From e53527063b465d4bd546a084dea0ac5917c0f35d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 5 Oct 2022 11:37:54 +0200 Subject: [PATCH 01/15] Add test components for tls 1.2 builds with single encryption type Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 157 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 157 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c0e0d30203b0..935053a80063 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1268,6 +1268,163 @@ component_test_ecp_restartable_no_internal_rng () { # no SSL tests as they all depend on having a DRBG } +component_test_tls1_2_default_stream_cipher_only () { + msg "build: default with only stream cipher" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only stream cipher" + make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. +} + +component_test_tls1_2_default_stream_cipher_only_use_psa () { + msg "build: default with only stream cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only stream cipher use psa" + make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. +} + +component_test_tls1_2_default_cbc_legacy_cipher_only () { + msg "build: default with only CBC-legacy cipher" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only CBC-legacy cipher" + make test + + msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { + msg "build: default with only CBC-legacy cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only CBC-legacy cipher use psa" + make test + + msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers" + make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" + make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + component_test_new_ecdh_context () { msg "build: new ECDH context (ASan build)" # ~ 6 min scripts/config.py unset MBEDTLS_ECDH_LEGACY_CONTEXT From 9450dc7b6fde548885f70d8c477d2c411142d3ee Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:36:12 +0200 Subject: [PATCH 02/15] Fix guards for mbedtls_ct_size_mask() and mbedtls_ct_memcpy_if_eq() Both functions are used when MBEDTLS_SSL_SOME_SUITES_USE_MAC is defined not MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC. Signed-off-by: Przemek Stekiel --- library/constant_time.c | 8 ++++---- library/constant_time_internal.h | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/constant_time.c b/library/constant_time.c index 3cdbac266d07..79c98c7904d0 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -81,7 +81,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ) #endif } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) size_t mbedtls_ct_size_mask( size_t value ) { @@ -97,7 +97,7 @@ size_t mbedtls_ct_size_mask( size_t value ) #endif } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -404,7 +404,7 @@ static void mbedtls_ct_mem_move_to_left( void *start, #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, @@ -527,7 +527,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, return( ret ); } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index a550b38fa587..8874729dba19 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -196,7 +196,7 @@ signed char mbedtls_ct_base64_dec_value( unsigned char c ); #endif /* MBEDTLS_BASE64_C */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /** Conditional memcpy without branches. * @@ -292,7 +292,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, size_t max_data_len, unsigned char *output ); -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) From 864b43d3aaa47b0c8fec328cc0c63ac7e546dc94 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 5 Oct 2022 11:47:29 +0200 Subject: [PATCH 03/15] Fix configuration requirements(MBEDTLS_SSL_CONTEXT_SERIALIZATION, MBEDTLS_SSL_SESSION_TICKETS) Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 9 +++++++++ include/mbedtls/config.h | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index be5c548e5614..816c2119376d 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -926,6 +926,15 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" +#endif + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 1da98022a388..73708bd3bd99 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1620,6 +1620,8 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * * Comment to disable the context serialization APIs. */ #define MBEDTLS_SSL_CONTEXT_SERIALIZATION @@ -1990,6 +1992,8 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * * Comment this macro to disable support for SSL session tickets */ #define MBEDTLS_SSL_SESSION_TICKETS From 249fccafb57c90ce84d672b77b557a598880f51c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:49:21 +0200 Subject: [PATCH 04/15] test_suite_cipher.function: always include aes.h It is done to have MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH macro available (used in tests) Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cipher.function | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 93bff1e024eb..4fe54c0c4049 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1,9 +1,6 @@ /* BEGIN_HEADER */ #include "mbedtls/cipher.h" - -#if defined(MBEDTLS_AES_C) #include "mbedtls/aes.h" -#endif #if defined(MBEDTLS_GCM_C) #include "mbedtls/gcm.h" From b79d0dd1ad1d1c5cce312e5c30ad14a6e00a04dc Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 09:53:20 +0200 Subject: [PATCH 05/15] test_suite_cmac.data: fix bug: use cipher type instead cipher id Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cmac.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_cmac.data b/tests/suites/test_suite_cmac.data index 70b7609e4898..5956a69811b2 100644 --- a/tests/suites/test_suite_cmac.data +++ b/tests/suites/test_suite_cmac.data @@ -22,15 +22,15 @@ mbedtls_cmac_setkey:MBEDTLS_CIPHER_DES_EDE3_ECB:192:0 CMAC init #5 AES-224: bad key size depends_on:MBEDTLS_AES_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC init #6 AES-0: bad key size depends_on:MBEDTLS_AES_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC init #7 Camellia: wrong cipher depends_on:MBEDTLS_CAMELLIA_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_CAMELLIA_192_ECB:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC Single Blocks #1 - Empty block, no updates mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":-1:"":-1:"":-1:"":-1:"bb1d6929e95937287fa37d129b756746" From 169554c68fa66edbe53ed8441762d90888905ccf Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 6 Oct 2022 10:53:20 +0200 Subject: [PATCH 06/15] Adapt macro names: MBEDTLS_SSL_SOME_SUITES_USE_MAC->MBEDTLS_SSL_SOME_MODES_USE_MAC Signed-off-by: Przemek Stekiel --- library/constant_time.c | 9 ++++----- library/constant_time_internal.h | 5 ++--- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/library/constant_time.c b/library/constant_time.c index 79c98c7904d0..2401b0434ad9 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -81,7 +81,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ) #endif } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) size_t mbedtls_ct_size_mask( size_t value ) { @@ -97,7 +97,7 @@ size_t mbedtls_ct_size_mask( size_t value ) #endif } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -404,8 +404,7 @@ static void mbedtls_ct_mem_move_to_left( void *start, #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) - +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, size_t len, @@ -527,7 +526,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, return( ret ); } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index 8874729dba19..6725ac1c7b28 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -32,7 +32,6 @@ #include - /** Turn a value into a mask: * - if \p value == 0, return the all-bits 0 mask, aka 0 * - otherwise, return the all-bits 1 mask, aka (unsigned) -1 @@ -196,7 +195,7 @@ signed char mbedtls_ct_base64_dec_value( unsigned char c ); #endif /* MBEDTLS_BASE64_C */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) /** Conditional memcpy without branches. * @@ -292,7 +291,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, size_t max_data_len, unsigned char *output ); -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) From 2b038806284cf1c214877861f08ddcd722e934b6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 6 Oct 2022 12:08:25 +0200 Subject: [PATCH 07/15] Enable Key Wrapping mode for 128-bit block ciphers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is done to make configuration consistent with upstream and get rid of warnings. ssl_ticket.c:254:17: warning: implicit declaration of function ‘mbedtls_cipher_auth_encrypt_ext’ Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 935053a80063..dcb42e344daf 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1284,6 +1284,8 @@ component_test_tls1_2_default_stream_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1310,6 +1312,8 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1335,6 +1339,8 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1362,6 +1368,8 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1388,6 +1396,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1415,6 +1425,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + # Enable Key Wrapping mode for 128-bit block ciphers + scripts/config.py set MBEDTLS_NIST_KW_C make From 802353c8071ca5a1604bdba45806d59dd48e4728 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 6 Oct 2022 12:10:53 +0200 Subject: [PATCH 08/15] Add MBEDTLS_CIPHER_MODE_AEAD dependency to auth_crypt_tv() test function Test calls functions that require MBEDTLS_CIPHER_MODE_AEAD. Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cipher.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 4fe54c0c4049..a87b12b0cef5 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -10,7 +10,7 @@ #define MBEDTLS_CIPHER_AUTH_CRYPT #endif -#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) +#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) && defined(MBEDTLS_CIPHER_MODE_AEAD) /* Helper for resetting key/direction * * The documentation doesn't explicitly say whether calling @@ -1132,7 +1132,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */ +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT:MBEDTLS_CIPHER_MODE_AEAD */ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, data_t * ad, data_t * cipher, data_t * tag, char * result, data_t * clear, int use_psa ) From efc894bf540e6ef5445976e3ebc42dd8801002ee Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 6 Oct 2022 12:15:21 +0200 Subject: [PATCH 09/15] Add GCM dependency to "Per-version suites: TLS 1.2" Test was failing with error: unknown ciphersuite: 'TLS-RSA-WITH-AES-128-GCM-SHA256' Signed-off-by: Przemek Stekiel --- tests/ssl-opt.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 75ba4b7eadd6..fbf3bf7b8e31 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6595,6 +6595,7 @@ run_test "Per-version suites: TLS 1.1" \ requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C +requires_config_enabled MBEDTLS_GCM_C run_test "Per-version suites: TLS 1.2" \ "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=tls12" \ From 0a48eaebc6d8b8632eeab6d210059714c457fae4 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 5 Oct 2022 09:46:35 +0200 Subject: [PATCH 10/15] Add changelog entry: tls 1.2 builds with single encryption type Signed-off-by: Przemek Stekiel --- ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt new file mode 100644 index 000000000000..d24f32c28475 --- /dev/null +++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix bugs to enable TLS 1.2 builds with + single encryption type + tests From 1834a2e985870d93a435ae9ef0f6b11484efb64e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 11:41:30 +0200 Subject: [PATCH 11/15] Reword change log entry Signed-off-by: Przemek Stekiel --- ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt index d24f32c28475..bac4910264ba 100644 --- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt +++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt @@ -1,3 +1,4 @@ Bugfix - * Fix bugs to enable TLS 1.2 builds with - single encryption type + tests + * Fix bugs and missing dependencies when + building and testing configurations with + only one encryption type enabled in TLS 1.2. From 97d5740b7a5b25f1279e01312873c5c4568c2807 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 14:08:51 +0200 Subject: [PATCH 12/15] Fix MBEDTLS_SSL_TICKET_C, MBEDTLS_SSL_SESSION_TICKETS dependencies Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 10 +++++----- include/mbedtls/config.h | 5 ++--- tests/scripts/all.sh | 12 ++++++------ 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 816c2119376d..40f92536b4f3 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -812,6 +812,11 @@ #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TICKET_C) && \ + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \ !defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1) #error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites" @@ -926,11 +931,6 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) -#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" #endif diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 73708bd3bd99..e0b442afaf9c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1992,8 +1992,6 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C - * * Comment this macro to disable support for SSL session tickets */ #define MBEDTLS_SSL_SESSION_TICKETS @@ -3404,7 +3402,8 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_CIPHER_C + * Requires: MBEDTLS_CIPHER_C && + * ( MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C ) */ #define MBEDTLS_SSL_TICKET_C diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index dcb42e344daf..6d3dc8d89e7b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1283,7 +1283,7 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C @@ -1311,7 +1311,7 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C @@ -1338,7 +1338,7 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C @@ -1367,7 +1367,7 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C @@ -1395,7 +1395,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C @@ -1424,7 +1424,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C # Enable Key Wrapping mode for 128-bit block ciphers scripts/config.py set MBEDTLS_NIST_KW_C From 7aca4e44fe395e880e2603a2ad8d8311913c65ee Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 14:14:13 +0200 Subject: [PATCH 13/15] Fix session tickets related build flags in fuzz_server and ssl_server2 Signed-off-by: Przemek Stekiel --- programs/fuzz/fuzz_server.c | 8 ++++---- programs/ssl/ssl_server2.c | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 014f386efe4d..062df4301505 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -40,7 +40,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_ssl_config conf; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_entropy_context entropy; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_context ticket_ctx; #endif unsigned char buf[4096]; @@ -80,7 +80,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_ssl_config_init( &conf ); mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init( &ticket_ctx ); #endif @@ -110,7 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ); } #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) if( options & 0x4 ) { if( mbedtls_ssl_ticket_setup( &ticket_ctx, @@ -172,7 +172,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { } exit: -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free( &ticket_ctx ); #endif mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 6169a377497f..48f50c568b4b 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -277,13 +277,13 @@ int main( void ) #else #define USAGE_CA_CALLBACK "" #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) #define USAGE_TICKETS \ " tickets=%%d default: 1 (enabled)\n" \ " ticket_timeout=%%d default: 86400 (one day)\n" #else #define USAGE_TICKETS "" -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) #define USAGE_EAP_TLS \ @@ -1335,7 +1335,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context cache; #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_context ticket_ctx; #endif #if defined(SNI_OPTION) @@ -1423,7 +1423,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init( &ticket_ctx ); #endif #if defined(MBEDTLS_SSL_ALPN) @@ -2776,7 +2776,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cache_set ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED ) { if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, @@ -4007,7 +4007,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free( &ticket_ctx ); #endif #if defined(MBEDTLS_SSL_COOKIE_C) From fa6094185e0f3340d72ad1060537c125c990fc8c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 14:34:09 +0200 Subject: [PATCH 14/15] Revert: Enable Key Wrapping mode for 128-bit block ciphers Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6d3dc8d89e7b..12e3efa9d327 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1284,8 +1284,6 @@ component_test_tls1_2_default_stream_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1312,8 +1310,6 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1339,8 +1335,6 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1368,8 +1362,6 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1396,8 +1388,6 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make @@ -1425,8 +1415,6 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Enable Key Wrapping mode for 128-bit block ciphers - scripts/config.py set MBEDTLS_NIST_KW_C make From 0d72141eadf3481f9a1478a7eda6c510d3e9e2b5 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 14:41:13 +0200 Subject: [PATCH 15/15] Revert "Add MBEDTLS_CIPHER_MODE_AEAD dependency to auth_crypt_tv() test function" This reverts commit 802353c8071ca5a1604bdba45806d59dd48e4728. Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cipher.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index a87b12b0cef5..4fe54c0c4049 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -10,7 +10,7 @@ #define MBEDTLS_CIPHER_AUTH_CRYPT #endif -#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) && defined(MBEDTLS_CIPHER_MODE_AEAD) +#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) /* Helper for resetting key/direction * * The documentation doesn't explicitly say whether calling @@ -1132,7 +1132,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT:MBEDTLS_CIPHER_MODE_AEAD */ +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, data_t * ad, data_t * cipher, data_t * tag, char * result, data_t * clear, int use_psa )