tests: net: sockets: tls_configurations: adapt to Mbed TLS 4.0

- RSA based key exchanges were removed so the corresponding test case is
  also removed. It has been replaced with a PSK one, still using TLS 1.2.
- Configuration overlay files were removed because thank to ciphersuite
  Kconfig it's now pretty trivial and compact to select what's required
  for a connection.

pytest script was updated accordingly.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>

Author: valeriosetti

tests/net/socket/tls_configurations/overlay-ec.conf

@@ -17,18 +17,17 @@ def get_arguments_from_server_type(server_type, port):
     certs_path = os.path.join(this_path, "..", "credentials")
 
     args = ["openssl", "s_server"]
-    if server_type == "1.2-rsa":
-        args.extend(["-cert", "{}/rsa.crt".format(certs_path),
-                     "-key", "{}/rsa-priv.key".format(certs_path),
-                     "-certform", "PEM",
-                     "-tls1_2",
-                     "-cipher", "AES128-SHA256,AES256-SHA256"])
+    if server_type == "1.2-psk":
+        args.extend(["-tls1_2",
+                     "-cipher", "PSK-AES256-CBC-SHA384",
+                     "-psk_identity", "PSK_identity", "-psk", "0102030405",
+                     "-nocert"])
     elif server_type == "1.2-ec":
         args.extend(["-cert", "{}/ec.crt".format(certs_path),
                      "-key", "{}/ec-priv.key".format(certs_path),
                      "-certform", "PEM",
                      "-tls1_2",
-                     "-cipher", "ECDHE-ECDSA-AES128-SHA256"])
+                     "-cipher", "ECDHE-ECDSA-AES128-GCM-SHA256"])
     elif server_type == "1.3-ephemeral":
         args.extend(["-cert", "{}/ec.crt".format(certs_path),
                      "-key", "{}/ec-priv.key".format(certs_path),
@@ -59,7 +58,7 @@ def openssl_server(server_type, port):
     logger.info("Server type: " + server_type)
     args = get_arguments_from_server_type(server_type, port)
     logger.info("Launch command:")
-    print(" ".join(args))
+    logger.info(" ".join(args))
     openssl = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
 
     try:

tests/net/socket/tls_configurations/overlay-rsa.conf

@@ -16,26 +16,18 @@ LOG_MODULE_REGISTER(tls_configuration_sample, LOG_LEVEL_INF);
 #include <zephyr/net/net_if.h>
 #include <zephyr/sys/util.h>
 
-/* This include is required for the definition of the Mbed TLS internal symbol
- * MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED.
- */
-#include <mbedtls/ssl_ciphersuites.h>
+#if defined(CONFIG_MBEDTLS_CIPHERSUITE_TLS_PSK_WITH_AES_256_CBC_SHA384) || \
+    defined(CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+#define USE_PSK_KEY_EXCHANGE
+#endif
 
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(USE_PSK_KEY_EXCHANGE)
 static const unsigned char psk[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
 static const char psk_id[] = "PSK_identity";
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+#endif /* USE_PSK_KEY_EXCHANGE */
 
-/* Following certificates (*.inc files) are:
- * - generated from "create-certs.sh" script
- * - converted in C array shape in the CMakeList file
- */
-#if defined(CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN) || defined(CONFIG_PSA_WANT_ALG_RSA_PSS)
-#define USE_CERTIFICATE
-static const unsigned char certificate[] = {
-#include "rsa.crt.inc"
-};
-#elif defined(CONFIG_PSA_WANT_ALG_ECDSA)
+/* Server certificate is only used when not using PSK key exchanges for simplicity. */
+#if !defined(USE_PSK_KEY_EXCHANGE)
 #define USE_CERTIFICATE
 static const unsigned char certificate[] = {
 #include "ec.crt.inc"
@@ -51,7 +43,7 @@ enum {
 #if defined(USE_CERTIFICATE)
 	CA_CERTIFICATE_TAG,
 #endif
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(USE_PSK_KEY_EXCHANGE)
 	PSK_TAG,
 #endif
 };
@@ -102,7 +94,7 @@ static int create_socket(void)
 #if defined(USE_CERTIFICATE)
 		CA_CERTIFICATE_TAG,
 #endif
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(USE_PSK_KEY_EXCHANGE)
 		PSK_TAG,
 #endif
 	};
@@ -159,7 +151,7 @@ static int setup_credentials(void)
 	}
 #endif
 
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(USE_PSK_KEY_EXCHANGE)
 	err = tls_credential_add(PSK_TAG,
 				TLS_CREDENTIAL_PSK,
 				psk,

tests/net/socket/tls_configurations/overlay-tls12.conf

@@ -8,45 +8,42 @@ common:
     - native_sim
   harness: pytest
 tests:
-  net.sockets.tls12.rsa_kex:
-    extra_args:
-      - EXTRA_CONF_FILE=overlay-tls12.conf;overlay-rsa.conf
+  net.sockets.tls12.psk_kex:
     extra_configs:
-      - CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
-      - CONFIG_SERVER_PORT=4000
+      - CONFIG_MBEDTLS_CIPHERSUITE_TLS_PSK_WITH_AES_256_CBC_SHA384=y
+      - CONFIG_SERVER_PORT=4001
     harness_config:
-      pytest_args: ["--server-type", "1.2-rsa", "--port", "4000"]
+      pytest_args: ["--server-type", "1.2-psk", "--port", "4001"]
   net.sockets.tls12.ec_kex:
-    extra_args:
-      - EXTRA_CONF_FILE=overlay-tls12.conf;overlay-ec.conf
     extra_configs:
-      - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
-      - CONFIG_SERVER_PORT=4001
+      - CONFIG_MBEDTLS_CIPHERSUITE_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256=y
+      - CONFIG_SERVER_PORT=4002
     harness_config:
-      pytest_args: ["--server-type", "1.2-ec", "--port", "4001"]
+      pytest_args: ["--server-type", "1.2-ec", "--port", "4002"]
   net.sockets.tls13.ephemeral_kex:
-    extra_args:
-      - EXTRA_CONF_FILE=overlay-tls13.conf;overlay-ec.conf
     extra_configs:
+      - CONFIG_MBEDTLS_CIPHERSUITE_TLS1_3_AES_256_GCM_SHA384=y
       - CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y
-      - CONFIG_SERVER_PORT=4002
+      - CONFIG_PSA_WANT_ALG_SHA_256=y # for certificate verification
+      - CONFIG_SERVER_PORT=4003
     harness_config:
-      pytest_args: ["--server-type", "1.3-ephemeral", "--port", "4002"]
+      pytest_args: ["--server-type", "1.3-ephemeral", "--port", "4003"]
   net.sockets.tls13.ephemeral_kex.tickets:
-    extra_args:
-      - EXTRA_CONF_FILE=overlay-tls13.conf;overlay-ec.conf
     extra_configs:
       - CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
+      - CONFIG_MBEDTLS_CIPHERSUITE_TLS1_3_AES_256_GCM_SHA384=y
       - CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y
-      - CONFIG_SERVER_PORT=4003
+      - CONFIG_PSA_WANT_ALG_SHA_256=y # for certificate verification
+      - CONFIG_SERVER_PORT=4004
     harness_config:
-      pytest_args: ["--server-type", "1.3-ephemeral-tickets", "--port", "4003"]
+      pytest_args: ["--server-type", "1.3-ephemeral-tickets", "--port", "4004"]
   net.sockets.tls13.psk_kex.tickets:
-    extra_args:
-      - EXTRA_CONF_FILE=overlay-tls13.conf
     extra_configs:
       - CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
+      - CONFIG_MBEDTLS_CIPHERSUITE_TLS1_3_AES_256_GCM_SHA384=y
       - CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
-      - CONFIG_SERVER_PORT=4004
+      - CONFIG_PSA_WANT_ECC_SECP_R1_256=y # for certificate verification
+      - CONFIG_PSA_WANT_ALG_SHA_256=y # for certificate verification
+      - CONFIG_SERVER_PORT=4005
     harness_config:
-      pytest_args: ["--server-type", "1.3-psk-tickets", "--port", "4004"]
+      pytest_args: ["--server-type", "1.3-psk-tickets", "--port", "4005"]