From a6f1d18afe621cfed0694249e226fd365fcf36f9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 15 Nov 2018 13:06:09 +0000 Subject: [PATCH] Automatically allocate opaque PSK key slots in ssl_{client/server}2 Previously, command line arguments `psk_slot` and `psk_list_slot` could be used to indicate the PSA key slots that the example applications should use to store the PSK(s) provided. This commit changes this approach to use the utility function `mbedtls_psa_get_free_key_slot()` to obtain free key slots from the PSA Crypto implementation automatically, so that users only need to pass boolean flags `psk_opaque` and `psk_list_opaque` on the command line to enable / disable PSA-based opaque PSKs. --- programs/ssl/ssl_client2.c | 37 +++++++++------ programs/ssl/ssl_server2.c | 94 ++++++++++++++++++++++---------------- tests/ssl-opt.sh | 34 +++++++------- 3 files changed, 93 insertions(+), 72 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 61dd50ebf..1bf6e2f0c 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -61,6 +61,7 @@ int main( void ) #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" +#include "mbedtls/psa_util.h" #endif #include @@ -85,7 +86,7 @@ int main( void ) #define DFL_CRT_FILE "" #define DFL_KEY_FILE "" #define DFL_PSK "" -#define DFL_PSK_SLOT 0 +#define DFL_PSK_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" #define DFL_ECJPAKE_PW NULL #define DFL_EC_MAX_OPS -1 @@ -145,8 +146,9 @@ int main( void ) " psk_identity=%%s default: \"Client_identity\"\n" #if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ - " psk_slot=%%d default: 0\n" \ - " An empty key slot identifier to be used to hold the PSK.\n" \ + " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ + " Enable this to store the PSK configured through command line\n" \ + " parameter `psk` in a PSA-based key slot.\n" \ " Note: Currently only supported in conjunction with\n" \ " the use of min_version to force TLS 1.2 and force_ciphersuite \n" \ " to force a particular PSK-only ciphersuite.\n" \ @@ -353,7 +355,7 @@ struct options const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - int psk_slot; + int psk_opaque; #endif const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ @@ -651,7 +653,7 @@ int main( int argc, char *argv[] ) opt.key_file = DFL_KEY_FILE; opt.psk = DFL_PSK; #if defined(MBEDTLS_USE_PSA_CRYPTO) - opt.psk_slot = DFL_PSK_SLOT; + opt.psk_opaque = DFL_PSK_OPAQUE; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; @@ -754,8 +756,8 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; #if defined(MBEDTLS_USE_PSA_CRYPTO) - else if( strcmp( p, "psk_slot" ) == 0 ) - opt.psk_slot = atoi( q ); + else if( strcmp( p, "psk_opaque" ) == 0 ) + opt.psk_opaque = atoi( q ); #endif else if( strcmp( p, "psk_identity" ) == 0 ) opt.psk_identity = q; @@ -1093,11 +1095,11 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { if( opt.psk == NULL ) { - mbedtls_printf( "psk_slot set but no psk to be imported specified.\n" ); + mbedtls_printf( "psk_opaque set but no psk to be imported specified.\n" ); ret = 2; goto usage; } @@ -1162,7 +1164,7 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { /* Ensure that the chosen ciphersuite is PSK-only; we must know * the ciphersuite in advance to set the correct policy for the @@ -1558,10 +1560,15 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { /* The algorithm has already been determined earlier. */ - slot = (psa_key_slot_t) opt.psk_slot; + status = mbedtls_psa_get_free_key_slot( &slot ); + if( status != PSA_SUCCESS ) + { + ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + goto exit; + } psa_key_policy_init( &policy ); psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg ); @@ -2232,17 +2239,17 @@ exit: #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here * immediately because of bad cmd line params, * for example). */ - status = psa_destroy_key( opt.psk_slot ); + status = psa_destroy_key( slot ); if( status != PSA_SUCCESS ) { mbedtls_printf( "Failed to destroy key slot %u - error was %d", - (unsigned) opt.psk_slot, (int) status ); + (unsigned) slot, (int) status ); if( ret == 0 ) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f4b737faf..534a3f373 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -62,6 +62,7 @@ int main( void ) #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" +#include "mbedtls/psa_util.h" #endif #include @@ -123,8 +124,8 @@ int main( void ) #define DFL_ASYNC_PRIVATE_DELAY2 ( -1 ) #define DFL_ASYNC_PRIVATE_ERROR ( 0 ) #define DFL_PSK "" -#define DFL_PSK_SLOT 0 -#define DFL_PSK_LIST_SLOT 0 +#define DFL_PSK_OPAQUE 0 +#define DFL_PSK_LIST_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" #define DFL_ECJPAKE_PW NULL #define DFL_PSK_LIST NULL @@ -234,20 +235,18 @@ int main( void ) " id1,psk1[,id2,psk2[,...]]\n" #if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ - " psk_slot=%%d default: 0 (don't use key slots)\n" \ - " An empty key slot identifier to be used to hold the static PSK\n" \ - " configured through the psk parameter.\n"\ + " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ + " Enable this to store the PSK configured through command line\n" \ + " parameter `psk` in a PSA-based key slot.\n" \ " Note: Currently only supported in conjunction with\n" \ " the use of min_version to force TLS 1.2 and force_ciphersuite \n" \ " to force a particular PSK-only ciphersuite.\n" \ " Note: This is to test integration of PSA-based opaque PSKs with\n" \ " Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \ " with prepopulated key slots instead of importing raw key material.\n" \ - " psk_list_slot=%%d default: 0 (don't use key slots)\n" \ - " The base of a consecutive list of empty key slot identifiers to be used\n" \ - " to hold the dynamic PSKs configured through the psk_list parameter;\n" \ - " for example, if you specify a list of 3 dynamic PSKs through the psk_list\n"\ - " parameter, then the slots psk_slot, .., psk_slot+3 must be empty.\n" \ + " psk_list_opaque=%%d default: 0 (don't use opaque dynamic PSKs)\n" \ + " Enable this to store the list of dynamically chosen PSKs configured\n" \ + " through the command line parameter `psk_list` in PSA-based key slots.\n" \ " Note: Currently only supported in conjunction with\n" \ " the use of min_version to force TLS 1.2 and force_ciphersuite \n" \ " to force a particular PSK-only ciphersuite.\n" \ @@ -485,8 +484,8 @@ struct options int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - int psk_slot; - int psk_list_slot; + int psk_opaque; + int psk_list_opaque; #endif const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ @@ -871,11 +870,6 @@ psk_entry *psk_parse( char *psk_string ) if( unhexify( new->key, key_hex, &new->key_len ) != 0 ) goto error; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_list_slot != 0 ) - new->slot = opt.psk_list_slot++; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - new->next = cur; cur = new; } @@ -1250,11 +1244,17 @@ static psa_status_t psa_setup_psk_key_slot( psa_key_slot_t slot, status = psa_set_key_policy( slot, &policy ); if( status != PSA_SUCCESS ) + { + fprintf( stderr, "POLICY\n" ); return( status ); + } status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len ); if( status != PSA_SUCCESS ) + { + fprintf( stderr, "IMPORT\n" ); return( status ); + } return( PSA_SUCCESS ); } @@ -1268,6 +1268,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; + psa_key_slot_t psk_slot = 0; #endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -1432,8 +1433,8 @@ int main( int argc, char *argv[] ) opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; #if defined(MBEDTLS_USE_PSA_CRYPTO) - opt.psk_slot = DFL_PSK_SLOT; - opt.psk_list_slot = DFL_PSK_LIST_SLOT; + opt.psk_opaque = DFL_PSK_OPAQUE; + opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; @@ -1564,10 +1565,10 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; #if defined(MBEDTLS_USE_PSA_CRYPTO) - else if( strcmp( p, "psk_slot" ) == 0 ) - opt.psk_slot = atoi( q ); - else if( strcmp( p, "psk_list_slot" ) == 0 ) - opt.psk_list_slot = atoi( q ); + else if( strcmp( p, "psk_opaque" ) == 0 ) + opt.psk_opaque = atoi( q ); + else if( strcmp( p, "psk_list_opaque" ) == 0 ) + opt.psk_list_opaque = atoi( q ); #endif else if( strcmp( p, "psk_identity" ) == 0 ) opt.psk_identity = q; @@ -1879,11 +1880,11 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { if( strlen( opt.psk ) == 0 ) { - mbedtls_printf( "psk_slot set but no psk to be imported specified.\n" ); + mbedtls_printf( "psk_opaque set but no psk to be imported specified.\n" ); ret = 2; goto usage; } @@ -1896,7 +1897,7 @@ int main( int argc, char *argv[] ) } } - if( opt.psk_list_slot != 0 ) + if( opt.psk_list_opaque != 0 ) { if( opt.psk_list == NULL ) { @@ -1965,7 +1966,7 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 || opt.psk_list_slot != 0 ) + if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 ) { /* Ensure that the chosen ciphersuite is PSK-only; we must know * the ciphersuite in advance to set the correct policy for the @@ -2664,20 +2665,27 @@ int main( int argc, char *argv[] ) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { - /* The algorithm has already been determined earlier. */ - status = psa_setup_psk_key_slot( opt.psk_slot, alg, - psk, psk_len ); + status = mbedtls_psa_get_free_key_slot( &psk_slot ); if( status != PSA_SUCCESS ) { + fprintf( stderr, "ALLOC FAIL\n" ); ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } - if( ( ret = mbedtls_ssl_conf_psk_opaque( &conf, opt.psk_slot, - (const unsigned char *) opt.psk_identity, - strlen( opt.psk_identity ) ) ) != 0 ) + /* The algorithm has already been determined earlier. */ + status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len ); + if( status != PSA_SUCCESS ) + { + fprintf( stderr, "SETUP FAIL\n" ); + ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + goto exit; + } + if( ( ret = mbedtls_ssl_conf_psk_opaque( &conf, psk_slot, + (const unsigned char *) opt.psk_identity, + strlen( opt.psk_identity ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_psk_opaque returned %d\n\n", ret ); @@ -2698,24 +2706,30 @@ int main( int argc, char *argv[] ) if( opt.psk_list != NULL ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_list_slot != 0 ) + if( opt.psk_list_opaque != 0 ) { psk_entry *cur_psk; for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next ) { - fprintf( stderr, "REGISTER KEY SLOT %d\n", (int) cur_psk->slot ); + status = mbedtls_psa_get_free_key_slot( &cur_psk->slot ); + if( status != PSA_SUCCESS ) + { + ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + goto exit; + } + status = psa_setup_psk_key_slot( cur_psk->slot, alg, cur_psk->key, cur_psk->key_len ); if( status != PSA_SUCCESS ) { - fprintf( stderr, "REGISTER KEY SLOT\n" ); ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } } } #endif /* MBEDTLS_USE_PSA_CRYPTO */ + mbedtls_ssl_conf_psk_cb( &conf, psk_callback, psk_info ); } #endif @@ -3355,17 +3369,17 @@ exit: #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.psk_slot != 0 ) + if( opt.psk_opaque != 0 ) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here * immediately because of bad cmd line params, * for example). */ - status = psa_destroy_key( opt.psk_slot ); + status = psa_destroy_key( psk_slot ); if( status != PSA_SUCCESS ) { mbedtls_printf( "Failed to destroy key slot %u - error was %d", - (unsigned) opt.psk_slot, (int) status ); + (unsigned) psk_slot, (int) status ); } } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED && diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 45b2e207f..129b91c08 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3834,7 +3834,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback" \ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_slot=1" \ + psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ -S "skip PMS generation for opaque PSK"\ @@ -3848,7 +3848,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_slot=1" \ + psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ -S "skip PMS generation for opaque PSK"\ @@ -3862,7 +3862,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, EMS" \ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_slot=1" \ + psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ -S "skip PMS generation for opaque PSK"\ @@ -3876,7 +3876,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_slot=1" \ + psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ -S "skip PMS generation for opaque PSK"\ @@ -3888,7 +3888,7 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_slot=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ @@ -3902,7 +3902,7 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_slot=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ @@ -3916,7 +3916,7 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_slot=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 extended_ms=1" \ @@ -3931,7 +3931,7 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_slot=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \ force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 extended_ms=1" \ @@ -3946,7 +3946,7 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -3960,7 +3960,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ @@ -3974,7 +3974,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=abc psk=dead extended_ms=1" \ @@ -3989,7 +3989,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \ force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=abc psk=dead extended_ms=1" \ @@ -4004,7 +4004,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -4018,7 +4018,7 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_slot=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_slot=2 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -4032,7 +4032,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \ - "$P_SRV extended_ms=0 psk_slot=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -4045,7 +4045,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_slot=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -4058,7 +4058,7 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_slot=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 1 \