mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-01 13:20:30 +00:00
Merge pull request #6448 from ronald-cron-arm/tls13-kex-build-options
TLS 1.3 Introduce and use key exchange mode config options
This commit is contained in:
commit
2012361ae6
docs/architecture
include/mbedtls
library
ssl_client.cssl_misc.hssl_tls.cssl_tls12_client.cssl_tls13_client.cssl_tls13_generic.cssl_tls13_keys.cssl_tls13_keys.hssl_tls13_server.c
programs/ssl
tests
@ -141,10 +141,33 @@ Support description
|
||||
| MBEDTLS_USE_PSA_CRYPTO | yes |
|
||||
|
||||
(1) These options must remain in their default state of enabled.
|
||||
(2) Key exchange configuration options for TLS 1.3 will likely to be
|
||||
organized around the notion of key exchange mode along the line
|
||||
of the MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL
|
||||
runtime configuration macros.
|
||||
(2) See the TLS 1.3 specific build options section below.
|
||||
|
||||
- TLS 1.3 specific build options:
|
||||
|
||||
- MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE enables the support for middlebox
|
||||
compatibility mode as defined in section D.4 of RFC 8446.
|
||||
|
||||
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED enables the support for
|
||||
the PSK key exchange mode as defined by RFC 8446. If it is the only key
|
||||
exchange mode enabled, the TLS 1.3 implementation does not contain any code
|
||||
related to key exchange protocols, certificates and signatures.
|
||||
|
||||
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED enables the
|
||||
support for the ephemeral key exchange mode. If it is the only key exchange
|
||||
mode enabled, the TLS 1.3 implementation does not contain any code related
|
||||
to PSK based key exchange. The ephemeral key exchange mode requires at least
|
||||
one of the key exchange protocol allowed by the TLS 1.3 specification, the
|
||||
parsing and validation of x509 certificates and at least one signature
|
||||
algorithm allowed by the TLS 1.3 specification for signature computing and
|
||||
verification.
|
||||
|
||||
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED enables the
|
||||
support for the PSK ephemeral key exchange mode. If it is the only key
|
||||
exchange mode enabled, the TLS 1.3 implementation does not contain any code
|
||||
related to certificates and signatures. The PSK ephemeral key exchange
|
||||
mode requires at least one of the key exchange protocol allowed by the
|
||||
TLS 1.3 specification.
|
||||
|
||||
|
||||
Prototype upstreaming status
|
||||
|
@ -78,6 +78,36 @@
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED
|
||||
#endif
|
||||
|
||||
/* Make sure all configuration symbols are set before including check_config.h,
|
||||
* even the ones that are calculated programmatically. */
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
|
||||
|
@ -806,6 +806,19 @@
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#if !( defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
( defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PKCS1_V21) ) )
|
||||
#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
||||
#if !( defined(MBEDTLS_ECDH_C) )
|
||||
#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.
|
||||
*/
|
||||
|
@ -1552,6 +1552,47 @@
|
||||
*/
|
||||
//#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 PSK key exchange mode.
|
||||
*
|
||||
* Comment to disable support for the PSK key exchange mode in TLS 1.3. If
|
||||
* MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
||||
* effect on the build.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 ephemeral key exchange mode.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or
|
||||
* MBEDTLS_PKCS1_V21
|
||||
*
|
||||
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
|
||||
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
||||
* effect on the build.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 PSK ephemeral key exchange mode.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C
|
||||
*
|
||||
* Comment to disable support for the PSK ephemeral key exchange mode in
|
||||
* TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not
|
||||
* have any effect on the build.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
|
||||
*
|
||||
|
@ -1393,7 +1393,7 @@ struct mbedtls_ssl_config
|
||||
void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify calllback */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/** Callback to retrieve PSK key from identity */
|
||||
int (*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
@ -1444,13 +1444,13 @@ struct mbedtls_ssl_config
|
||||
void *MBEDTLS_PRIVATE(p_async_config_data); /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */
|
||||
#endif
|
||||
const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */
|
||||
@ -1463,7 +1463,7 @@ struct mbedtls_ssl_config
|
||||
mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field
|
||||
@ -1494,7 +1494,7 @@ struct mbedtls_ssl_config
|
||||
* Its value is non-zero if and only if
|
||||
* \c psk is not \c NULL or \c psk_opaque
|
||||
* is not \c 0. */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
const char **MBEDTLS_PRIVATE(alpn_list); /*!< ordered list of protocols */
|
||||
@ -3296,7 +3296,7 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
|
||||
mbedtls_pk_context *pk_key );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
/**
|
||||
* \brief Configure pre-shared keys (PSKs) and their
|
||||
* identities to be used in PSK-based ciphersuites.
|
||||
@ -3465,7 +3465,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
|
||||
size_t),
|
||||
void *p_psk );
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
|
||||
/**
|
||||
@ -3598,7 +3598,7 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
|
||||
void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf,
|
||||
const uint16_t *groups );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
/**
|
||||
* \brief Set the allowed hashes for signatures during the handshake.
|
||||
@ -3644,7 +3644,7 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
|
||||
*/
|
||||
void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
|
||||
const uint16_t* sig_algs );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/**
|
||||
|
@ -292,6 +292,11 @@ typedef enum {
|
||||
#define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges allowing client certificate requests */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
@ -341,6 +346,11 @@ typedef enum {
|
||||
#define MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
#define MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using DHE */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
|
@ -608,7 +608,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if(
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
( propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) ||
|
||||
@ -623,7 +623,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
||||
return( ret );
|
||||
p += output_len;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
if( propose_tls12 )
|
||||
@ -637,8 +637,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
|
||||
* MUST be the last extension in the ClientHello.
|
||||
*/
|
||||
@ -650,7 +649,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
|
||||
return( ret );
|
||||
p += output_len;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
/* Write the length of the list of extensions. */
|
||||
extensions_len = p - p_extensions_len - 2;
|
||||
@ -957,8 +956,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
||||
mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
msg_len );
|
||||
ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len );
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
if( binders_len > 0 )
|
||||
{
|
||||
MBEDTLS_SSL_PROC_CHK(
|
||||
@ -967,7 +965,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
||||
ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len,
|
||||
binders_len );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl,
|
||||
buf_len,
|
||||
|
@ -245,7 +245,7 @@
|
||||
|
||||
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
|
||||
|
||||
@ -255,7 +255,7 @@
|
||||
#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* Check that we obey the standard's message size bounds
|
||||
@ -600,8 +600,6 @@ struct mbedtls_ssl_handshake_params
|
||||
size_t ecrs_n; /*!< place for saving a length */
|
||||
#endif
|
||||
|
||||
size_t pmslen; /*!< premaster length */
|
||||
|
||||
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
|
||||
|
||||
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
@ -621,7 +619,7 @@ struct mbedtls_ssl_handshake_params
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/** selected_group of key_share extension in HelloRetryRequest message. */
|
||||
uint16_t hrr_selected_group;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
@ -631,7 +629,7 @@ struct mbedtls_ssl_handshake_params
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
|
||||
#endif
|
||||
|
||||
@ -677,7 +675,7 @@ struct mbedtls_ssl_handshake_params
|
||||
const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
|
||||
uint8_t psk_opaque_is_internal;
|
||||
@ -686,7 +684,7 @@ struct mbedtls_ssl_handshake_params
|
||||
size_t psk_len; /*!< Length of PSK from callback */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
uint16_t selected_identity;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
|
||||
mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
|
||||
@ -853,15 +851,18 @@ struct mbedtls_ssl_handshake_params
|
||||
unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
|
||||
MBEDTLS_SERVER_HELLO_RANDOM_LEN];
|
||||
/*!< random bytes */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
|
||||
/*!< premaster secret */
|
||||
size_t pmslen; /*!< premaster length */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
int extensions_present; /*!< extension presence; Each bitfield
|
||||
represents an extension and defined
|
||||
as \c MBEDTLS_SSL_EXT_XXX */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
unsigned char certificate_request_context_len;
|
||||
unsigned char *certificate_request_context;
|
||||
#endif
|
||||
@ -1365,11 +1366,13 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
|
||||
mbedtls_key_exchange_type_t key_ex );
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/**
|
||||
* Get the first defined opaque PSK by order of precedence:
|
||||
@ -1422,7 +1425,7 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
|
||||
@ -1784,7 +1787,8 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_SRV_C) && \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/**
|
||||
* Given a list of key exchange modes, check if at least one of them is
|
||||
* supported.
|
||||
@ -1831,7 +1835,8 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
|
||||
return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_SRV_C &&
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
/*
|
||||
* Helper functions to check the selected key exchange mode.
|
||||
@ -1871,7 +1876,7 @@ int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* Handler of TLS 1.3 write Certificate message
|
||||
*/
|
||||
@ -1884,7 +1889,7 @@ int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Generic handler of Certificate Verify
|
||||
@ -1914,7 +1919,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* Parse TLS Signature Algorithm extension
|
||||
*/
|
||||
@ -1922,7 +1927,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
const unsigned char *end );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/* Get handshake transcript */
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -2042,7 +2047,7 @@ static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
|
||||
static inline const void *mbedtls_ssl_get_sig_algs(
|
||||
const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
if( ssl->handshake != NULL &&
|
||||
@ -2054,17 +2059,14 @@ static inline const void *mbedtls_ssl_get_sig_algs(
|
||||
#endif
|
||||
return( ssl->conf->sig_algs );
|
||||
|
||||
#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
((void) ssl);
|
||||
return( NULL );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
}
|
||||
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
|
||||
uint16_t own_sig_alg )
|
||||
{
|
||||
@ -2079,61 +2081,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
|
||||
uint16_t proposed_sig_alg )
|
||||
{
|
||||
const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
|
||||
if( sig_alg == NULL )
|
||||
return( 0 );
|
||||
|
||||
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
|
||||
{
|
||||
if( *sig_alg == proposed_sig_alg )
|
||||
return( 1 );
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
|
||||
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
|
||||
{
|
||||
*pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
|
||||
*md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
|
||||
|
||||
if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
|
||||
return( 0 );
|
||||
|
||||
switch( sig_alg )
|
||||
{
|
||||
#if defined(MBEDTLS_PKCS1_V21)
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
|
||||
*md_alg = MBEDTLS_MD_SHA256;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
|
||||
*md_alg = MBEDTLS_MD_SHA384;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
|
||||
*md_alg = MBEDTLS_MD_SHA512;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#endif /* MBEDTLS_PKCS1_V21 */
|
||||
default:
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
|
||||
const uint16_t sig_alg )
|
||||
{
|
||||
@ -2201,7 +2149,63 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
|
||||
mbedtls_pk_context *key );
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
|
||||
uint16_t proposed_sig_alg )
|
||||
{
|
||||
const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
|
||||
if( sig_alg == NULL )
|
||||
return( 0 );
|
||||
|
||||
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
|
||||
{
|
||||
if( *sig_alg == proposed_sig_alg )
|
||||
return( 1 );
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
|
||||
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
|
||||
{
|
||||
*pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
|
||||
*md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
|
||||
|
||||
if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
|
||||
return( 0 );
|
||||
|
||||
switch( sig_alg )
|
||||
{
|
||||
#if defined(MBEDTLS_PKCS1_V21)
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
|
||||
*md_alg = MBEDTLS_MD_SHA256;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
|
||||
*md_alg = MBEDTLS_MD_SHA384;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
|
||||
*md_alg = MBEDTLS_MD_SHA512;
|
||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||
break;
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#endif /* MBEDTLS_PKCS1_V21 */
|
||||
default:
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
|
||||
@ -2279,26 +2283,17 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
|
||||
{
|
||||
return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif
|
||||
((void) ssl);
|
||||
((void) sig_alg);
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
|
||||
mbedtls_pk_context *key );
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
|
||||
@ -2459,7 +2454,7 @@ int mbedtls_ssl_check_dtls_clihlo_cookie(
|
||||
unsigned char *obuf, size_t buf_len, size_t *olen );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/**
|
||||
* \brief Given an SSL context and its associated configuration, write the TLS
|
||||
* 1.3 specific Pre-Shared key extension.
|
||||
@ -2492,7 +2487,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
|
||||
mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf, unsigned char *end );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
||||
|
@ -843,7 +843,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
/* Heap allocate and translate sig_hashes from internal hash identifiers to
|
||||
@ -909,7 +909,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
|
||||
ssl->handshake->sig_algs_heap_allocated = 0;
|
||||
}
|
||||
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
@ -1599,16 +1599,21 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
|
||||
{
|
||||
if( conf->psk_identity == NULL ||
|
||||
conf->psk_identity_len == 0 )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
|
||||
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
|
||||
return( 1 );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
if( conf->psk != NULL )
|
||||
|
||||
if( conf->psk != NULL && conf->psk_len != 0 )
|
||||
return( 1 );
|
||||
|
||||
return( 0 );
|
||||
@ -1654,6 +1659,7 @@ static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
|
||||
{
|
||||
/* Identity len will be encoded on two bytes */
|
||||
if( psk_identity == NULL ||
|
||||
psk_identity_len == 0 ||
|
||||
( psk_identity_len >> 16 ) != 0 ||
|
||||
psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
@ -1677,7 +1683,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* We currently only support one PSK, raw or opaque. */
|
||||
if( ssl_conf_psk_is_configured( conf ) )
|
||||
if( mbedtls_ssl_conf_has_static_psk( conf ) )
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
|
||||
/* Check and set raw PSK */
|
||||
@ -1795,7 +1801,7 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* We currently only support one PSK, raw or opaque. */
|
||||
if( ssl_conf_psk_is_configured( conf ) )
|
||||
if( mbedtls_ssl_conf_has_static_psk( conf ) )
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
|
||||
/* Check and set opaque PSK */
|
||||
@ -1836,7 +1842,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
|
||||
@ -2389,7 +2395,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
|
||||
}
|
||||
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
/*
|
||||
* Set allowed/preferred hashes for handshake signatures
|
||||
@ -2410,7 +2416,7 @@ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
|
||||
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
|
||||
conf->sig_algs = sig_algs;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
@ -3581,7 +3587,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
if ( ssl->handshake->sig_algs_heap_allocated )
|
||||
mbedtls_free( (void*) handshake->sig_algs );
|
||||
@ -3593,7 +3599,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||
mbedtls_free( (void*) handshake->certificate_request_context );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
|
||||
@ -3639,7 +3645,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||
mbedtls_free( (void *) handshake->curves );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
|
||||
{
|
||||
@ -3659,7 +3665,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||
mbedtls_free( handshake->psk );
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
@ -4459,7 +4465,7 @@ static int ssl_preset_suiteb_ciphersuites[] = {
|
||||
0
|
||||
};
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
/* NOTICE:
|
||||
* For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
|
||||
@ -4604,7 +4610,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
|
||||
};
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
static uint16_t ssl_preset_suiteb_groups[] = {
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
@ -4616,7 +4622,7 @@ static uint16_t ssl_preset_suiteb_groups[] = {
|
||||
MBEDTLS_SSL_IANA_TLS_GROUP_NONE
|
||||
};
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
|
||||
* to make sure there are no duplicated signature algorithm entries. */
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -4640,7 +4646,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* Load default in mbedtls_ssl_config
|
||||
@ -4652,7 +4658,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( ssl_check_no_sig_alg_duplication( ssl_preset_suiteb_sig_algs ) )
|
||||
{
|
||||
mbedtls_printf( "ssl_preset_suiteb_sig_algs has duplicated entries\n" );
|
||||
@ -4678,7 +4684,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/* Use the functions here so that they are covered in tests,
|
||||
* but otherwise access member directly for efficiency */
|
||||
@ -4809,14 +4815,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
|
||||
conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
|
||||
else
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
conf->sig_algs = ssl_preset_suiteb_sig_algs;
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
conf->curve_list = NULL;
|
||||
@ -4835,14 +4841,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
conf->cert_profile = &mbedtls_x509_crt_profile_default;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
|
||||
conf->sig_algs = ssl_tls12_preset_default_sig_algs;
|
||||
else
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
conf->sig_algs = ssl_preset_default_sig_algs;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
conf->curve_list = NULL;
|
||||
@ -4867,7 +4873,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
|
||||
mbedtls_mpi_free( &conf->dhm_G );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
|
||||
{
|
||||
@ -4889,7 +4895,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
|
||||
conf->psk_identity = NULL;
|
||||
conf->psk_identity_len = 0;
|
||||
}
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
ssl_key_cert_free( conf->key_cert );
|
||||
@ -5268,7 +5274,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
|
||||
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/* mbedtls_ssl_parse_sig_alg_ext()
|
||||
*
|
||||
* The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
|
||||
@ -5376,7 +5382,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
|
||||
@ -8582,7 +8588,7 @@ int mbedtls_ssl_validate_ciphersuite(
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* Function for writing a signature algorithm extension.
|
||||
*
|
||||
@ -8685,7 +8691,7 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
/*
|
||||
|
@ -49,27 +49,6 @@
|
||||
|
||||
#include "hash_info.h"
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
|
||||
{
|
||||
if( conf->psk_identity == NULL ||
|
||||
conf->psk_identity_len == 0 )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
|
||||
return( 1 );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
if( conf->psk != NULL && conf->psk_len != 0 )
|
||||
return( 1 );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
|
||||
|
@ -210,6 +210,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
|
||||
/*
|
||||
* Functions for writing key_share extension.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
|
||||
uint16_t *group_id )
|
||||
@ -364,7 +365,7 @@ cleanup:
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* ssl_tls13_parse_hrr_key_share_ext()
|
||||
@ -602,7 +603,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/*
|
||||
* ssl_tls13_write_psk_key_exchange_modes_ext() structure:
|
||||
*
|
||||
@ -728,11 +729,6 @@ static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||
|
||||
static int ssl_tls13_has_configured_psk( const mbedtls_ssl_config *conf )
|
||||
{
|
||||
return( conf->psk != NULL && conf->psk_identity != NULL );
|
||||
}
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
|
||||
psa_algorithm_t *hash_alg,
|
||||
@ -740,7 +736,7 @@ static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
|
||||
size_t *identity_len )
|
||||
{
|
||||
|
||||
if( !ssl_tls13_has_configured_psk( ssl->conf ) )
|
||||
if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
|
||||
return( -1 );
|
||||
|
||||
*hash_alg = PSA_ALG_SHA_256;
|
||||
@ -756,7 +752,7 @@ static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
|
||||
size_t *psk_len )
|
||||
{
|
||||
|
||||
if( !ssl_tls13_has_configured_psk( ssl->conf ) )
|
||||
if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
|
||||
return( -1 );
|
||||
|
||||
*hash_alg = PSA_ALG_SHA_256;
|
||||
@ -775,7 +771,7 @@ static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
|
||||
configured_psk_count++;
|
||||
}
|
||||
#endif
|
||||
if( ssl_tls13_has_configured_psk( ssl->conf ) )
|
||||
if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
|
||||
configured_psk_count++;
|
||||
@ -1094,7 +1090,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
else
|
||||
#endif
|
||||
if( ssl_tls13_has_configured_psk( ssl->conf ) )
|
||||
if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
|
||||
{
|
||||
ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
|
||||
}
|
||||
@ -1117,8 +1113,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
@ -1148,6 +1143,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
||||
return( ret );
|
||||
p += ext_len;
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||
if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
|
||||
{
|
||||
ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
|
||||
@ -1155,8 +1151,9 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
||||
return( ret );
|
||||
p += ext_len;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* For PSK-based key exchange we need the pre_shared_key extension
|
||||
* and the psk_key_exchange_modes extension.
|
||||
*
|
||||
@ -1170,7 +1167,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
p += ext_len;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
*out_len = p - buf;
|
||||
|
||||
@ -1686,7 +1683,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
|
||||
goto cleanup;
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
||||
if( is_hrr )
|
||||
@ -1703,7 +1700,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
|
||||
return( ret );
|
||||
}
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
case MBEDTLS_TLS_EXT_KEY_SHARE:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
|
||||
@ -2070,7 +2067,7 @@ static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
|
||||
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
|
||||
buf, buf_len );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
|
||||
else
|
||||
@ -2087,7 +2084,7 @@ cleanup:
|
||||
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* STATE HANDLING: CertificateRequest
|
||||
*
|
||||
@ -2324,7 +2321,7 @@ static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_SERVER_FINISHED
|
||||
@ -2370,7 +2367,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
|
||||
( "Switch to handshake traffic keys for outbound traffic" ) );
|
||||
mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
if( ssl->handshake->client_auth )
|
||||
{
|
||||
int ret = mbedtls_ssl_tls13_write_certificate( ssl );
|
||||
@ -2400,7 +2397,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
|
||||
*/
|
||||
@ -2414,7 +2411,7 @@ static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
|
||||
@ -2727,7 +2724,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
|
||||
ret = ssl_tls13_process_encrypted_extensions( ssl );
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
||||
ret = ssl_tls13_process_certificate_request( ssl );
|
||||
break;
|
||||
@ -2739,7 +2736,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
|
||||
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
||||
ret = ssl_tls13_process_certificate_verify( ssl );
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
case MBEDTLS_SSL_SERVER_FINISHED:
|
||||
ret = ssl_tls13_process_server_finished( ssl );
|
||||
@ -2749,11 +2746,11 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
|
||||
ret = ssl_tls13_write_client_certificate( ssl );
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
|
||||
ret = ssl_tls13_write_client_certificate_verify( ssl );
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
case MBEDTLS_SSL_CLIENT_FINISHED:
|
||||
ret = ssl_tls13_write_client_finished( ssl );
|
||||
|
@ -83,7 +83,7 @@ cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* STATE HANDLING: Read CertificateVerify
|
||||
*/
|
||||
@ -285,12 +285,12 @@ error:
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
|
||||
size_t verify_buffer_len;
|
||||
@ -348,7 +348,7 @@ cleanup:
|
||||
((void) ssl);
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
}
|
||||
|
||||
/*
|
||||
@ -357,7 +357,7 @@ cleanup:
|
||||
*
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
* Structure of Certificate message:
|
||||
@ -534,9 +534,9 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/* Validate certificate chain sent by the server. */
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -727,14 +727,14 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
unsigned char *buf;
|
||||
size_t buf_len;
|
||||
|
||||
@ -752,12 +752,12 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
|
||||
buf, buf_len );
|
||||
|
||||
cleanup:
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
||||
return( ret );
|
||||
}
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* enum {
|
||||
* X509(0),
|
||||
@ -1078,7 +1078,7 @@ cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
*
|
||||
|
@ -38,9 +38,6 @@
|
||||
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
|
||||
.name = string,
|
||||
|
||||
#define TLS1_3_EVOLVE_INPUT_SIZE ( PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ) ? \
|
||||
PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
|
||||
|
||||
struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
|
||||
{
|
||||
/* This seems to work in C, despite the string literal being one
|
||||
@ -334,9 +331,12 @@ int mbedtls_ssl_tls13_evolve_secret(
|
||||
int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
size_t hlen, ilen;
|
||||
size_t hlen;
|
||||
unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 };
|
||||
unsigned char tmp_input [ TLS1_3_EVOLVE_INPUT_SIZE ] = { 0 };
|
||||
const unsigned char all_zeroes_input[ MBEDTLS_TLS1_3_MD_MAX_SIZE ] = { 0 };
|
||||
const unsigned char *l_input = NULL;
|
||||
size_t l_input_len;
|
||||
|
||||
psa_key_derivation_operation_t operation =
|
||||
PSA_KEY_DERIVATION_OPERATION_INIT;
|
||||
|
||||
@ -364,12 +364,13 @@ int mbedtls_ssl_tls13_evolve_secret(
|
||||
|
||||
if( input != NULL && input_len != 0 )
|
||||
{
|
||||
memcpy( tmp_input, input, input_len );
|
||||
ilen = input_len;
|
||||
l_input = input;
|
||||
l_input_len = input_len;
|
||||
}
|
||||
else
|
||||
{
|
||||
ilen = hlen;
|
||||
l_input = all_zeroes_input;
|
||||
l_input_len = hlen;
|
||||
}
|
||||
|
||||
status = psa_key_derivation_setup( &operation,
|
||||
@ -388,8 +389,7 @@ int mbedtls_ssl_tls13_evolve_secret(
|
||||
|
||||
status = psa_key_derivation_input_bytes( &operation,
|
||||
PSA_KEY_DERIVATION_INPUT_SECRET,
|
||||
tmp_input,
|
||||
ilen );
|
||||
l_input, l_input_len );
|
||||
|
||||
if( status != PSA_SUCCESS )
|
||||
goto cleanup;
|
||||
@ -406,7 +406,6 @@ int mbedtls_ssl_tls13_evolve_secret(
|
||||
status = ( status == PSA_SUCCESS ? abort_status : status );
|
||||
ret = ( ret == 0 ? psa_ssl_status_to_mbedtls ( status ) : ret );
|
||||
mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
|
||||
mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
@ -1068,7 +1067,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac );
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||
{
|
||||
ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
|
||||
@ -1084,7 +1083,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
|
||||
ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, psk, psk_len,
|
||||
handshake->tls13_master_secrets.early );
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
mbedtls_free( (void*)psk );
|
||||
#endif
|
||||
if( ret != 0 )
|
||||
@ -1251,14 +1250,13 @@ exit:
|
||||
int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) && defined(MBEDTLS_ECDH_C)
|
||||
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED && MBEDTLS_ECDH_C */
|
||||
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
|
||||
psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
|
||||
handshake->ciphersuite_info->mac );
|
||||
unsigned char *shared_secret = NULL;
|
||||
size_t shared_secret_len = 0;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||
/*
|
||||
* Compute ECDHE secret used to compute the handshake secret from which
|
||||
* client_handshake_traffic_secret and server_handshake_traffic_secret
|
||||
@ -1270,60 +1268,75 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_ECDH_C)
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_raw_key_agreement(
|
||||
PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
|
||||
handshake->premaster, sizeof( handshake->premaster ),
|
||||
&handshake->pmslen );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = psa_ssl_status_to_mbedtls( status );
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
|
||||
return( ret );
|
||||
}
|
||||
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
|
||||
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
|
||||
status = psa_destroy_key( handshake->ecdh_psa_privkey );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = psa_ssl_status_to_mbedtls( status );
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
|
||||
return( ret );
|
||||
}
|
||||
status = psa_get_key_attributes( handshake->ecdh_psa_privkey,
|
||||
&key_attributes );
|
||||
if( status != PSA_SUCCESS )
|
||||
ret = psa_ssl_status_to_mbedtls( status );
|
||||
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
shared_secret_len = PSA_BITS_TO_BYTES(
|
||||
psa_get_key_bits( &key_attributes ) );
|
||||
shared_secret = mbedtls_calloc( 1, shared_secret_len );
|
||||
if( shared_secret == NULL )
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
|
||||
status = psa_raw_key_agreement(
|
||||
PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
|
||||
shared_secret, shared_secret_len, &shared_secret_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = psa_ssl_status_to_mbedtls( status );
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
status = psa_destroy_key( handshake->ecdh_psa_privkey );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = psa_ssl_status_to_mbedtls( status );
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
#endif /* MBEDTLS_ECDH_C */
|
||||
}
|
||||
else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) )
|
||||
else
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) );
|
||||
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Group not supported." ) );
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
}
|
||||
}
|
||||
#else
|
||||
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Compute the Handshake Secret
|
||||
*/
|
||||
ret = mbedtls_ssl_tls13_evolve_secret( hash_alg,
|
||||
handshake->tls13_master_secrets.early,
|
||||
handshake->premaster, handshake->pmslen,
|
||||
shared_secret, shared_secret_len,
|
||||
handshake->tls13_master_secrets.handshake );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
|
||||
return( ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
|
||||
handshake->tls13_master_secrets.handshake,
|
||||
PSA_HASH_LENGTH( hash_alg ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
|
||||
mbedtls_platform_zeroize( handshake->premaster, sizeof( handshake->premaster ) );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
|
||||
return( 0 );
|
||||
cleanup:
|
||||
if( shared_secret != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( shared_secret, shared_secret_len );
|
||||
mbedtls_free( shared_secret );
|
||||
}
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/* Generate application traffic keys since any records following a 1-RTT Finished message
|
||||
@ -1601,7 +1614,7 @@ cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||
unsigned char **psk,
|
||||
size_t *psk_len )
|
||||
@ -1642,7 +1655,7 @@ int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||
return( 0 );
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
|
@ -691,7 +691,7 @@ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/**
|
||||
* \brief Export TLS 1.3 PSK from handshake context
|
||||
*
|
||||
@ -707,7 +707,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||
unsigned char **psk,
|
||||
size_t *psk_len );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
|
@ -59,7 +59,7 @@ static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
|
||||
return( ciphersuite_info );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* From RFC 8446:
|
||||
*
|
||||
* enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
|
||||
@ -701,7 +701,7 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
/* From RFC 8446:
|
||||
* struct {
|
||||
@ -993,7 +993,7 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
|
||||
MBEDTLS_SSL_EXT_SIG_ALG ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
|
||||
mbedtls_ssl_context *ssl )
|
||||
@ -1015,7 +1015,7 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
|
||||
MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
|
||||
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||
@ -1027,7 +1027,7 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
|
||||
mbedtls_ssl_tls13_psk_enabled( ssl ) &&
|
||||
ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
|
||||
@ -1040,7 +1040,7 @@ static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
|
||||
mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
|
||||
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
|
||||
@ -1104,7 +1104,7 @@ static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
|
||||
@ -1229,7 +1229,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
|
||||
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
*
|
||||
@ -1289,11 +1289,11 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *extensions_end;
|
||||
int hrr_required = 0;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
const unsigned char *cipher_suites;
|
||||
const unsigned char *pre_shared_key_ext = NULL;
|
||||
const unsigned char *pre_shared_key_ext_end = NULL;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
|
||||
|
||||
@ -1400,7 +1400,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
* with CipherSuite defined as:
|
||||
* uint8 CipherSuite[2];
|
||||
*/
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
cipher_suites = p;
|
||||
#endif
|
||||
cipher_suites_end = p + cipher_suites_len;
|
||||
@ -1581,7 +1581,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
|
||||
|
||||
@ -1596,7 +1596,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
|
||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
|
||||
@ -1608,14 +1608,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* Delay processing of the PSK identity once we have
|
||||
* found out which algorithms to use. We keep a pointer
|
||||
* to the buffer and the size for later processing.
|
||||
*/
|
||||
pre_shared_key_ext = p;
|
||||
pre_shared_key_ext_end = extension_data_end;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
|
||||
break;
|
||||
|
||||
@ -1634,7 +1634,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_ALPN */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
case MBEDTLS_TLS_EXT_SIG_ALG:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
||||
|
||||
@ -1649,7 +1649,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
default:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||
@ -1669,7 +1669,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
p - buf );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* Update checksum with either
|
||||
* - The entire content of the CH message, if no PSK extension is present
|
||||
* - The content up to but excluding the PSK extension, if present.
|
||||
@ -1698,7 +1698,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
{
|
||||
ssl->handshake->update_checksum( ssl, buf, p - buf );
|
||||
}
|
||||
@ -2154,7 +2154,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
|
||||
p += output_len;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||
{
|
||||
ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
|
||||
@ -2166,7 +2166,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
p += output_len;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif
|
||||
|
||||
MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
|
||||
|
||||
@ -2390,7 +2390,7 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
|
||||
else
|
||||
@ -2405,7 +2405,7 @@ cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
|
||||
#define SSL_CERTIFICATE_REQUEST_SKIP 1
|
||||
/* Coordination:
|
||||
@ -2573,7 +2573,7 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_SERVER_FINISHED
|
||||
@ -2984,7 +2984,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
||||
ret = ssl_tls13_write_certificate_request( ssl );
|
||||
break;
|
||||
@ -2996,7 +2996,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
||||
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
||||
ret = ssl_tls13_write_certificate_verify( ssl );
|
||||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
/*
|
||||
* Injection of dummy-CCS's for middlebox compatibility
|
||||
@ -3027,6 +3027,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
||||
ret = ssl_tls13_handshake_wrapup( ssl );
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
|
||||
ret = mbedtls_ssl_tls13_process_certificate( ssl );
|
||||
if( ret == 0 )
|
||||
@ -3053,6 +3054,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
||||
ssl, MBEDTLS_SSL_CLIENT_FINISHED );
|
||||
}
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
case MBEDTLS_SSL_NEW_SESSION_TICKET:
|
||||
|
@ -120,7 +120,7 @@ int main( void )
|
||||
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
|
||||
#define GET_REQUEST_END "\r\n\r\n"
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#define USAGE_CONTEXT_CRT_CB \
|
||||
" context_crt_cb=%%d This determines whether the CRT verification callback is bound\n" \
|
||||
" to the SSL configuration of the SSL context.\n" \
|
||||
@ -129,8 +129,8 @@ int main( void )
|
||||
" - 1: Use CRT callback bound to SSL context\n"
|
||||
#else
|
||||
#define USAGE_CONTEXT_CRT_CB ""
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
#define USAGE_IO \
|
||||
" ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
|
||||
@ -148,10 +148,10 @@ int main( void )
|
||||
#define USAGE_IO \
|
||||
" No file operations available (MBEDTLS_FS_IO not defined)\n"
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#define USAGE_IO ""
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#define USAGE_KEY_OPAQUE \
|
||||
" key_opaque=%%d Handle your private key as if it were opaque\n" \
|
||||
" default: 0 (disabled)\n"
|
||||
@ -173,7 +173,7 @@ int main( void )
|
||||
#define USAGE_CID ""
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#define USAGE_PSK_RAW \
|
||||
" psk=%%s default: \"\" (disabled)\n" \
|
||||
" The PSK values are in hex, without 0x.\n" \
|
||||
@ -195,7 +195,7 @@ int main( void )
|
||||
#define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
|
||||
#else
|
||||
#define USAGE_PSK ""
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
#define USAGE_CA_CALLBACK \
|
||||
@ -269,8 +269,7 @@ int main( void )
|
||||
#define USAGE_CURVES ""
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#define USAGE_SIG_ALGS \
|
||||
" sig_algs=a,b,c,d default: \"default\" (library default)\n" \
|
||||
" example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
|
||||
@ -541,7 +540,7 @@ struct options
|
||||
|
||||
#include "ssl_test_common_source.c"
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
static unsigned char peer_crt_info[1024];
|
||||
|
||||
/*
|
||||
@ -579,7 +578,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
int report_cid_usage( mbedtls_ssl_context *ssl,
|
||||
@ -719,14 +718,13 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_net_context server_fd;
|
||||
io_ctx_t io_ctx;
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif
|
||||
|
||||
unsigned char buf[MAX_REQUEST_SIZE + 1];
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
|
||||
size_t psk_len = 0;
|
||||
#endif
|
||||
@ -758,7 +756,7 @@ int main( int argc, char *argv[] )
|
||||
const char *pers = "ssl_client2";
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_algorithm_t alg = 0;
|
||||
psa_key_attributes_t key_attributes;
|
||||
@ -777,7 +775,7 @@ int main( int argc, char *argv[] )
|
||||
#if defined(MBEDTLS_TIMING_C)
|
||||
mbedtls_timing_delay_context timer;
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
uint32_t flags;
|
||||
mbedtls_x509_crt cacert;
|
||||
mbedtls_x509_crt clicert;
|
||||
@ -786,7 +784,7 @@ int main( int argc, char *argv[] )
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
|
||||
#endif
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
char *p, *q;
|
||||
const int *list;
|
||||
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
|
||||
@ -827,7 +825,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );
|
||||
rng_init( &rng );
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
mbedtls_x509_crt_init( &cacert );
|
||||
mbedtls_x509_crt_init( &clicert );
|
||||
mbedtls_pk_init( &pkey );
|
||||
@ -1027,7 +1025,7 @@ int main( int argc, char *argv[] )
|
||||
opt.key_file = q;
|
||||
else if( strcmp( p, "key_pwd" ) == 0 )
|
||||
opt.key_pwd = q;
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
else if( strcmp( p, "key_opaque" ) == 0 )
|
||||
opt.key_opaque = atoi( q );
|
||||
#endif
|
||||
@ -1165,11 +1163,10 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
else if( strcmp( p, "curves" ) == 0 )
|
||||
opt.curves = q;
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
else if( strcmp( p, "sig_algs" ) == 0 )
|
||||
opt.sig_algs = q;
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif
|
||||
else if( strcmp( p, "etm" ) == 0 )
|
||||
{
|
||||
switch( atoi( q ) )
|
||||
@ -1406,7 +1403,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_debug_set_threshold( opt.debug_level );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
/*
|
||||
* Unhexify the pre-shared key if any is given
|
||||
*/
|
||||
@ -1419,7 +1416,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
@ -1478,7 +1475,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined (MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
/* Determine KDF algorithm the opaque PSK will be used in. */
|
||||
@ -1489,7 +1486,7 @@ int main( int argc, char *argv[] )
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
|
||||
@ -1572,8 +1569,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( opt.sig_algs != NULL )
|
||||
{
|
||||
p = (char *) opt.sig_algs;
|
||||
@ -1672,7 +1668,7 @@ int main( int argc, char *argv[] )
|
||||
|
||||
sig_alg_list[i] = MBEDTLS_TLS1_3_SIG_NONE;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
if( opt.alpn_string != NULL )
|
||||
@ -1705,7 +1701,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* 1.1. Load the trusted CA
|
||||
*/
|
||||
@ -1827,7 +1823,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_printf( " ok (key type: %s)\n",
|
||||
strlen( opt.key_file ) || strlen( opt.key_opaque_alg1 ) ?
|
||||
mbedtls_pk_get_name( &pkey ) : "none" );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* 2. Setup stuff
|
||||
@ -1845,7 +1841,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/* The default algorithms profile disables SHA-1, but our tests still
|
||||
rely on it heavily. */
|
||||
if( opt.allow_sha1 > 0 )
|
||||
@ -1858,7 +1854,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
|
||||
|
||||
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
|
||||
@ -1995,7 +1991,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( strcmp( opt.ca_path, "none" ) != 0 &&
|
||||
strcmp( opt.ca_file, "none" ) != 0 )
|
||||
{
|
||||
@ -2016,7 +2012,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
if( opt.curves != NULL &&
|
||||
@ -2026,13 +2022,12 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( opt.sig_algs != NULL )
|
||||
mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
@ -2070,7 +2065,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
if( opt.min_version != DFL_MIN_VERSION )
|
||||
mbedtls_ssl_conf_min_tls_version( &conf, opt.min_version );
|
||||
@ -2104,7 +2099,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
|
||||
@ -2127,10 +2122,10 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( opt.context_crt_cb == 1 )
|
||||
mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
io_ctx.ssl = &ssl;
|
||||
io_ctx.net = &server_fd;
|
||||
@ -2451,7 +2446,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* 5. Verify the server certificate
|
||||
*/
|
||||
@ -2474,7 +2469,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_printf( " . Peer certificate information ...\n" );
|
||||
mbedtls_printf( "%s\n", peer_crt_info );
|
||||
#endif /* !MBEDTLS_X509_REMOVE_INFO */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
ret = report_cid_usage( &ssl, "initial handshake" );
|
||||
@ -2849,9 +2844,9 @@ send_request:
|
||||
mbedtls_printf( " . Restarting connection from same port..." );
|
||||
fflush( stdout );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
|
||||
{
|
||||
@ -3085,9 +3080,9 @@ reconnect:
|
||||
|
||||
mbedtls_printf( " . Reconnecting with saved session..." );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
|
||||
{
|
||||
@ -3191,16 +3186,16 @@ exit:
|
||||
mbedtls_free( context_buf );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
mbedtls_x509_crt_free( &clicert );
|
||||
mbedtls_x509_crt_free( &cacert );
|
||||
mbedtls_pk_free( &pkey );
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key( key_slot );
|
||||
#endif
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
|
||||
defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
@ -3219,7 +3214,7 @@ exit:
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED &&
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
|
||||
MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
|
@ -175,7 +175,7 @@ int main( void )
|
||||
*/
|
||||
#define DFL_IO_BUF_LEN 200
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
#define USAGE_IO \
|
||||
" ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
|
||||
@ -206,8 +206,8 @@ int main( void )
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
#else
|
||||
#define USAGE_IO ""
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#define USAGE_KEY_OPAQUE \
|
||||
" key_opaque=%%d Handle your private keys as if they were opaque\n" \
|
||||
" default: 0 (disabled)\n"
|
||||
@ -241,7 +241,7 @@ int main( void )
|
||||
#define USAGE_CID ""
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#define USAGE_PSK_RAW \
|
||||
" psk=%%s default: \"\" (disabled)\n" \
|
||||
" The PSK values are in hex, without 0x.\n" \
|
||||
@ -276,7 +276,7 @@ int main( void )
|
||||
#define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
|
||||
#else
|
||||
#define USAGE_PSK ""
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
#define USAGE_CA_CALLBACK \
|
||||
" ca_callback=%%d default: 0 (disabled)\n" \
|
||||
@ -435,8 +435,7 @@ int main( void )
|
||||
#define USAGE_CURVES ""
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#define USAGE_SIG_ALGS \
|
||||
" sig_algs=a,b,c,d default: \"default\" (library default)\n" \
|
||||
" example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
|
||||
@ -908,7 +907,7 @@ int cert_callback( mbedtls_ssl_context *ssl )
|
||||
|
||||
#endif /* SNI_OPTION */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
|
||||
typedef struct _psk_entry psk_entry;
|
||||
|
||||
@ -1021,7 +1020,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl,
|
||||
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
static mbedtls_net_context listen_fd, client_fd;
|
||||
|
||||
@ -1114,7 +1113,7 @@ typedef struct
|
||||
unsigned remaining_delay;
|
||||
} ssl_async_operation_context_t;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
/* Note that ssl_async_operation_type_t and the array below need to be kept in sync!
|
||||
* `ssl_async_operation_names[op]` is the name of op for each value `op`
|
||||
@ -1277,11 +1276,11 @@ static void ssl_async_cancel( mbedtls_ssl_context *ssl )
|
||||
mbedtls_printf( "Async cancel callback.\n" );
|
||||
mbedtls_free( ctx );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
static psa_status_t psa_setup_psk_key_slot( mbedtls_svc_key_id_t *slot,
|
||||
psa_algorithm_t alg,
|
||||
unsigned char *psk,
|
||||
@ -1304,7 +1303,7 @@ static psa_status_t psa_setup_psk_key_slot( mbedtls_svc_key_id_t *slot,
|
||||
|
||||
return( PSA_SUCCESS );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
@ -1432,7 +1431,7 @@ int main( int argc, char *argv[] )
|
||||
int query_config_ret = 0;
|
||||
io_ctx_t io_ctx;
|
||||
unsigned char* buf = 0;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_algorithm_t alg = 0;
|
||||
mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
@ -1456,7 +1455,7 @@ int main( int argc, char *argv[] )
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
unsigned char renego_period[8] = { 0 };
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
uint32_t flags;
|
||||
mbedtls_x509_crt cacert;
|
||||
mbedtls_x509_crt srvcert;
|
||||
@ -1469,7 +1468,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
|
||||
#endif
|
||||
int key_cert_init = 0, key_cert_init2 = 0;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
ssl_async_key_context_t ssl_async_keys;
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
@ -1506,10 +1505,9 @@ int main( int argc, char *argv[] )
|
||||
size_t context_buf_len = 0;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif
|
||||
|
||||
int i;
|
||||
char *p, *q;
|
||||
@ -1554,7 +1552,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_init( &ssl );
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
rng_init( &rng );
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
mbedtls_x509_crt_init( &cacert );
|
||||
mbedtls_x509_crt_init( &srvcert );
|
||||
mbedtls_pk_init( &pkey );
|
||||
@ -1783,7 +1781,7 @@ int main( int argc, char *argv[] )
|
||||
opt.key_file = q;
|
||||
else if( strcmp( p, "key_pwd" ) == 0 )
|
||||
opt.key_pwd = q;
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
else if( strcmp( p, "key_opaque" ) == 0 )
|
||||
opt.key_opaque = atoi( q );
|
||||
#endif
|
||||
@ -1867,11 +1865,10 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
else if( strcmp( p, "curves" ) == 0 )
|
||||
opt.curves = q;
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
else if( strcmp( p, "sig_algs" ) == 0 )
|
||||
opt.sig_algs = q;
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif
|
||||
else if( strcmp( p, "renegotiation" ) == 0 )
|
||||
{
|
||||
opt.renegotiation = (atoi( q )) ?
|
||||
@ -2339,7 +2336,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
|
||||
{
|
||||
/* Determine KDF algorithm the opaque PSK will be used in. */
|
||||
@ -2350,7 +2347,7 @@ int main( int argc, char *argv[] )
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
|
||||
@ -2377,7 +2374,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
/*
|
||||
* Unhexify the pre-shared key and parse the list if any given
|
||||
*/
|
||||
@ -2396,7 +2393,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
if( opt.curves != NULL )
|
||||
@ -2454,8 +2451,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( opt.sig_algs != NULL )
|
||||
{
|
||||
p = (char *) opt.sig_algs;
|
||||
@ -2554,7 +2550,7 @@ int main( int argc, char *argv[] )
|
||||
|
||||
sig_alg_list[i] = MBEDTLS_TLS1_3_SIG_NONE;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
if( opt.alpn_string != NULL )
|
||||
@ -2587,7 +2583,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* 1.1. Load the trusted CA
|
||||
*/
|
||||
@ -2795,7 +2791,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_printf( " ok (key types: %s, %s)\n",
|
||||
key_cert_init ? mbedtls_pk_get_name( &pkey ) : "none",
|
||||
key_cert_init2 ? mbedtls_pk_get_name( &pkey2 ) : "none" );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
|
||||
if( opt.dhm_file != NULL )
|
||||
@ -2845,7 +2841,7 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/* The default algorithms profile disables SHA-1, but our tests still
|
||||
rely on it heavily. Hence we allow it here. A real-world server
|
||||
should use the default profile unless there is a good reason not to. */
|
||||
@ -2855,7 +2851,7 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
|
||||
mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
if( opt.auth_mode != DFL_AUTH_MODE )
|
||||
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
|
||||
@ -3106,7 +3102,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( strcmp( opt.ca_path, "none" ) != 0 &&
|
||||
strcmp( opt.ca_file, "none" ) != 0 )
|
||||
{
|
||||
@ -3195,7 +3191,7 @@ int main( int argc, char *argv[] )
|
||||
&ssl_async_keys );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(SNI_OPTION)
|
||||
if( opt.sni != NULL )
|
||||
@ -3232,13 +3228,12 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( opt.sig_algs != NULL )
|
||||
mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
|
||||
if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )
|
||||
{
|
||||
@ -3547,7 +3542,7 @@ handshake:
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
@ -3602,7 +3597,7 @@ handshake:
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* 5. Verify the client certificate
|
||||
*/
|
||||
@ -3631,7 +3626,7 @@ handshake:
|
||||
mbedtls_printf( "%s\n", crt_buf );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
if( opt.eap_tls != 0 )
|
||||
{
|
||||
@ -4319,13 +4314,13 @@ exit:
|
||||
sni_free( sni_info );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
ret = psk_free( psk_info );
|
||||
if( ( ret != 0 ) && ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) )
|
||||
mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
mbedtls_x509_crt_free( &cacert );
|
||||
mbedtls_x509_crt_free( &srvcert );
|
||||
mbedtls_pk_free( &pkey );
|
||||
@ -4353,7 +4348,7 @@ exit:
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
|
||||
defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
@ -4370,7 +4365,7 @@ exit:
|
||||
(int) status );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED &&
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
|
||||
MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -3218,11 +3218,90 @@ component_test_tls13_only () {
|
||||
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without MBEDTLS_SSL_PROTO_TLS1_2"
|
||||
if_build_succeeded make test
|
||||
msg "test_suite_ssl: TLS 1.3 only, all key exchange modes enabled"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh (TLS 1.3)"
|
||||
if_build_succeeded tests/ssl-opt.sh
|
||||
msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_psk () {
|
||||
msg "build: TLS 1.3 only from default, only PSK key exchange mode"
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
scripts/config.py unset MBEDTLS_ECDH_C
|
||||
scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
scripts/config.py unset MBEDTLS_ECDSA_C
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_ephemeral () {
|
||||
msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_psk_ephemeral () {
|
||||
msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode"
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
scripts/config.py unset MBEDTLS_ECDSA_C
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_psk_all () {
|
||||
msg "build: TLS 1.3 only from default, without ephemeral key exchange mode"
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
scripts/config.py unset MBEDTLS_ECDSA_C
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_ephemeral_all () {
|
||||
msg "build: TLS 1.3 only from default, without PSK key exchange mode"
|
||||
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
|
||||
|
||||
msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
|
||||
cd tests; ./test_suite_ssl; cd ..
|
||||
|
||||
msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
|
||||
tests/ssl-opt.sh
|
||||
}
|
||||
|
||||
component_test_tls13_only_with_hooks () {
|
||||
|
@ -237,7 +237,9 @@ REVERSE_DEPENDENCIES = {
|
||||
'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
|
||||
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
|
||||
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED',
|
||||
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED'],
|
||||
'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
|
||||
'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
|
||||
'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED',
|
||||
|
@ -357,7 +357,7 @@ class MbedTLSBase(TLSProgram):
|
||||
|
||||
def pre_checks(self):
|
||||
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
|
||||
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3']
|
||||
'requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED']
|
||||
|
||||
if self._compat_mode:
|
||||
ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE']
|
||||
|
567
tests/ssl-opt.sh
567
tests/ssl-opt.sh
File diff suppressed because it is too large
Load Diff
@ -261,7 +261,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2
|
||||
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2
|
||||
|
||||
Handshake, tls1_3
|
||||
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
|
||||
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3
|
||||
|
||||
Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
@ -3131,7 +3131,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1
|
||||
# - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5
|
||||
# - Padding used: No (== granularity 1)
|
||||
depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
|
||||
|
||||
SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
|
||||
# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
|
||||
@ -3142,7 +3142,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
|
||||
# - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7
|
||||
# - Padding used: No (== granularity 1)
|
||||
depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
|
||||
|
||||
SSL TLS 1.3 Record Encryption RFC 8448 Example #1
|
||||
# Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3
|
||||
@ -3161,7 +3161,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1
|
||||
# 3a ee bb 21 69 49 15 e4
|
||||
# - Padding used: No (== granularity 1)
|
||||
depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
|
||||
|
||||
SSL TLS 1.3 Record Encryption RFC 8448 Example #2
|
||||
# Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3
|
||||
@ -3180,7 +3180,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2
|
||||
# 0d d0 32 e1 67 c2 95 5d
|
||||
# - Padding used: No (== granularity 1)
|
||||
depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
|
||||
ssl_tls13_record_protection:MBEDTLS_TLS1_3_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
|
||||
|
||||
SSL TLS 1.3 Key schedule: Application secrets derivation helper
|
||||
# Vector from RFC 8448
|
||||
|
@ -31,7 +31,7 @@ typedef struct log_pattern
|
||||
size_t counter;
|
||||
} log_pattern;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
static int rng_seed = 0xBEEF;
|
||||
static int rng_get( void *p_rng, unsigned char *output, size_t output_len )
|
||||
{
|
||||
@ -103,7 +103,7 @@ typedef struct handshake_test_options
|
||||
|
||||
void init_handshake_options( handshake_test_options *opts )
|
||||
{
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
srand( rng_seed );
|
||||
rng_seed += 0xD0;
|
||||
#endif
|
||||
@ -790,7 +790,7 @@ int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len )
|
||||
return msg_len;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
|
||||
/*
|
||||
* Structure with endpoint's certificates for SSL communication tests.
|
||||
@ -1178,7 +1178,7 @@ int mbedtls_move_handshake_to_state( mbedtls_ssl_context *ssl,
|
||||
return ( max_steps >= 0 ) ? ret : -1;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* Write application data. Increase write counter if necessary.
|
||||
@ -1750,7 +1750,7 @@ static int ssl_tls12_populate_session( mbedtls_ssl_session *session,
|
||||
memset( session->id, 66, session->id_len );
|
||||
memset( session->master, 17, sizeof( session->master ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && defined(MBEDTLS_FS_IO)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && defined(MBEDTLS_FS_IO)
|
||||
if( crt_file != NULL && strlen( crt_file ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crt tmp_crt;
|
||||
@ -1801,9 +1801,9 @@ static int ssl_tls12_populate_session( mbedtls_ssl_session *session,
|
||||
|
||||
mbedtls_x509_crt_free( &tmp_crt );
|
||||
}
|
||||
#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
|
||||
#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
|
||||
(void) crt_file;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
|
||||
session->verify_result = 0xdeadbeef;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
@ -2029,7 +2029,7 @@ int exchange_data( mbedtls_ssl_context *ssl_1,
|
||||
ssl_2, 256, 1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
static int check_ssl_version( mbedtls_ssl_protocol_version expected_negotiated_version,
|
||||
const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
@ -2066,17 +2066,17 @@ static int check_ssl_version( mbedtls_ssl_protocol_version expected_negotiated_v
|
||||
exit:
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
void perform_handshake( handshake_test_options *options )
|
||||
{
|
||||
/* forced_ciphersuite needs to last until the end of the handshake */
|
||||
int forced_ciphersuite[2];
|
||||
enum { BUFFSIZE = 17000 };
|
||||
mbedtls_endpoint client, server;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
const char *psk_identity = "foo";
|
||||
#endif
|
||||
#if defined(MBEDTLS_TIMING_C)
|
||||
@ -2188,7 +2188,7 @@ void perform_handshake( handshake_test_options *options )
|
||||
TEST_ASSERT( MBEDTLS_SSL_MAX_FRAG_LEN_NONE == options->mfl );
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
if( options->psk_str != NULL && options->psk_str->len > 0 )
|
||||
{
|
||||
TEST_ASSERT( mbedtls_ssl_conf_psk( &client.conf, options->psk_str->x,
|
||||
@ -2467,7 +2467,7 @@ exit:
|
||||
#endif
|
||||
USE_PSA_DONE( );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
/*
|
||||
@ -3685,7 +3685,7 @@ void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
|
||||
{
|
||||
mbedtls_ssl_context ssl;
|
||||
@ -4752,7 +4752,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file,
|
||||
TEST_ASSERT( memcmp( original.master,
|
||||
restored.master, sizeof( original.master ) ) == 0 );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
TEST_ASSERT( ( original.peer_cert == NULL ) ==
|
||||
( restored.peer_cert == NULL ) );
|
||||
@ -4778,7 +4778,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file,
|
||||
original.peer_cert_digest_len ) == 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
TEST_ASSERT( original.verify_result == restored.verify_result );
|
||||
|
||||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
@ -5100,7 +5100,7 @@ void ssl_session_serialize_version_check( int corrupt_major,
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void mbedtls_endpoint_sanity( int endpoint_type )
|
||||
{
|
||||
enum { BUFFSIZE = 1024 };
|
||||
@ -5127,7 +5127,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
|
||||
{
|
||||
enum { BUFFSIZE = 1024 };
|
||||
@ -5183,7 +5183,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
void handshake_version( int dtls, int client_min_version, int client_max_version,
|
||||
int server_min_version, int server_max_version,
|
||||
int expected_negotiated_version )
|
||||
@ -5208,7 +5208,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void handshake_psk_cipher( char* cipher, int pk_alg, data_t *psk_str, int dtls )
|
||||
{
|
||||
handshake_test_options options;
|
||||
@ -5229,7 +5229,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void handshake_cipher( char* cipher, int pk_alg, int dtls )
|
||||
{
|
||||
test_handshake_psk_cipher( cipher, pk_alg, NULL, dtls );
|
||||
@ -5239,7 +5239,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls )
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str,
|
||||
int psa_alg, int psa_alg2, int psa_usage,
|
||||
int expected_handshake_result,
|
||||
@ -5266,7 +5266,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void app_data( int mfl, int cli_msg_len, int srv_msg_len,
|
||||
int expected_cli_fragments,
|
||||
int expected_srv_fragments, int dtls )
|
||||
@ -5294,7 +5294,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
|
||||
void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
|
||||
int expected_cli_fragments,
|
||||
int expected_srv_fragments )
|
||||
@ -5306,7 +5306,7 @@ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len,
|
||||
int expected_cli_fragments,
|
||||
int expected_srv_fragments )
|
||||
@ -5318,7 +5318,7 @@ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len,
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void handshake_serialization( )
|
||||
{
|
||||
handshake_test_options options;
|
||||
@ -5334,7 +5334,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation)
|
||||
{
|
||||
handshake_test_options options;
|
||||
@ -5373,7 +5373,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void renegotiation( int legacy_renegotiation )
|
||||
{
|
||||
handshake_test_options options;
|
||||
@ -5392,7 +5392,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation,
|
||||
int serialize, int dtls, char *cipher )
|
||||
{
|
||||
@ -5416,7 +5416,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void resize_buffers_serialize_mfl( int mfl )
|
||||
{
|
||||
test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
|
||||
@ -5427,7 +5427,7 @@ void resize_buffers_serialize_mfl( int mfl )
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation,
|
||||
char *cipher )
|
||||
{
|
||||
@ -5621,7 +5621,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
|
||||
void test_multiple_psks()
|
||||
{
|
||||
unsigned char psk0[10] = { 0 };
|
||||
@ -5651,7 +5651,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
|
||||
void test_multiple_psks_opaque( int mode )
|
||||
{
|
||||
/*
|
||||
@ -5828,7 +5828,7 @@ void conf_group()
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void force_bad_session_id_len( )
|
||||
{
|
||||
enum { BUFFSIZE = 1024 };
|
||||
@ -6015,7 +6015,7 @@ void cid_sanity( )
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECDSA_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECDSA_C */
|
||||
void raw_key_agreement_fail( int bad_server_ecdhe_key )
|
||||
{
|
||||
enum { BUFFSIZE = 17000 };
|
||||
@ -6086,7 +6086,7 @@ exit:
|
||||
USE_PSA_DONE( );
|
||||
}
|
||||
/* END_CASE */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
void tls13_server_certificate_msg_invalid_vector_len( )
|
||||
{
|
||||
int ret = -1;
|
||||
|
@ -235,7 +235,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
||||
char *subject_name, char *issuer_key_file,
|
||||
char *issuer_pwd, char *issuer_name,
|
||||
|
Loading…
x
Reference in New Issue
Block a user