mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-01-26 12:35:20 +00:00
Enable SNI test for both tls12 and tls13
Change-Id: Iae5c39668db7caa1a59d7e67f226a5286d91db22 CustomizedGitHooks: yes Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian
parent
129aeb9b0e
commit
23c5be6b94
@ -1687,7 +1687,7 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
|
||||
ret = 0;
|
||||
}
|
||||
else
|
||||
@ -1793,7 +1793,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
else
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
@ -335,6 +335,98 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/*
|
||||
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
|
||||
*/
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
static int ssl_check_key_curve( mbedtls_pk_context *pk,
|
||||
const mbedtls_ecp_curve_info **curves )
|
||||
{
|
||||
const mbedtls_ecp_curve_info **crv = curves;
|
||||
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
|
||||
|
||||
while( *crv != NULL )
|
||||
{
|
||||
if( (*crv)->grp_id == grp_id )
|
||||
return( 0 );
|
||||
crv++;
|
||||
}
|
||||
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
/*
|
||||
* Try picking a certificate for this ciphersuite,
|
||||
* return 0 on success and -1 on failure.
|
||||
*/
|
||||
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
|
||||
{
|
||||
mbedtls_ssl_key_cert *cur, *list;
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
mbedtls_pk_type_t pk_alg =
|
||||
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
uint32_t flags;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if( ssl->handshake->sni_key_cert != NULL )
|
||||
list = ssl->handshake->sni_key_cert;
|
||||
else
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
list = ssl->conf->key_cert;
|
||||
|
||||
if( list == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
for( cur = list; cur != NULL; cur = cur->next )
|
||||
{
|
||||
flags = 0;
|
||||
MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
|
||||
cur->cert );
|
||||
|
||||
/*
|
||||
* This avoids sending the client a cert it'll reject based on
|
||||
* keyUsage or other extensions.
|
||||
*/
|
||||
if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
||||
MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
||||
"(extended) key usage extension" ) );
|
||||
continue;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
if( pk_alg == MBEDTLS_PK_ECDSA &&
|
||||
ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
|
||||
continue;
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
/* Do not update ssl->handshake->key_cert unless there is a match */
|
||||
if( cur != NULL )
|
||||
{
|
||||
ssl->handshake->key_cert = cur;
|
||||
MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
|
||||
ssl->handshake->key_cert->cert );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
/*
|
||||
*
|
||||
* STATE HANDLING: ClientHello
|
||||
@ -699,7 +791,16 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
ssl->handshake->sni_name = NULL;
|
||||
ssl->handshake->sni_name_len = 0;
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
if( (ssl_pick_cert( ssl, ssl->handshake->ciphersuite_info ) != 0) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
|
||||
"no suitable certificate" ) );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
/* Update checksum with either
|
||||
* - The entire content of the CH message, if no PSK extension is present
|
||||
|
||||
@ -5363,7 +5363,6 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
|
||||
# tests for SNI
|
||||
|
||||
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: no SNI callback" \
|
||||
"$P_SRV debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
|
||||
@ -5373,7 +5372,6 @@ run_test "SNI: no SNI callback" \
|
||||
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
|
||||
|
||||
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: matching cert 1" \
|
||||
"$P_SRV debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5385,7 +5383,6 @@ run_test "SNI: matching cert 1" \
|
||||
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
|
||||
|
||||
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: matching cert 2" \
|
||||
"$P_SRV debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5397,7 +5394,6 @@ run_test "SNI: matching cert 2" \
|
||||
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
|
||||
|
||||
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: no matching cert" \
|
||||
"$P_SRV debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5410,7 +5406,6 @@ run_test "SNI: no matching cert" \
|
||||
-c "mbedtls_ssl_handshake returned" \
|
||||
-c "SSL - A fatal alert message was received from our peer"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: client auth no override: optional" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5424,7 +5419,6 @@ run_test "SNI: client auth no override: optional" \
|
||||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: client auth override: none -> optional" \
|
||||
"$P_SRV debug_level=3 auth_mode=none \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5438,7 +5432,6 @@ run_test "SNI: client auth override: none -> optional" \
|
||||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: client auth override: optional -> none" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5448,11 +5441,8 @@ run_test "SNI: client auth override: optional -> none" \
|
||||
-s "skip write certificate request" \
|
||||
-C "skip parse certificate request" \
|
||||
-c "got no certificate request" \
|
||||
-c "skip write certificate" \
|
||||
-c "skip write certificate verify" \
|
||||
-s "skip parse certificate verify"
|
||||
-c "skip write certificate"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: CA no override" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5471,7 +5461,6 @@ run_test "SNI: CA no override" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-S "The certificate has been revoked (is on a CRL)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: CA override" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -5490,7 +5479,6 @@ run_test "SNI: CA override" \
|
||||
-S "! The certificate is not correctly signed by the trusted CA" \
|
||||
-S "The certificate has been revoked (is on a CRL)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "SNI: CA override with CRL" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
@ -11406,7 +11394,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
run_test "TLS 1.3: Server side check - openssl with sni" \
|
||||
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
|
||||
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||
sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||
"$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
|
||||
0 \
|
||||
-s "parse ServerName extension" \
|
||||
@ -11420,7 +11408,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
run_test "TLS 1.3: Server side check - gnutls with sni" \
|
||||
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
|
||||
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||
sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
|
||||
"$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
|
||||
0 \
|
||||
-s "parse ServerName extension" \
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user