AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #5973 from ronald-cron-arm/tls13-misc-tests

Browse Source 
TLS 1.3: Enable and add tests
This commit is contained in:
Ronald Cron 2022-06-28 09:15:17 +02:00 committed by GitHub
commit b94854f8e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 75 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
library/ssl_tls.c
View File

@ -6139,7 +6139,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
return( 0 );
}
return( -1 );

10
library/ssl_tls13_client.c
View File

@ -1532,9 +1532,12 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
return( SSL_CERTIFICATE_REQUEST_SKIP );
}
@ -1687,7 +1690,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
}
else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
ret = 0;
}
else
@ -1697,9 +1699,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
goto cleanup;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
ssl->handshake->client_auth ? "a" : "no" ) );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
cleanup:
@ -1803,7 +1802,10 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
}
return( 0 );
}

2
library/ssl_tls13_generic.c
View File

@ -567,7 +567,7 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
*/
if( ssl->session_negotiate->peer_cert == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )

7
library/ssl_tls13_server.c
View File

@ -1644,7 +1644,11 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
}
return( 0 );
}
@ -1774,8 +1778,11 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_CLIENT_FINISHED );
}
}
break;

78
tests/ssl-opt.sh
View File

@ -4747,7 +4747,6 @@ run_test "DER format: with 9 trailing random bytes" \
# Tests for auth_mode, there are duplicated tests using ca callback for authentication
# When updating these tests, modify the matching authentication tests accordingly
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server badcert, client required" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -4781,7 +4780,6 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \
-C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@ -4852,7 +4850,6 @@ run_test "Authentication: client SHA384, server required" \
-c "Supported Signature Algorithm found: 4," \
-c "Supported Signature Algorithm found: 5,"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client has no cert, server required (TLS)" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=none \
@ -4864,12 +4861,10 @@ run_test "Authentication: client has no cert, server required (TLS)" \
-c "= write certificate$" \
-C "skip write certificate$" \
-S "x509_verify_cert() returned" \
-s "client has no certificate" \
-s "peer has no certificate" \
-s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \
-s "No client certification received from the client, but required by the authentication mode"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -4885,13 +4880,11 @@ run_test "Authentication: client badcert, server required" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
-c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client cert self-signed and trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required ca_file=data_files/server5-selfsigned.crt" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -4907,7 +4900,6 @@ run_test "Authentication: client cert self-signed and trusted, server require
-S "! The certificate is not correctly signed" \
-S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -4922,10 +4914,8 @@ run_test "Authentication: client cert not trusted, server required" \
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -4943,7 +4933,6 @@ run_test "Authentication: client badcert, server optional" \
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server none" \
"$P_SRV debug_level=3 auth_mode=none" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -4961,7 +4950,6 @@ run_test "Authentication: client badcert, server none" \
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@ -5023,7 +5011,6 @@ MAX_IM_CA='8'
# are in place so that the semantics are consistent with the test description.
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server max_int chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
key_file=data_files/dir-maxpath/09.key" \
@ -5033,7 +5020,6 @@ run_test "Authentication: server max_int chain, client default" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server max_int+1 chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@ -5065,7 +5051,6 @@ run_test "Authentication: server max_int+1 chain, client none" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server default" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@ -5075,7 +5060,6 @@ run_test "Authentication: client max_int+1 chain, server default" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server optional" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@ -5085,7 +5069,6 @@ run_test "Authentication: client max_int+1 chain, server optional" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@ -5095,7 +5078,6 @@ run_test "Authentication: client max_int+1 chain, server required" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
@ -5657,7 +5639,6 @@ run_test "SNI: DTLS, CA override with CRL" \
# Tests for non-blocking I/O: exercise a variety of handshake flows
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Non-blocking I/O: basic handshake" \
"$P_SRV nbio=2 tickets=0 auth_mode=none" \
"$P_CLI nbio=2 tickets=0" \
@ -5666,7 +5647,6 @@ run_test "Non-blocking I/O: basic handshake" \
-C "mbedtls_ssl_handshake returned" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Non-blocking I/O: client auth" \
"$P_SRV nbio=2 tickets=0 auth_mode=required" \
"$P_CLI nbio=2 tickets=0" \
@ -5722,7 +5702,6 @@ run_test "Non-blocking I/O: session-id resume" \
# Tests for event-driven I/O: exercise a variety of handshake flows
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Event-driven I/O: basic handshake" \
"$P_SRV event=1 tickets=0 auth_mode=none" \
"$P_CLI event=1 tickets=0" \
@ -5731,7 +5710,6 @@ run_test "Event-driven I/O: basic handshake" \
-C "mbedtls_ssl_handshake returned" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Event-driven I/O: client auth" \
"$P_SRV event=1 tickets=0 auth_mode=required" \
"$P_CLI event=1 tickets=0" \
@ -7355,6 +7333,20 @@ run_test "Small client packet TLS 1.2 AEAD shorter tag" \
0 \
-s "Read from client: 1 bytes read"
run_test "Small client packet TLS 1.3 AEAD" \
"$P_SRV force_version=tls13" \
"$P_CLI request_size=1 \
force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
-s "Read from client: 1 bytes read"
run_test "Small client packet TLS 1.3 AEAD shorter tag" \
"$P_SRV force_version=tls13" \
"$P_CLI request_size=1 \
force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
-s "Read from client: 1 bytes read"
# Tests for small client packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
@ -7405,6 +7397,18 @@ run_test "Small server packet TLS 1.2 AEAD shorter tag" \
0 \
-c "Read from server: 1 bytes read"
run_test "Small server packet TLS 1.3 AEAD" \
"$P_SRV response_size=1 force_version=tls13" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
-c "Read from server: 1 bytes read"
run_test "Small server packet TLS 1.3 AEAD shorter tag" \
"$P_SRV response_size=1 force_version=tls13" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
-c "Read from server: 1 bytes read"
# Tests for small server packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
@ -7469,6 +7473,22 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large client packet TLS 1.3 AEAD" \
"$P_SRV force_version=tls13" \
"$P_CLI request_size=16384 \
force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large client packet TLS 1.3 AEAD shorter tag" \
"$P_SRV force_version=tls13" \
"$P_CLI request_size=16384 \
force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
run_test "Large server packet TLS 1.2 BlockCipher" \
"$P_SRV response_size=16384 force_version=tls12" \
@ -7508,6 +7528,18 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \
0 \
-c "Read from server: 16384 bytes read"
run_test "Large server packet TLS 1.3 AEAD" \
"$P_SRV response_size=16384 force_version=tls13" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
-c "Read from server: 16384 bytes read"
run_test "Large server packet TLS 1.3 AEAD shorter tag" \
"$P_SRV response_size=16384 force_version=tls13" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
-c "Read from server: 16384 bytes read"
# Tests for restartable ECC
# Force the use of a curve that supports restartable ECC (secp256r1).

7
tests/suites/test_suite_ssl.function
View File

@ -4829,7 +4829,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls )
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments, int dtls )
@ -4843,6 +4843,9 @@ void app_data( int mfl, int cli_msg_len, int srv_msg_len,
options.expected_cli_fragments = expected_cli_fragments;
options.expected_srv_fragments = expected_srv_fragments;
options.dtls = dtls;
#if ! defined(MBEDTLS_SSL_PROTO_TLS1_2)
options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3;
#endif
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
@ -4850,7 +4853,7 @@ void app_data( int mfl, int cli_msg_len, int srv_msg_len,
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )