Remove further ECDH tests

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>

tests/ssl-opt.sh

@@ -2306,22 +2306,7 @@ run_test    "Opaque key for server authentication: ECDHE-ECDSA" \
             -C "error"
 
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_hash_alg SHA_256
-run_test    "Opaque key for server authentication: ECDH-" \
-            "$P_SRV auth_mode=required key_opaque=1\
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\
-             key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \
-            "$P_CLI force_version=tls12" \
-            0 \
-            -c "Verifying peer X.509 certificate... ok" \
-            -c "Ciphersuite is TLS-ECDH-" \
-            -s "key types: Opaque, none" \
-            -s "Ciphersuite is TLS-ECDH-" \
-            -S "error" \
-            -C "error"
-
-requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled PSA_WANT_ALG_ECDSA
+requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
 requires_hash_alg SHA_256
@@ -6103,31 +6088,6 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3"
          -C "x509_verify_cert() returned -" \
          -C "X509 - Certificate verification failed"
 
-# The purpose of the next two tests is to test the client's behaviour when receiving a server
-# certificate with an unsupported elliptic curve. This should usually not happen because
-# the client informs the server about the supported curves - it does, though, in the
-# corner case of a static ECDH suite, because the server doesn't check the curve on that
-# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
-# different means to have the server ignoring the client's supported curve list.
-
-run_test    "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
-            "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
-            "$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \
-            1 \
-            -c "bad certificate (EC key curve)"\
-            -c "! Certificate verification flags"\
-            -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
-
-run_test    "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
-            "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
-            "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \
-            1 \
-            -c "bad certificate (EC key curve)"\
-            -c "! Certificate verification flags"\
-            -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
-
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
 run_test    "Authentication: client SHA256, server required" \
             "$P_SRV auth_mode=required" \
@@ -6480,33 +6440,6 @@ run_test    "Authentication, CA callback: server badcert, client none" \
             -C "! mbedtls_ssl_handshake returned" \
             -C "X509 - Certificate verification failed"
 
-# The purpose of the next two tests is to test the client's behaviour when receiving a server
-# certificate with an unsupported elliptic curve. This should usually not happen because
-# the client informs the server about the supported curves - it does, though, in the
-# corner case of a static ECDH suite, because the server doesn't check the curve on that
-# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
-# different means to have the server ignoring the client's supported curve list.
-
-run_test    "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
-            "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
-            "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \
-            1 \
-            -c "use CA callback for X.509 CRT verification" \
-            -c "bad certificate (EC key curve)" \
-            -c "! Certificate verification flags" \
-            -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
-
-run_test    "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
-            "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
-            "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \
-            1 \
-            -c "use CA callback for X.509 CRT verification" \
-            -c "bad certificate (EC key curve)"\
-            -c "! Certificate verification flags"\
-            -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
-
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
 run_test    "Authentication, CA callback: client SHA384, server required" \
             "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
@@ -7911,14 +7844,6 @@ run_test    "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \
             0 \
             -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
 
-
-run_test    "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \
-            "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
-             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
-            "$P_CLI" \
-            0 \
-            -c "Ciphersuite is TLS-ECDH-"
-
 run_test    "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \
             "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
              crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \