From 25ab65478123884ab9222fe3a3949929bbbfb7a2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 15 Sep 2022 18:32:34 +0800 Subject: [PATCH] Add dummy ticket support Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 5 +- programs/ssl/ssl_server2.c | 119 +++++++++++-- tests/opt-testcases/tls13-kex-modes.sh | 227 +++++++++++++++++++++++++ tests/ssl-opt.sh | 1 - 4 files changed, 339 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6591ecba00..6e754a3f81 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -186,8 +186,9 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( if( now < session->start ) { MBEDTLS_SSL_DEBUG_MSG( - 3, ( "Ticket expired: now=%" MBEDTLS_PRINTF_LONGLONG - ", start=%" MBEDTLS_PRINTF_LONGLONG, + 3, ( "Ticket expired: start is in future " + "( now=%" MBEDTLS_PRINTF_LONGLONG + ", start=%" MBEDTLS_PRINTF_LONGLONG " )", (long long)now, (long long)session->start ) ); goto exit; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 7526bc6cf5..25565d13b7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -120,6 +120,7 @@ int main( void ) #define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED +#define DFL_DUMMY_TICKET 0 #define DFL_TICKET_ROTATE 0 #define DFL_TICKET_TIMEOUT 86400 #define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM @@ -638,6 +639,7 @@ struct options unsigned char mfl_code; /* code for maximum fragment length */ int trunc_hmac; /* accept truncated hmac? */ int tickets; /* enable / disable session tickets */ + int dummy_ticket; /* enable / disable dummy ticket generator */ int ticket_rotate; /* session ticket rotate (code coverage) */ int ticket_timeout; /* session ticket lifetime */ int ticket_aead; /* session ticket protection */ @@ -1351,6 +1353,79 @@ int report_cid_usage( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_HAVE_TIME) +/* Functions for session ticket tests + * + */ +int dummy_ticket_write( void *p_ticket, const mbedtls_ssl_session *session, + unsigned char *start, const unsigned char *end, + size_t *tlen, uint32_t *ticket_lifetime ) +{ + int ret; + unsigned char *p = start; + size_t clear_len; + ((void) p_ticket); + + if( end - p < 4 ) + { + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + *((uint32_t *)p) = 7 * 24 * 3600; + *ticket_lifetime = 7 * 24 * 3600; + p += 4; + + /* Dump session state */ + if( ( ret = mbedtls_ssl_session_save( session, p, end - p, + &clear_len ) ) != 0 ) + { + return( ret ); + } + + *tlen = 4 + clear_len; + + return( 0 ); +} + +int dummy_ticket_parse( void *p_ticket, mbedtls_ssl_session *session, + unsigned char *buf, size_t len ) +{ + int ret; + ((void) p_ticket); + + if( ( ret = mbedtls_ssl_session_load( session, buf + 4, len - 4 ) ) != 0 ) + return( ret ); + + switch( opt.dummy_ticket % 7 ) + { + case 1: + return( MBEDTLS_ERR_SSL_INVALID_MAC ); + case 2: + return( MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ); + case 3: + session->start = mbedtls_time( NULL ) + 10; + break; + case 4: + session->start = mbedtls_time( NULL ) - 10 - 7 * 24 * 3600; + break; + case 5: + session->start = mbedtls_time( NULL ) - 10; + break; + case 6: + session->start = mbedtls_time( NULL ); + session->ticket_age_add -= 1000; + break; + default: + break; + } + + return( ret ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_HAVE_TIME */ + int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; @@ -1607,6 +1682,7 @@ int main( int argc, char *argv[] ) opt.mfl_code = DFL_MFL_CODE; opt.trunc_hmac = DFL_TRUNC_HMAC; opt.tickets = DFL_TICKETS; + opt.dummy_ticket = DFL_DUMMY_TICKET; opt.ticket_rotate = DFL_TICKET_ROTATE; opt.ticket_timeout = DFL_TICKET_TIMEOUT; opt.ticket_aead = DFL_TICKET_AEAD; @@ -2002,6 +2078,12 @@ int main( int argc, char *argv[] ) if( opt.tickets < 0 ) goto usage; } + else if( strcmp( p, "dummy_ticket" ) == 0 ) + { + opt.dummy_ticket = atoi( q ); + if( opt.dummy_ticket < 0 ) + goto usage; + } else if( strcmp( p, "ticket_rotate" ) == 0 ) { opt.ticket_rotate = atoi( q ); @@ -2919,19 +3001,36 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_SESSION_TICKETS) if( opt.tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) { - if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, - rng_get, &rng, - opt.ticket_aead, - opt.ticket_timeout ) ) != 0 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_HAVE_TIME) + if( opt.dummy_ticket ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret ); - goto exit; + mbedtls_ssl_conf_session_tickets_cb( &conf, + dummy_ticket_write, + dummy_ticket_parse, + NULL ); + } + else +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_HAVE_TIME */ + { + if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, + rng_get, &rng, + opt.ticket_aead, + opt.ticket_timeout ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret ); + goto exit; + } + + mbedtls_ssl_conf_session_tickets_cb( &conf, + mbedtls_ssl_ticket_write, + mbedtls_ssl_ticket_parse, + &ticket_ctx ); } - mbedtls_ssl_conf_session_tickets_cb( &conf, - mbedtls_ssl_ticket_write, - mbedtls_ssl_ticket_parse, - &ticket_ctx ); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_conf_new_session_tickets( &conf, opt.tickets ); #endif diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 3487026206..a6bbd082ba 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -66,6 +66,233 @@ run_test "TLS 1.3: PSK: No valid ciphersuite. O->m" \ -s "Found PSK KEX MODE" \ -s "No matched ciphersuite" +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, auth fail, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -s "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, auth fail, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -s "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, expired, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=2" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "ticket is not authentic" \ + -s "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, expired, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "ticket is not authentic" \ + -s "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, future start, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=3" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -s "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, future start, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -s "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, out of max age, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=4" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -s "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, out of max age, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -s "Ticket expired: Ticket age exceed limitation" \ + -S "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, negative tolerance exceed, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=5" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -s "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, negative tolerance exceed, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -s "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: psk_ephemeral, tolerance exceed, m->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=6" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -s "Ticket expired: Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3: NewSessionTicket: ephemeral, tolerance exceed, m->m" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Ticket expired: start is in future" \ + -S "Ticket expired: Ticket age exceed limitation" \ + -s "Ticket expired: Ticket age outside tolerance window" requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 67e9cfb9f9..48dd89e357 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12842,7 +12842,6 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" - requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_DEBUG_C