From 318dc763a6c165413c0b0a971015df402f2b8a1d Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Wed, 20 Apr 2022 09:43:51 +0000 Subject: [PATCH] Fix test failure issue and update code styles Change-Id: I0b08da1b083abdb19dc383e6f4b210f66659c109 Signed-off-by: XiaokangQian --- library/ssl_misc.h | 4 ++-- library/ssl_tls13_server.c | 32 ++++++++++++++------------------ programs/ssl/ssl_server2.c | 12 ++++++------ tests/ssl-opt.sh | 6 ++---- 4 files changed, 24 insertions(+), 30 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index f079e687d..025732e03 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -582,12 +582,12 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_CLI_C) - /*!< Number of Hello Retry Request messages received from the server. */ + /** Number of Hello Retry Request messages received from the server. */ int hello_retry_request_count; #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - /*!< selected_group of key_share extension in HelloRetryRequest message. */ + /** selected_group of key_share extension in HelloRetryRequest message. */ uint16_t hrr_selected_group; #endif /* MBEDTLS_SSL_SRV_C */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2e0dd39c9..447bc0e3d 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -125,9 +125,7 @@ static int ssl_tls13_parse_supported_groups_ext( named_group = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; - MBEDTLS_SSL_DEBUG_MSG( - 2, ( "got named group: %d", - named_group ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "got named group: %d", named_group ) ); if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) || ! mbedtls_ssl_named_group_is_supported( named_group ) || 
@@ -233,13 +231,8 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl, match_found = 1; MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); - ret = psa_crypto_init(); - if( ret != PSA_SUCCESS ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "psa_crypto_init()", ret ); - return( ret ); - } - ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p - 2, key_exchange_len + 2 ); + ret = mbedtls_ssl_tls13_read_public_ecdhe_share( + ssl, p - 2, key_exchange_len + 2 ); if( ret != 0 ) return( ret ); } @@ -385,8 +378,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *p = buf; size_t legacy_session_id_len; - size_t cipher_suites_len; const unsigned char *cipher_suites_start; + size_t cipher_suites_len; size_t extensions_len; const unsigned char *extensions_end; @@ -494,13 +487,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, /* * Search for a matching ciphersuite */ - size_t ciphersuite_exist = 0; - uint16_t cipher_suite; + int ciphersuite_match = 0; ciphersuite_info = NULL; for ( size_t j = 0; j < cipher_suites_len; j += 2, p += 2 ) { - cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); + uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); /* @@ -514,14 +506,18 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ssl->session_negotiate->ciphersuite = cipher_suite; ssl->handshake->ciphersuite_info = ciphersuite_info; - ciphersuite_exist = 1; + ciphersuite_match = 1; break; } - if( !ciphersuite_exist ) - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + if( !ciphersuite_match ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 
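Review bot: With the psa_crypto_init() call removed from ssl_tls13_parse_key_shares_ext, the call to mbedtls_ssl_tls13_read_public_ecdhe_share appears to rely on the application having initialised PSA before the handshake, and nothing in the new lines records that. ssl_server2.c gains the call in this same commit, but other users of the library get no hint. A comment above the call such as `/* The application must have called psa_crypto_init() before starting a TLS 1.3 handshake. */` would state the precondition, and the public API documentation should carry the same requirement. The call passes `p - 2` and `key_exchange_len + 2`; the check that key_exchange_len fits inside the extension lies outside this hunk and should be confirmed to precede it.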
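Review bot: The loop `for ( size_t j = 0; j < cipher_suites_len; j += 2, p += 2 )` reads two bytes per iteration, so an odd cipher_suites_len makes the final `MBEDTLS_GET_UINT16_BE( p, 0 )` read one byte beyond the declared ciphersuite list. No parity check is visible in this hunk, and whether that extra byte is still inside the input buffer depends on bounds checks earlier in ssl_tls13_parse_client_hello. Unless odd lengths are already rejected there, add a guard before the loop, for example `if( ( cipher_suites_len & 1 ) != 0 )` that pends a decode_error alert and returns `MBEDTLS_ERR_SSL_DECODE_ERROR`. The loop body continues outside this hunk.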
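Review bot: The new `!ciphersuite_match` path sends illegal_parameter, but having no ciphersuite in common is a negotiation failure rather than a malformed ClientHello. RFC 8446 section 4.1.1 asks the server to abort with handshake_failure or insufficient_security in that case, so keep the removed error code and only add the alert: `MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );` followed by `return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );`. That spelling also matches the `return( ret )` spacing used in the other hunks, which the new `return ( ... )` does not. A debug message before the alert naming the reason (no matching ciphersuite) would help when reading server logs.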
@@ -562,7 +558,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, size_t extension_data_len; const unsigned char *extension_data_end; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); p += 4; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 948d2e016..b5b0248aa 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -65,7 +65,7 @@ int main( void ) #include #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" #endif @@ -1421,7 +1421,7 @@ int main( int argc, char *argv[] ) int i; char *p, *q; const int *list; -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; #endif unsigned char eap_tls_keymaterial[16]; @@ -1487,7 +1487,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_init( &cookie_ctx ); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if( status != PSA_SUCCESS ) { @@ -4127,7 +4127,7 @@ exit: #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char* message = mbedtls_test_helper_is_psa_leaking(); if( message ) { @@ -4139,8 +4139,8 @@ exit: /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) ) \ + && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free( ); #endif 
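Review bot: The switch from `end` to `extensions_end` in `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 )` carries no comment explaining why the tighter bound matters, so a later edit could revert it. A line such as `/* Bound by extensions_end, not end: an extension header must not be read past the declared extensions length. */` would document it. The hunk stops at `p += 4;`, so the check that `extension_data_len` fits is not visible here. It should be confirmed to use `extensions_end` as well, otherwise an extension body could still extend past the declared extensions block.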
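Review bot: The condition `defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)` is now spelled out at five places in ssl_server2.c: the include, the `status` declaration, the psa_crypto_init() call, the leak check and the mbedtls_psa_crypto_free() guard. These guards pair initialisation with cleanup, so they have to change together, and a future edit that misses one leaves PSA either uninitialised or never freed. Consider defining one file-local macro near the include (name is only a suggestion), `#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)` / `#define SSL_SERVER2_USE_PSA_INIT` / `#endif`, and testing that macro at the other four sites. main() starts and ends outside these hunks.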
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d87007688..b0f5f4bea 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -10209,12 +10209,11 @@ run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA38 -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO requires_openssl_tls1_3 -run_test "TLS 1.3: Server side check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \ +run_test "TLS 1.3: Server side check - openssl" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -tls1_3" \ 1 \ @@ -10227,11 +10226,10 @@ run_test "TLS 1.3: Server side check, ciphersuite TLS_AES_256_GCM_SHA384 - op requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS 1.3: Server side check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \ +run_test "TLS 1.3: Server side check - gnutls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 1 \
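Review bot: Both "Server side check" tests still carry `requires_config_enabled MBEDTLS_SSL_CLI_C`, yet they run `$P_SRV` against an external client (`$O_NEXT_CLI` in the first hunk, `$G_NEXT_CLI` in the second). The Mbed TLS side under test is the server, so the guard should be `requires_config_enabled MBEDTLS_SSL_SRV_C`; as written the tests can be skipped or run under the wrong configuration. Separately, nothing in these hunks exercises the new alert path for a ClientHello with no acceptable ciphersuite, so a negative test asserting the expected alert in the server output would pin that behaviour.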