From eb342241a57f8ebddf0278416163ae3be2c519e7 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 29 Jan 2019 09:14:33 -0500 Subject: [PATCH 1/5] ssl_tls: use PSA to compute running handshake hash for TLS 1.2 --- include/mbedtls/ssl_internal.h | 12 +++ library/ssl_tls.c | 173 +++++++++++++++++++++++++++++---- 2 files changed, 168 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index fced2cbd7..58f9e3698 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -27,6 +27,10 @@ #include "ssl.h" #include "cipher.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "psa/crypto.h" +#endif + #if defined(MBEDTLS_MD5_C) #include "md5.h" #endif @@ -370,11 +374,19 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_operation_t fin_sha256_psa; +#else mbedtls_sha256_context fin_sha256; #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_operation_t fin_sha512_psa; +#else mbedtls_sha512_context fin_sha512; #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8fe93141f..159291fb6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1347,7 +1347,7 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - mbedtls_md5_finish_ret( &md5, hash ); + mbedtls_md5_finish_ret( &md5, hash ); mbedtls_sha1_finish_ret( &sha1, hash + 16 ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); @@ -1364,6 +1364,28 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) #if defined(MBEDTLS_SHA256_C) void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_status_t status; + psa_hash_operation_t sha256_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); +#else mbedtls_sha256_context sha256; mbedtls_sha256_init( &sha256 ); @@ -1377,7 +1399,7 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); mbedtls_sha256_free( &sha256 ); - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } #endif /* MBEDTLS_SHA256_C */ @@ -1385,6 +1407,28 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32 #if defined(MBEDTLS_SHA512_C) void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_status_t status; + psa_hash_operation_t sha512_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha512_psa, &sha512_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha512_psa, hash, 48, &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); +#else mbedtls_sha512_context sha512; mbedtls_sha512_init( &sha512 ); @@ -1398,7 +1442,7 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); mbedtls_sha512_free( &sha512 ); - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } #endif /* MBEDTLS_SHA512_C */ @@ -6169,11 +6213,19 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); +#else mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_setup( &ssl->handshake->fin_sha512_psa, PSA_ALG_SHA_384 ); +#else mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } @@ -6187,11 +6239,19 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); +#else mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha512_psa, buf, len ); +#else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } @@ -6210,7 +6270,11 @@ static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); +#else mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); +#endif } #endif @@ -6218,7 +6282,11 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha512_psa, buf, len ); +#else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); +#endif } #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ @@ -6374,13 +6442,44 @@ static void ssl_calc_finished_tls_sha256( { int len = 12; const char *sender; - mbedtls_sha256_context sha256; unsigned char padbuf[32]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_hash_operation_t sha256_psa; + psa_status_t status; +#else + mbedtls_sha256_context sha256; +#endif mbedtls_ssl_session *session = ssl->session_negotiate; if( !session ) session = ssl->session; + sender = ( from == MBEDTLS_SSL_IS_CLIENT ) + ? "client finished" + : "server finished"; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + sha256_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) ); + + status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 ); +#else + mbedtls_sha256_init( &sha256 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); @@ -6398,19 +6497,15 @@ static void ssl_calc_finished_tls_sha256( sha256.state, sizeof( sha256.state ) ); #endif - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - mbedtls_sha256_finish_ret( &sha256, padbuf ); + mbedtls_sha256_free( &sha256 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 32, buf, len ); MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - mbedtls_sha256_free( &sha256 ); - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); @@ -6423,13 +6518,43 @@ static void ssl_calc_finished_tls_sha384( { int len = 12; const char *sender; - mbedtls_sha512_context sha512; unsigned char padbuf[48]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_hash_operation_t sha512_psa; + psa_status_t status; +#else + mbedtls_sha512_context sha512; +#endif mbedtls_ssl_session *session = ssl->session_negotiate; if( !session ) session = ssl->session; + sender = ( from == MBEDTLS_SSL_IS_CLIENT ) + ? "client finished" + : "server finished"; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + sha512_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) ); + + status = psa_hash_clone( &ssl->handshake->fin_sha512_psa, &sha512_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha512_psa, padbuf, sizeof( padbuf ), &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 ); +#else mbedtls_sha512_init( &sha512 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); @@ -6447,19 +6572,15 @@ static void ssl_calc_finished_tls_sha384( sha512.state, sizeof( sha512.state ) ); #endif - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - mbedtls_sha512_finish_ret( &sha512, padbuf ); + mbedtls_sha512_free( &sha512 ); +#endif ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 48, buf, len ); MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - mbedtls_sha512_free( &sha512 ); - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); @@ -6770,13 +6891,23 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->fin_sha256_psa = psa_hash_operation_init(); + psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); +#else mbedtls_sha256_init( &handshake->fin_sha256 ); mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->fin_sha512_psa = psa_hash_operation_init(); + psa_hash_setup( &handshake->fin_sha512_psa, PSA_ALG_SHA_384 ); +#else mbedtls_sha512_init( &handshake->fin_sha512 ); mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ handshake->update_checksum = ssl_update_checksum_start; @@ -9079,11 +9210,19 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &handshake->fin_sha256_psa ); +#else mbedtls_sha256_free( &handshake->fin_sha256 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &handshake->fin_sha512_psa ); +#else mbedtls_sha512_free( &handshake->fin_sha512 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_DHM_C) From 972fba51ed382be9c5f0c672999bac20a73d7749 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 30 Jan 2019 03:29:12 -0500 Subject: [PATCH 2/5] ssl_tls: rename sha_512_psa to sha_384_psa --- include/mbedtls/ssl_internal.h | 2 +- library/ssl_tls.c | 26 +++++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 58f9e3698..d9f98021d 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -382,7 +382,7 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_operation_t fin_sha512_psa; + psa_hash_operation_t fin_sha384_psa; #else mbedtls_sha512_context fin_sha512; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 159291fb6..c34ab624b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1410,17 +1410,17 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48 #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t hash_size; psa_status_t status; - psa_hash_operation_t sha512_psa = psa_hash_operation_init(); + psa_hash_operation_t sha384_psa = psa_hash_operation_init(); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) ); - status = psa_hash_clone( &ssl->handshake->fin_sha512_psa, &sha512_psa ); + status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); if( status != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); return; } - status = psa_hash_finish( &sha512_psa, hash, 48, &hash_size ); + status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size ); if( status != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); @@ -6221,7 +6221,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_setup( &ssl->handshake->fin_sha512_psa, PSA_ALG_SHA_384 ); + psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); #endif @@ -6247,7 +6247,7 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update( &ssl->handshake->fin_sha512_psa, buf, len ); + psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); #else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); #endif @@ -6283,7 +6283,7 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update( &ssl->handshake->fin_sha512_psa, buf, len ); + psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); #else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); #endif @@ -6521,7 +6521,7 @@ static void ssl_calc_finished_tls_sha384( unsigned char padbuf[48]; #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t hash_size; - psa_hash_operation_t sha512_psa; + psa_hash_operation_t sha384_psa; psa_status_t status; #else mbedtls_sha512_context sha512; @@ -6536,18 +6536,18 @@ static void ssl_calc_finished_tls_sha384( : "server finished"; #if defined(MBEDTLS_USE_PSA_CRYPTO) - sha512_psa = psa_hash_operation_init(); + sha384_psa = psa_hash_operation_init(); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) ); - status = psa_hash_clone( &ssl->handshake->fin_sha512_psa, &sha512_psa ); + status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); if( status != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); return; } - status = psa_hash_finish( &sha512_psa, padbuf, sizeof( padbuf ), &hash_size ); + status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size ); if( status != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); @@ -6901,8 +6901,8 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) - handshake->fin_sha512_psa = psa_hash_operation_init(); - psa_hash_setup( &handshake->fin_sha512_psa, PSA_ALG_SHA_384 ); + handshake->fin_sha384_psa = psa_hash_operation_init(); + psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else mbedtls_sha512_init( &handshake->fin_sha512 ); mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 ); @@ -9218,7 +9218,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort( &handshake->fin_sha512_psa ); + psa_hash_abort( &handshake->fin_sha384_psa ); #else mbedtls_sha512_free( &handshake->fin_sha512 ); #endif From 2ad229725cf22ec118e2369c7dd453a9dce20d40 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 30 Jan 2019 03:32:12 -0500 Subject: [PATCH 3/5] ssl_tls: add psa_hash_abort when reseting checksum --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c34ab624b..0cfeb0930 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6214,6 +6214,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha256_psa ); psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); #else mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 ); @@ -6221,6 +6222,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha384_psa ); psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); From 683d77e836378f48f3afff5c445f98e5566326e0 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 30 Jan 2019 03:50:42 -0500 Subject: [PATCH 4/5] ssl_opt: check client and server output for PSA calc verify in PSA tests Increase debug level to 2 in PSA tests and check for "PSA calc verify" to ensure that the PSA code is being run. --- tests/ssl-opt.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2ccecc4b1..9b35c3220 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -755,13 +755,15 @@ run_test() { run_test_psa() { requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA-supported ciphersuite: $1" \ - "$P_SRV debug_level=1 force_version=tls1_2" \ - "$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \ + "$P_SRV debug_level=2 force_version=tls1_2" \ + "$P_CLI debug_level=2 force_version=tls1_2 force_ciphersuite=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ + -c "PSA calc verify" \ -s "Successfully setup PSA-based decryption cipher context" \ -s "Successfully setup PSA-based encryption cipher context" \ + -s "PSA calc verify" \ -C "Failed to setup PSA-based cipher context"\ -S "Failed to setup PSA-based cipher context"\ -s "Protocol is TLSv1.2" \ From 92dd4d0307b3ed3de7226f57e6721da69280c4b4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 30 Jan 2019 04:10:19 -0500 Subject: [PATCH 5/5] ssl-opt.sh: add a test for "calc PSA finished" log to the PSA tests --- tests/ssl-opt.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9b35c3220..42ffa1041 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -761,9 +761,11 @@ run_test_psa() { -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ -c "PSA calc verify" \ + -c "calc PSA finished" \ -s "Successfully setup PSA-based decryption cipher context" \ -s "Successfully setup PSA-based encryption cipher context" \ -s "PSA calc verify" \ + -s "calc PSA finished" \ -C "Failed to setup PSA-based cipher context"\ -S "Failed to setup PSA-based cipher context"\ -s "Protocol is TLSv1.2" \