From 26cdf6ee2b0ac1595034ae510bfd290564302c0e Mon Sep 17 00:00:00 2001
From: Ben Taylor <ben.taylor@linaro.org>
Date: Thu, 11 Sep 2025 07:52:53 +0100
Subject: [PATCH] Re-adding tests for ECDH

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
---
 tests/ssl-opt.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 22377b8d04..2b10cde5a1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2357,6 +2357,52 @@ run_test    "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA"
             -S "error" \
             -C "error"
 
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_hash_alg SHA_256
+run_test    "Opaque key for server authentication: ECDH-" \
+            "$P_SRV auth_mode=required key_opaque=1\
+             crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\
+             key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \
+            "$P_CLI force_version=tls12" \
+            0 \
+            -c "Verifying peer X.509 certificate... ok" \
+            -c "Ciphersuite is TLS-ECDH-" \
+            -s "key types: Opaque, none" \
+            -s "Ciphersuite is TLS-ECDH-" \
+            -S "error" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled PSA_WANT_ALG_ECDSA
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_hash_alg SHA_256
+run_test    "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \
+            "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+             key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
+             debug_level=1" \
+            "$P_CLI force_version=tls12" \
+            1 \
+            -s "key types: Opaque, none" \
+            -s "error" \
+            -c "error" \
+            -c "Public key type mismatch"
+
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_hash_alg SHA_256
+run_test    "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \
+            "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+             key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
+             debug_level=1" \
+            "$P_CLI force_version=tls12" \
+            1 \
+            -s "key types: Opaque, none" \
+            -s "got ciphersuites in common, but none of them usable" \
+            -s "error" \
+            -c "error"
+
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 requires_config_enabled MBEDTLS_SSL_SRV_C