calc_verify is only called in some configurations
If MBEDTLS_SSL_EXTENDED_MASTER_SECRET is disabled or the feature is disabled
at runtime, and if client authentication is not used, then calc_verify is not
called, so don't require the corresponding debug trace.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d7f4b71..77f529c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -803,6 +803,38 @@
esac
}
+# Determine what calc_verify trace is to be expected, if any.
+#
+# calc_verify is only called for two things: to calculate the
+# extended master secret, and to process client authentication.
+#
+# Warning: the current implementation assumes that extended_ms is not
+# disabled on the client or on the server.
+#
+# Inputs:
+# * $1: 'required' or 1 if client authentication is expected,
+# 'none' or 0 or absent if not.
+# * $CONFIGS_ENABLED
+#
+# Outputs:
+# * $maybe_calc_verify: set to a trace expected in the debug logs
+set_maybe_calc_verify() {
+ maybe_calc_verify=
+ case $CONFIGS_ENABLED in
+ *\ MBEDTLS_SSL_EXTENDED_MASTER_SECRET\ *) :;;
+ *)
+ case ${1-} in
+ ''|0|none) return;;
+ 1|required) :;;
+ *) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;;
+ esac
+ esac
+ case $CONFIGS_ENABLED in
+ *\ MBEDTLS_USE_PSA_CRYPTO\ *) maybe_calc_verify="PSA calc verify";;
+ *) maybe_calc_verify="<= calc verify";;
+ esac
+}
+
# Compare file content
# Usage: find_in_both pattern file1 file2
# extract from file1 the first line matching the pattern
@@ -1191,17 +1223,18 @@
run_test_psa() {
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+ set_maybe_calc_verify none
run_test "PSA-supported ciphersuite: $1" \
"$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3 force_version=tls12 force_ciphersuite=$1" \
0 \
-c "Successfully setup PSA-based decryption cipher context" \
-c "Successfully setup PSA-based encryption cipher context" \
- -c "PSA calc verify" \
+ -c "$maybe_calc_verify" \
-c "calc PSA finished" \
-s "Successfully setup PSA-based decryption cipher context" \
-s "Successfully setup PSA-based encryption cipher context" \
- -s "PSA calc verify" \
+ -s "$maybe_calc_verify" \
-s "calc PSA finished" \
-C "Failed to setup PSA-based cipher context"\
-S "Failed to setup PSA-based cipher context"\
@@ -1210,22 +1243,24 @@
-c "Perform PSA-based computation of digest of ServerKeyExchange" \
-S "error" \
-C "error"
+ unset maybe_calc_verify
}
run_test_psa_force_curve() {
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+ set_maybe_calc_verify none
run_test "PSA - ECDH with $1" \
"$P_SRV debug_level=4 force_version=tls12" \
"$P_CLI debug_level=4 force_version=tls12 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
0 \
-c "Successfully setup PSA-based decryption cipher context" \
-c "Successfully setup PSA-based encryption cipher context" \
- -c "PSA calc verify" \
+ -c "$maybe_calc_verify" \
-c "calc PSA finished" \
-s "Successfully setup PSA-based decryption cipher context" \
-s "Successfully setup PSA-based encryption cipher context" \
- -s "PSA calc verify" \
+ -s "$maybe_calc_verify" \
-s "calc PSA finished" \
-C "Failed to setup PSA-based cipher context"\
-S "Failed to setup PSA-based cipher context"\
@@ -1234,6 +1269,7 @@
-c "Perform PSA-based computation of digest of ServerKeyExchange" \
-S "error" \
-C "error"
+ unset maybe_calc_verify
}
# Test that the server's memory usage after a handshake is reduced when a client specifies