From 7dfe7c9e4a14aa27edc5111bbe88bf0fb488e120 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 20 Sep 2024 18:16:41 +0200 Subject: [PATCH] Remove RSA-PSK test cases The test cases removed by this commit are specific to RSA-PSK, not incidentally using RSA-PSK when testing other features, so there is no loss of test coverage. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 175 +------------------------------ tests/suites/test_suite_ssl.data | 20 ---- 2 files changed, 1 insertion(+), 194 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bf399529be..44cbcd311e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -584,7 +584,7 @@ adapt_cmd_for_psk () { # with a pre-shared key, skip it. If the test looks like it's already using # a pre-shared key, do nothing. # -# This code does not consider builds with ECDHE-PSK or RSA-PSK. +# This code does not consider builds with ECDHE-PSK. # # Inputs: # * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands. @@ -2537,22 +2537,6 @@ run_test "Opaque key for server authentication: DHE-RSA" \ -S "error" \ -C "error" -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_RSA_C -requires_hash_alg SHA_256 -run_test "Opaque key for server authentication: RSA-PSK" \ - "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \ - psk=73776f726466697368 psk_identity=foo" \ - "$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - psk=73776f726466697368 psk_identity=foo" \ - 0 \ - -c "Verifying peer X.509 certificate... ok" \ - -c "Ciphersuite is TLS-RSA-PSK-" \ - -s "key types: Opaque, Opaque" \ - -s "Ciphersuite is TLS-RSA-PSK-" \ - -S "error" \ - -C "error" - requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 @@ -8584,50 +8568,6 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -run_test "PSK callback: opaque rsa-psk on client, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ - "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ - "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - run_test "PSK callback: opaque ecdhe-psk on client, no callback" \ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ @@ -8762,52 +8702,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=73776f726466697368" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=73776f726466697368" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=73776f726466697368 extended_ms=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=73776f726466697368 extended_ms=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ @@ -8946,52 +8840,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=def psk=beef" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=def psk=beef" \ - 0 \ - -C "session hash for extended master secret"\ - -S "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=abc psk=dead extended_ms=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=abc psk=dead extended_ms=1" \ - 0 \ - -c "session hash for extended master secret"\ - -s "session hash for extended master secret"\ - -S "SSL - The handshake negotiation failed" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback" \ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ @@ -9995,27 +9843,6 @@ run_test "SSL async private: decrypt, delay=1" \ -s "Async resume (slot [0-9]): call 0 more times." \ -s "Async resume (slot [0-9]): decrypt done, status=0" -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt RSA-PSK, delay=0" \ - "$P_SRV psk=73776f726466697368 \ - async_operations=d async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI psk=73776f726466697368 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt RSA-PSK, delay=1" \ - "$P_SRV psk=73776f726466697368 \ - async_operations=d async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI psk=73776f726466697368 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): call 0 more times." \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: sign callback not present" \ "$P_SRV \ diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index c522459bf9..8135ef17ad 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -452,26 +452,6 @@ Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad usage depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 -Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, non-opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 - -Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 - -Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - -Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - -Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, no psk -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384