cipher_info->mode == MBEDTLS_MODE_CCM ||
|
||||||
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||||
{
|
{
|
||||||
size_t taglen, explicit_ivlen;
|
size_t explicit_ivlen;
|
||||||
|
|
||||||
transform->maclen = 0;
|
transform->maclen = 0;
|
||||||
mac_key_len = 0;
|
mac_key_len = 0;
|
||||||
|
@ -1119,6 +1123,43 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
|
||||||
|
/* Only use PSA-based ciphers for TLS-1.2.
|
||||||
|
* That's relevant at least for TLS-1.0, where
|
||||||
|
* we assume that mbedtls_cipher_crypt() updates
|
||||||
|
* the structure field for the IV, which the PSA-based
|
||||||
|
* implementation currently doesn't. */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
|
{
|
||||||
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
|
||||||
|
cipher_info, taglen );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
|
||||||
|
psa_fallthrough = 0;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
#else
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
if( psa_fallthrough == 1 )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
|
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
|
||||||
cipher_info ) ) != 0 )
|
cipher_info ) ) != 0 )
|
||||||
{
|
{
|
||||||
|
@ -1126,6 +1167,42 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
/* Only use PSA-based ciphers for TLS-1.2.
|
||||||
|
* That's relevant at least for TLS-1.0, where
|
||||||
|
* we assume that mbedtls_cipher_crypt() updates
|
||||||
|
* the structure field for the IV, which the PSA-based
|
||||||
|
* implementation currently doesn't. */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
|
{
|
||||||
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
|
||||||
|
cipher_info, taglen );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
|
||||||
|
psa_fallthrough = 0;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
#else
|
||||||
|
psa_fallthrough = 1;
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
if( psa_fallthrough == 1 )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
|
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
|
||||||
cipher_info ) ) != 0 )
|
cipher_info ) ) != 0 )
|
||||||
{
|
{
|
||||||
|
|
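Review bot: In mbedtls_ssl_derive_keys() a connection for which `mbedtls_cipher_setup_psa()` returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE, or which is not TLS 1.2, continues on the legacy cipher layer, and the only trace is a level-1 debug message. The same holds for the decryption block in the following hunk, and the two contexts are decided independently of each other. For builds that enable MBEDTLS_USE_PSA_CRYPTO, presumably to keep record keys behind the PSA interface, that is worth stating at the fallback, e.g. `/* Fallback: record protection uses the legacy cipher layer, not PSA; visible in debug output only. */` above `if( psa_fallthrough == 1 )`. That `if` is also unbraced and sits immediately before `#endif`, so bracing the guarded `mbedtls_cipher_setup()` call, or moving both blocks into one static helper, would make the guard robust against later edits. The function continues outside the hunks shown.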
|
@ -185,6 +185,12 @@ requires_config_value_at_most() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
requires_ciphersuite_enabled() {
|
||||||
|
if [ -z "$($P_CLI --help | grep $1)" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
|
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
|
||||||
requires_openssl_with_fallback_scsv() {
|
requires_openssl_with_fallback_scsv() {
|
||||||
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
|
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
|
||||||
|
@ -519,14 +525,6 @@ run_test() {
|
||||||
SKIP_NEXT="YES"
|
SKIP_NEXT="YES"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# should we skip?
|
|
||||||
if [ "X$SKIP_NEXT" = "XYES" ]; then
|
|
||||||
SKIP_NEXT="NO"
|
|
||||||
echo "SKIP"
|
|
||||||
SKIPS=$(( $SKIPS + 1 ))
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
|
|
||||||
# does this test use a proxy?
|
# does this test use a proxy?
|
||||||
if [ "X$1" = "X-p" ]; then
|
if [ "X$1" = "X-p" ]; then
|
||||||
PXY_CMD="$2"
|
PXY_CMD="$2"
|
||||||
|
@ -541,6 +539,26 @@ run_test() {
|
||||||
CLI_EXPECT="$3"
|
CLI_EXPECT="$3"
|
||||||
shift 3
|
shift 3
|
||||||
|
|
||||||
|
# Check if server forces ciphersuite
|
||||||
|
FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
|
||||||
|
if [ ! -z "$FORCE_CIPHERSUITE" ]; then
|
||||||
|
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check if client forces ciphersuite
|
||||||
|
FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
|
||||||
|
if [ ! -z "$FORCE_CIPHERSUITE" ]; then
|
||||||
|
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
|
||||||
|
fi
|
||||||
|
|
||||||
|
# should we skip?
|
||||||
|
if [ "X$SKIP_NEXT" = "XYES" ]; then
|
||||||
|
SKIP_NEXT="NO"
|
||||||
|
echo "SKIP"
|
||||||
|
SKIPS=$(( $SKIPS + 1 ))
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
# fix client port
|
# fix client port
|
||||||
if [ -n "$PXY_CMD" ]; then
|
if [ -n "$PXY_CMD" ]; then
|
||||||
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
|
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
|
||||||
|
@ -734,6 +752,23 @@ run_test() {
|
||||||
rm -f $SRV_OUT $CLI_OUT $PXY_OUT
|
rm -f $SRV_OUT $CLI_OUT $PXY_OUT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
run_test_psa() {
|
||||||
|
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||||
|
run_test "PSA-supported ciphersuite: $1" \
|
||||||
|
"$P_SRV debug_level=1 force_version=tls1_2" \
|
||||||
|
"$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \
|
||||||
|
0 \
|
||||||
|
-c "Successfully setup PSA-based decryption cipher context" \
|
||||||
|
-c "Successfully setup PSA-based encryption cipher context" \
|
||||||
|
-s "Successfully setup PSA-based decryption cipher context" \
|
||||||
|
-s "Successfully setup PSA-based encryption cipher context" \
|
||||||
|
-C "Failed to setup PSA-based cipher context"\
|
||||||
|
-S "Failed to setup PSA-based cipher context"\
|
||||||
|
-s "Protocol is TLSv1.2" \
|
||||||
|
-S "error" \
|
||||||
|
-C "error"
|
||||||
|
}
|
||||||
|
|
||||||
cleanup() {
|
cleanup() {
|
||||||
rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
|
rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
|
||||||
test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
|
test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
|
||||||
|
@ -880,6 +915,18 @@ run_test "Opaque key for client authentication" \
|
||||||
-S "error" \
|
-S "error" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
|
# Test ciphersuites which we expect to be fully supported by PSA Crypto
|
||||||
|
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
|
||||||
|
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
|
||||||
|
|
||||||
# Test current time in ServerHello
|
# Test current time in ServerHello
|
||||||
requires_config_enabled MBEDTLS_HAVE_TIME
|
requires_config_enabled MBEDTLS_HAVE_TIME
|
||||||
run_test "ServerHello contains gmt_unix_time" \
|
run_test "ServerHello contains gmt_unix_time" \
|
||||||
|
|
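Review bot: requires_ciphersuite_enabled() runs `grep $1` unquoted and as a regular-expression substring match, so `TLS-ECDHE-ECDSA-WITH-AES-128-CCM` is also satisfied by a help listing that contains only `TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8`, and the test is then run instead of skipped. Matching the whole name and quoting the argument avoids that, for example `if ! $P_CLI --help | grep -qE -- "(^|[[:space:]])$1([[:space:]]|\$)"; then` (this assumes the names in the help output are whitespace-separated, which is not visible here). The two call sites in run_test() should likewise pass `"$FORCE_CIPHERSUITE"` quoted.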