From 535cd1790bf160d173fbac9553ec7c1dd3acf9d5 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 8 Mar 2022 06:50:12 -0500 Subject: [PATCH 01/12] Add a curves argument to mocked ssl tests This will be used to force a curve in certain tests Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 74e60ae08..4717264d3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -876,7 +876,8 @@ exit: int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg, mbedtls_test_message_socket_context *dtls_context, mbedtls_test_message_queue *input_queue, - mbedtls_test_message_queue *output_queue ) + mbedtls_test_message_queue *output_queue, + const mbedtls_ecp_group_id *curves ) { int ret = -1; @@ -936,6 +937,9 @@ int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg, MBEDTLS_SSL_PRESET_DEFAULT ); TEST_ASSERT( ret == 0 ); + if( curves != NULL ) + mbedtls_ssl_conf_curves( &(ep->conf), curves ); + ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) ); TEST_ASSERT( ret == 0 ); @@ -1712,7 +1716,7 @@ void perform_handshake( handshake_test_options* options ) TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, options->pk_alg, &client_context, &client_queue, - &server_queue ) == 0 ); + &server_queue, NULL ) == 0 ); #if defined(MBEDTLS_TIMING_C) mbedtls_ssl_set_timer_cb( &client.ssl, &timer_client, mbedtls_timing_set_delay, @@ -1723,7 +1727,7 @@ void perform_handshake( handshake_test_options* options ) { TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, options->pk_alg, NULL, NULL, - NULL ) == 0 ); + NULL, NULL ) == 0 ); } if( options->client_min_version != TEST_SSL_MINOR_VERSION_NONE ) 
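Review bot: The new `curves` parameter of mbedtls_endpoint_init is undocumented, and the added `mbedtls_ssl_conf_curves( &(ep->conf), curves );` hands the caller's array straight to the SSL config. As far as I know mbedtls_ssl_conf_curves keeps the pointer rather than copying the list, so the array must be terminated by MBEDTLS_ECP_DP_NONE and must stay valid until the endpoint is freed. A comment above the signature would record that, for example `/* curves: optional MBEDTLS_ECP_DP_NONE-terminated list, must outlive ep; NULL keeps the defaults */`. The function body starts and ends outside both hunks that touch it.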
@@ -1758,7 +1762,7 @@ void perform_handshake( handshake_test_options* options ) TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, options->pk_alg, &server_context, &server_queue, - &client_queue) == 0 ); + &client_queue, NULL ) == 0 ); #if defined(MBEDTLS_TIMING_C) mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server, mbedtls_timing_set_delay, @@ -1768,7 +1772,8 @@ void perform_handshake( handshake_test_options* options ) else { TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, - options->pk_alg, NULL, NULL, NULL ) == 0 ); + options->pk_alg, NULL, NULL, + NULL, NULL ) == 0 ); } mbedtls_ssl_conf_authmode( &server.conf, options->srv_auth_mode ); @@ -4154,14 +4159,14 @@ void mbedtls_endpoint_sanity( int endpoint_type ) int ret = -1; ret = mbedtls_endpoint_init( NULL, endpoint_type, MBEDTLS_PK_RSA, - NULL, NULL, NULL ); + NULL, NULL, NULL, NULL ); TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret ); ret = mbedtls_endpoint_certificate_init( NULL, MBEDTLS_PK_RSA ); TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret ); ret = mbedtls_endpoint_init( &ep, endpoint_type, MBEDTLS_PK_RSA, - NULL, NULL, NULL ); + NULL, NULL, NULL, NULL ); TEST_ASSERT( ret == 0 ); exit: @@ -4177,13 +4182,13 @@ void move_handshake_to_state(int endpoint_type, int state, int need_pass) int ret = -1; ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA, - NULL, NULL, NULL ); + NULL, NULL, NULL, NULL ); TEST_ASSERT( ret == 0 ); ret = mbedtls_endpoint_init( &second_ep, ( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, - MBEDTLS_PK_RSA, NULL, NULL, NULL ); + MBEDTLS_PK_RSA, NULL, NULL, NULL, NULL ); TEST_ASSERT( ret == 0 ); ret = mbedtls_mock_socket_connect( &(base_ep.socket), From b4eedf7a234f9ee5a0e16e4743ca1ef8fa0e8eb9 Mon Sep 17 00:00:00 2001 
From: Andrzej Kurek Date: Fri, 15 Apr 2022 05:41:14 -0400 Subject: [PATCH 02/12] Test failing raw_key_agreement in ssl mock tests Force a bitflip in server key to make the raw key agreement fail, and then verify that no key slots are left open at the end. Use a Weierstrass curve to have a high chance of failure upon encountering such bitflip. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 3 ++ tests/suites/test_suite_ssl.function | 76 ++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index fe7d97825..15d9c5f85 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10683,3 +10683,6 @@ ssl_cf_memcpy_offset:0:255:32 # we could get this with 255-bytes plaintext and untruncated SHA-384 Constant-flow memcpy from offset: large ssl_cf_memcpy_offset:100:339:48 + +Raw key agreement fail +raw_key_agreement_fail: diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 4717264d3..8bf1cacd9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -4555,3 +4555,79 @@ exit: mbedtls_free( src ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ +void raw_key_agreement_fail( ) +{ + enum { BUFFSIZE = 17000 }; + mbedtls_endpoint client, server; + mbedtls_psa_stats_t stats; + +#if defined(MBEDTLS_TIMING_C) + mbedtls_timing_delay_context timer_client, timer_server; +#endif + mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP256R1, + MBEDTLS_ECP_DP_NONE }; + + mbedtls_test_message_queue server_queue, client_queue; + mbedtls_test_message_socket_context server_context, client_context; + + mbedtls_message_socket_init( &server_context ); + mbedtls_message_socket_init( &client_context ); + + USE_PSA_INIT( ); + + /* Client side, force SECP256R1 to make one key bitflip fail + * the raw key agreement. Flipping one bit with a Weierstrass + * curve (as opposed to a Montgomery curve) has a high chance of + * making it invalid. */ + TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_PK_RSA, &client_context, + &client_queue, + &server_queue, curve_list ) == 0 ); +#if defined(MBEDTLS_TIMING_C) + mbedtls_ssl_set_timer_cb( &client.ssl, &timer_client, + mbedtls_timing_set_delay, + mbedtls_timing_get_delay ); +#endif + + /* Server side */ + TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, + MBEDTLS_PK_RSA, &server_context, + &server_queue, + &client_queue, NULL ) == 0 ); +#if defined(MBEDTLS_TIMING_C) + mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server, + mbedtls_timing_set_delay, + mbedtls_timing_get_delay ); +#endif + + TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket), + &(server.socket), + BUFFSIZE ) == 0 ); + + TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl), + &(server.ssl), + MBEDTLS_SSL_CLIENT_KEY_EXCHANGE ) + == 0 ); + + /* Force a simulated bitflip in the server key. to make the + * raw key agreement in ssl_write_client_key_exchange fail. 
*/ + (client.ssl).handshake->ecdh_psa_peerkey[5] ^= 0x02; + + TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl), + &(server.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER ) + != 0 ); + + mbedtls_psa_get_stats( &stats ); + + /* Make sure that the key slot is destroyed properly in case of failure. */ + TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); + +exit: + mbedtls_endpoint_free( &client, &client_context ); + mbedtls_endpoint_free( &server, &server_context ); + USE_PSA_DONE( ); +} +/* END_CASE */ From 8985e1ff80b03a139a4a8227ecc182d6319ef9fa Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 15 Apr 2022 05:42:54 -0400 Subject: [PATCH 03/12] Update raw key agreement test dependencies Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8bf1cacd9..0eb68bd1c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4556,7 +4556,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ void raw_key_agreement_fail( ) { enum { BUFFSIZE = 17000 }; From 577939a2682901580bfcf163acf8bfb4fc4525ac Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 15 Apr 2022 05:45:44 -0400 Subject: [PATCH 04/12] Tests: add missing requirements for the raw key agreement test SECP384R1 is needed for the default loaded certificate. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 0eb68bd1c..44be82449 100644 --- a/tests/suites/test_suite_ssl.function 
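Review bot: In the new raw_key_agreement_fail, `client` and `server` are declared uninitialised, yet any TEST_ASSERT that fails before the second mbedtls_endpoint_init jumps to `exit:`, where both are passed to mbedtls_endpoint_free. If the client init fails, `server` still holds stack garbage when it is freed. mbedtls_endpoint_free is not visible here, so whether it tolerates that needs checking. Zeroing both at the top, e.g. `memset( &client, 0, sizeof( client ) ); memset( &server, 0, sizeof( server ) );`, would keep the cleanup path defined, assuming the free helpers accept a zeroed context. That matters for a test whose purpose is to check resource release on an error path.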
+++ b/tests/suites/test_suite_ssl.function @@ -4556,7 +4556,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CTR_DRBG_C:MBEDTLS_ECP_C */ void raw_key_agreement_fail( ) { enum { BUFFSIZE = 17000 }; From 2582ba3a529073a3fa5fa93a234bf59cbb307d13 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 31 Mar 2022 06:30:54 -0400 Subject: [PATCH 05/12] Change the number of expected free key slots Development TLS code now uses PSA to generate an ECDH private key. Although this would not be required in 2.28 branch, it is backported for compatibility. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 44be82449..90dc1776f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4562,6 +4562,7 @@ void raw_key_agreement_fail( ) enum { BUFFSIZE = 17000 }; mbedtls_endpoint client, server; mbedtls_psa_stats_t stats; + size_t free_slots_before = -1; #if defined(MBEDTLS_TIMING_C) mbedtls_timing_delay_context timer_client, timer_server; 
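Review bot: `size_t free_slots_before = -1;` relies on an implicit signed-to-unsigned conversion to produce its sentinel, which hides the intent and can trip sign-conversion warnings. `size_t free_slots_before = SIZE_MAX;` (or `(size_t) -1`) states the same value explicitly. The declaration is in raw_key_agreement_fail, whose body continues outside this hunk.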
@@ -4611,6 +4612,11 @@ void raw_key_agreement_fail( ) MBEDTLS_SSL_CLIENT_KEY_EXCHANGE ) == 0 ); + mbedtls_psa_get_stats( &stats ); + /* Save the number of slots in use up to this point. + * With PSA, one can be used for the ECDH private key. */ + free_slots_before = stats.empty_slots; + /* Force a simulated bitflip in the server key. to make the * raw key agreement in ssl_write_client_key_exchange fail. */ (client.ssl).handshake->ecdh_psa_peerkey[5] ^= 0x02; @@ -4623,11 +4629,15 @@ void raw_key_agreement_fail( ) mbedtls_psa_get_stats( &stats ); /* Make sure that the key slot is destroyed properly in case of failure. */ - TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); + TEST_ASSERT( free_slots_before == stats.empty_slots ); exit: mbedtls_endpoint_free( &client, &client_context ); mbedtls_endpoint_free( &server, &server_context ); + + mbedtls_psa_get_stats( &stats ); + TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); + USE_PSA_DONE( ); } /* END_CASE */ From 99f6778b600b835661626a0ed3bd5fad19bc9546 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 31 Mar 2022 07:17:18 -0400 Subject: [PATCH 06/12] Change the bit to flip to guarantee failure For weistrass curves the pair is encoded as 0x04 || x || y. Flipping one of the bits in the first byte should be a sure failure. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 90dc1776f..d540c594b 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
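Review bot: The added comment "Save the number of slots in use up to this point" does not match the statement under it, which stores `stats.empty_slots`, the number of free slots. The later comparison is also against `stats.empty_slots`, so the code is consistent and only the comment is off. I would reword it to `/* Save the number of free slots at this point; with PSA, one slot may already hold the ECDH private key. */`.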
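Review bot: The `TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT );` added after the `exit:` label is unsafe if TEST_ASSERT jumps to `exit` on failure. A failing check would then re-enter the cleanup and call mbedtls_endpoint_free a second time on endpoints that were already freed, possibly in a loop. Cleanup code after `exit:` should not contain jumping assertions; drop the check if the PSA teardown already verifies that no slots remain in use, or move it above the label.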
@@ -4616,10 +4616,10 @@ void raw_key_agreement_fail( ) /* Save the number of slots in use up to this point. * With PSA, one can be used for the ECDH private key. */ free_slots_before = stats.empty_slots; - + /* Force a simulated bitflip in the server key. to make the * raw key agreement in ssl_write_client_key_exchange fail. */ - (client.ssl).handshake->ecdh_psa_peerkey[5] ^= 0x02; + (client.ssl).handshake->ecdh_psa_peerkey[0] ^= 0x02; TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl), &(server.ssl), @@ -4634,10 +4634,10 @@ void raw_key_agreement_fail( ) exit: mbedtls_endpoint_free( &client, &client_context ); mbedtls_endpoint_free( &server, &server_context ); - + mbedtls_psa_get_stats( &stats ); TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); - + USE_PSA_DONE( ); } /* END_CASE */ From 86029e04b415806c6d2d7ff05cde4337dedf94a4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 15 Apr 2022 06:50:56 -0400 Subject: [PATCH 07/12] Remove RSA & DTLS dependency in raw key agreement test Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 36 ++++++---------------------- 1 file changed, 7 insertions(+), 29 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d540c594b..9be76f045 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
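Review bot: The new flip `ecdh_psa_peerkey[0] ^= 0x02` turns the 0x04 prefix into 0x06, but the comment above it still only says "simulated bitflip" and does not state what the test now relies on. The failure depends on the key import rejecting any leading byte other than 0x04; a parser that also accepted the X9.62 hybrid marker would not fail on the prefix alone. I would say so at the flip, e.g. `/* Byte 0 is the 0x04 uncompressed-point marker; corrupt it so the peer key is rejected. */`. The stray full stop in "server key. to make" could be fixed at the same time.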
@@ -4556,7 +4556,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CTR_DRBG_C:MBEDTLS_ECP_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CTR_DRBG_C:MBEDTLS_ECP_C:MBEDTLS_ECDSA_C */ void raw_key_agreement_fail( ) { enum { BUFFSIZE = 17000 }; @@ -4564,18 +4564,8 @@ void raw_key_agreement_fail( ) mbedtls_psa_stats_t stats; size_t free_slots_before = -1; -#if defined(MBEDTLS_TIMING_C) - mbedtls_timing_delay_context timer_client, timer_server; -#endif mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP256R1, MBEDTLS_ECP_DP_NONE }; - - mbedtls_test_message_queue server_queue, client_queue; - mbedtls_test_message_socket_context server_context, client_context; - - mbedtls_message_socket_init( &server_context ); - mbedtls_message_socket_init( &client_context ); - USE_PSA_INIT( ); /* Client side, force SECP256R1 to make one key bitflip fail 
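Review bot: The updated depends_on line still lists `MBEDTLS_RSA_C` and `MBEDTLS_PKCS1_V15`, although the commit title says the RSA dependency is removed and both endpoints switch to MBEDTLS_PK_ECDSA later in this commit. Only the duplicate MBEDTLS_RSA_C and MBEDTLS_SSL_PROTO_DTLS actually went away. If RSA is still required, for instance by the certificates the endpoint helper loads (not visible here), a short comment next to the BEGIN_CASE line should say so. Otherwise drop both entries so the test also runs in configurations built without RSA.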
@@ -4583,25 +4573,13 @@ void raw_key_agreement_fail( ) * curve (as opposed to a Montgomery curve) has a high chance of * making it invalid. */ TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_PK_RSA, &client_context, - &client_queue, - &server_queue, curve_list ) == 0 ); -#if defined(MBEDTLS_TIMING_C) - mbedtls_ssl_set_timer_cb( &client.ssl, &timer_client, - mbedtls_timing_set_delay, - mbedtls_timing_get_delay ); -#endif + MBEDTLS_PK_ECDSA, NULL, NULL, + NULL, curve_list ) == 0 ); /* Server side */ TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, - MBEDTLS_PK_RSA, &server_context, - &server_queue, - &client_queue, NULL ) == 0 ); -#if defined(MBEDTLS_TIMING_C) - mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server, - mbedtls_timing_set_delay, - mbedtls_timing_get_delay ); -#endif + MBEDTLS_PK_ECDSA, NULL, NULL, + NULL, NULL ) == 0 ); TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket), &(server.socket), @@ -4632,8 +4610,8 @@ void raw_key_agreement_fail( ) TEST_ASSERT( free_slots_before == stats.empty_slots ); exit: - mbedtls_endpoint_free( &client, &client_context ); - mbedtls_endpoint_free( &server, &server_context ); + mbedtls_endpoint_free( &client, NULL ); + mbedtls_endpoint_free( &server, NULL ); mbedtls_psa_get_stats( &stats ); TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); From 703a88916b211b89b266368a535453bd4d2258ee Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 7 Apr 2022 20:43:05 +0200 Subject: [PATCH 08/12] Remove redundant empty slot count check USE_PSA_DONE() already checks that there are no used key slots. The call to TEST_ASSERT() wouldn't have worked properly on failure anyway, since it would jump back to the exit label. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 9be76f045..9378f2f6c 100644 
--- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4613,9 +4613,6 @@ exit: mbedtls_endpoint_free( &client, NULL ); mbedtls_endpoint_free( &server, NULL ); - mbedtls_psa_get_stats( &stats ); - TEST_ASSERT( stats.empty_slots == MBEDTLS_PSA_KEY_SLOT_COUNT ); - USE_PSA_DONE( ); } /* END_CASE */ From 6dd489cb15d29219c7793ad57c9de11193d30503 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 15 Apr 2022 05:54:40 -0400 Subject: [PATCH 09/12] raw_key_agreement_fail: Add a nominal run Ensure that the nominal run works properly, so that it's apparent that the injected failure is responsible for the failure of the handshake. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_ssl.data | 7 +++++-- tests/suites/test_suite_ssl.function | 25 +++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 15d9c5f85..cc88d90da 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10684,5 +10684,8 @@ ssl_cf_memcpy_offset:0:255:32 Constant-flow memcpy from offset: large ssl_cf_memcpy_offset:100:339:48 -Raw key agreement fail -raw_key_agreement_fail: +Raw key agreement: nominal +raw_key_agreement_fail:0 + +Raw key agreement: bad server key +raw_key_agreement_fail:1 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 9378f2f6c..d6ce82a52 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -4557,7 +4557,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CTR_DRBG_C:MBEDTLS_ECP_C:MBEDTLS_ECDSA_C */ -void raw_key_agreement_fail( ) +void raw_key_agreement_fail( int bad_server_ecdhe_key ) { enum { BUFFSIZE = 17000 }; mbedtls_endpoint client, server; @@ -4595,19 +4595,24 @@ void raw_key_agreement_fail( ) * With PSA, one can be used for the ECDH private key. */ free_slots_before = stats.empty_slots; - /* Force a simulated bitflip in the server key. to make the - * raw key agreement in ssl_write_client_key_exchange fail. */ - (client.ssl).handshake->ecdh_psa_peerkey[0] ^= 0x02; + if( bad_server_ecdhe_key ) + { + /* Force a simulated bitflip in the server key. to make the + * raw key agreement in ssl_write_client_key_exchange fail. */ + (client.ssl).handshake->ecdh_psa_peerkey[0] ^= 0x02; + } - TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl), - &(server.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER ) - != 0 ); + TEST_EQUAL( mbedtls_move_handshake_to_state( &(client.ssl), + &(server.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER ), + bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0 ); mbedtls_psa_get_stats( &stats ); - /* Make sure that the key slot is destroyed properly in case of failure. */ - TEST_ASSERT( free_slots_before == stats.empty_slots ); + /* Make sure that the key slot is already destroyed in case of failure, + * without waiting to close the connection. */ + if( bad_server_ecdhe_key ) + TEST_EQUAL( free_slots_before, stats.empty_slots ); exit: mbedtls_endpoint_free( &client, NULL ); From ee9488d3f01969143772726b816018befd0ee21e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 15 Apr 2022 06:51:56 -0400 Subject: [PATCH 10/12] Prefer TEST_EQUAL over TEST_ASSERT in test suites 
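Review bot: The expectation `bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0` pins an error code whose link to a corrupted peer key is not obvious, and nothing in the hunk explains it. Presumably it is what the client returns when the PSA raw key agreement rejects the key. Once confirmed, a comment such as `/* a rejected peer key surfaces as HW_ACCEL_FAILED from the PSA key agreement path */` would stop a reader from taking it for a hardware fault. The name raw_key_agreement_fail now also covers the nominal run, which is worth a mention in the function's header comment.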
Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d6ce82a52..cea935783 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4572,23 +4572,23 @@ void raw_key_agreement_fail( int bad_server_ecdhe_key ) * the raw key agreement. Flipping one bit with a Weierstrass * curve (as opposed to a Montgomery curve) has a high chance of * making it invalid. */ - TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, + TEST_EQUAL( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_PK_ECDSA, NULL, NULL, - NULL, curve_list ) == 0 ); + NULL, curve_list ), 0 ); /* Server side */ - TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, + TEST_EQUAL( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, MBEDTLS_PK_ECDSA, NULL, NULL, - NULL, NULL ) == 0 ); + NULL, NULL ), 0 ); - TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket), + TEST_EQUAL( mbedtls_mock_socket_connect( &(client.socket), &(server.socket), - BUFFSIZE ) == 0 ); + BUFFSIZE ), 0 ); - TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl), + TEST_EQUAL( mbedtls_move_handshake_to_state( &(client.ssl), &(server.ssl), MBEDTLS_SSL_CLIENT_KEY_EXCHANGE ) - == 0 ); + , 0 ); mbedtls_psa_get_stats( &stats ); /* Save the number of slots in use up to this point. From 9cb14d4ce24c56403bcc3956f2bbf59eebc8051c Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 14 Apr 2022 08:51:41 -0400 Subject: [PATCH 11/12] tests: fix bitflip comment Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index cea935783..ca88b98b7 100644 --- a/tests/suites/test_suite_ssl.function 
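Review bot: The last converted call leaves the expected value on a line of its own with a leading comma (`, 0 );` after `MBEDTLS_SSL_CLIENT_KEY_EXCHANGE )`), unlike the three conversions above it. Moving it to the preceding line, `MBEDTLS_SSL_CLIENT_KEY_EXCHANGE ), 0 );`, keeps the four calls uniform. If the continuation lines are still aligned to the old `TEST_ASSERT(` column, re-indent them to the shorter `TEST_EQUAL(` opener.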
+++ b/tests/suites/test_suite_ssl.function @@ -4569,9 +4569,8 @@ void raw_key_agreement_fail( int bad_server_ecdhe_key ) USE_PSA_INIT( ); /* Client side, force SECP256R1 to make one key bitflip fail - * the raw key agreement. Flipping one bit with a Weierstrass - * curve (as opposed to a Montgomery curve) has a high chance of - * making it invalid. */ + * the raw key agreement. Flipping the first byte makes the + * required 0x04 identifier invalid. */ TEST_EQUAL( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_PK_ECDSA, NULL, NULL, NULL, curve_list ), 0 ); From 96bf3d13f367721031f1b1fabd55d652d27b241b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 15 Apr 2022 07:35:16 -0400 Subject: [PATCH 12/12] Add missing MBEDTLS_ECP_C dependency Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ca88b98b7..09a2df298 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -937,8 +937,12 @@ int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg, MBEDTLS_SSL_PRESET_DEFAULT ); TEST_ASSERT( ret == 0 ); +#if defined(MBEDTLS_ECP_C) if( curves != NULL ) mbedtls_ssl_conf_curves( &(ep->conf), curves ); +#else + (void) curves; +#endif ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) ); TEST_ASSERT( ret == 0 );
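Review bot: With MBEDTLS_ECP_C disabled, the new `#else` branch discards `curves` silently, so a caller that asks for a specific curve gets the default configuration with no signal. A test could then pass or fail for a reason unrelated to the curve it meant to force. The helper already uses TEST_ASSERT, so the fallback can fail loudly: replace `(void) curves;` with `TEST_ASSERT( curves == NULL );`. mbedtls_endpoint_init starts and ends outside this hunk.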