The previous commit had:
- one obvious mistake (-f NULL with default -e runs nothing)
- one unforeseen issue: OPENSSL_NEXT skips static ECDH
- arguably scope creep: the stated goal was to simplify the full
invocation (in particular, make it obvious that everything is run
without having to remember the default value of EXCLUDE), but it also
made an unrelated change: running most tests with OPENSSL_NEXT (hence
the previous point).
This commit should fix all this, in particular it switches back to
running most tests with OPENSSL and using OPENSSL_NEXT only when needed.
Hopefully in the future we'll do the opposite: most tests will run with
a recent OpenSSL, and only those that need an older one will use
something older. But that will be another PR.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We actually only need two invocations.
This also moves all the default tests to OPENSSL_NEXT, which is good
because OPENSSL is ancient.
I have no idea why NULL doesn't work with OPENSSL_NEXT (1.1.1a) server,
because according to the manpage [1], "ALL,COMPLEMENTOFALL" (which is
what we are using) should do it, and indeed
$OPENSSL_NEXT ciphers "ALL,COMPLEMENTOFALL" | tr ':' '\n'
lists NULL ciphersuites, and also they work client-side with
OPENSSL_NEXT...
[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
Also, while at it, remove partial invocation (only non-default) from one
component, as we already have a full invocation in the same config (plus
ASan) in another component.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Skipping DTLS 1.2 with old versions was already done, but now properly
test support only once and use the results.
Note that historically, this script's policy was that it's the user's
job to find the right value of -e (EXCLUDE) for their version for
OpenSSL & config. Now it's a weird mix of that and the script doing some
detection and skipping.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Fix documentation of mbedtls_ssl_session_set()
regarding its dependency on MBEDTLS_SSL_SESSION_TICKETS
in TLS 1.3 case.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
It was eventually decided to not support multiple
tickets in TLS 1.3 ClientHello messages thus
removing the parts in mbedtls_ssl_session_set()
documentation that were anticipating that.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix documentation of mbedtls_ssl_session_get()
regarding its interaction with session
ticket enablement.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The API has eventually not been changed to
return multiple tickets through multiple
subsequent call to it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix documentation of mbedtls_ssl_session_save()
regarding its dependency on MBEDTLS_SSL_SESSION_TICKETS
in TLS 1.3 session case.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add tests where we explicitely check that
tickets are ignored on client side when
the support is not enabled.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
We use logical '&&' everywhere, let's be consistent.
(Unless I'm mistaken, binary '&' happens to give the same results for
booleans so this wasn't an actual bug, just style/readability issue.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- "in-driver" test should depend on the present
of a driver.
- add new counter in key manangement driver test
hook which counts the calls of generate_key.
- We only care about the hits when processing
`psa_generate_key`.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
If the wrapped key has a PKCS1 v1.5 signature algorithm, then try
to call sign_ext() to perform PSA RSS. Of course this will fail
because it's not supported by the wrapped key.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
In case of opaque keys skip the check of the supported primary/enrollment
algorithms. Just try to perfom the signature and if the wrapped key
does not support RSA PSS the operation will fail automatically.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
