mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-11 00:40:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'development' of https://github.com/Mbed-TLS/mbedtls into random_bye_on_hrr

Browse Source
This commit is contained in:
BensonLiou 2024-01-12 17:53:06 +08:00
commit 57cf55233e
9 changed files with 147 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/fix-tls13-server-min-version-check.txt Normal file
View File

@ -0,0 +1,3 @@
Bugfix
* Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
is disabled at runtime. Fixes #8593.

13
include/mbedtls/ssl.h
View File

@ -3756,6 +3756,8 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
* used for certificate signature are controlled by the * used for certificate signature are controlled by the
* verification profile, see \c mbedtls_ssl_conf_cert_profile(). * verification profile, see \c mbedtls_ssl_conf_cert_profile().
* *
* \deprecated Superseded by mbedtls_ssl_conf_sig_algs().
*
* \note This list should be ordered by decreasing preference * \note This list should be ordered by decreasing preference
* (preferred hash first). * (preferred hash first).
* *
@ -3780,13 +3782,16 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
/** /**
* \brief Configure allowed signature algorithms for use in TLS 1.3 * \brief Configure allowed signature algorithms for use in TLS
* *
* \param conf The SSL configuration to use. * \param conf The SSL configuration to use.
* \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, * \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
* terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain * terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain
* available throughout the lifetime of the conf object. Supported * available throughout the lifetime of the conf object.
* values are available as \c MBEDTLS_TLS1_3_SIG_XXXX * - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be
* used.
* - For TLS 1.2, values should be given as
* "(HashAlgorithm << 8) | SignatureAlgorithm".
*/ */
void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
const uint16_t *sig_algs); const uint16_t *sig_algs);

6
library/ssl_client.c
View File

@ -609,7 +609,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
int ssl_write_supported_groups_ext_flags = 0; int ssl_write_supported_groups_ext_flags = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ssl_write_supported_groups_ext_flags |= ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG; SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
} }
@ -637,7 +637,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
int write_sig_alg_ext = 0; int write_sig_alg_ext = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
write_sig_alg_ext = write_sig_alg_ext || write_sig_alg_ext = write_sig_alg_ext ||
(propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl)); (propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
write_sig_alg_ext = write_sig_alg_ext || propose_tls12; write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
@ -668,7 +668,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11) /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
* MUST be the last extension in the ClientHello. * MUST be the last extension in the ClientHello.
*/ */
if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) { if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
ssl, p, end, &output_len, binders_len); ssl, p, end, &output_len, binders_len);
if (ret != 0) { if (ret != 0) {

110
library/ssl_misc.h
View File

@ -1914,89 +1914,89 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
/* /*
* Helper functions around key exchange modes. * Helper functions around key exchange modes.
*/ */
static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl, static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
int kex_mode_mask) int kex_mode_mask)
{ {
return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
} }
static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
{ {
return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
} }
static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
{ {
return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
} }
static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
{ {
return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
} }
static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
{ {
return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
} }
static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
{ {
return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
} }
#if defined(MBEDTLS_SSL_SRV_C) && \ #if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/** /**
* Given a list of key exchange modes, check if at least one of them is * Given a list of key exchange modes, check if at least one of them is
* supported. * supported by peer.
* *
* \param[in] ssl SSL context * \param[in] ssl SSL context
* \param kex_modes_mask Mask of the key exchange modes to check * \param kex_modes_mask Mask of the key exchange modes to check
* *
* \return 0 if at least one of the key exchange modes is supported, * \return Non-zero if at least one of the key exchange modes is supported by
* !=0 otherwise. * the peer, otherwise \c 0.
*/ */
static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl, static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
int kex_modes_mask) int kex_modes_mask)
{ {
return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0; return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
} }
static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
{ {
return !mbedtls_ssl_tls13_check_kex_modes(ssl, return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
} }
static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled( static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
mbedtls_ssl_context *ssl) mbedtls_ssl_context *ssl)
{ {
return !mbedtls_ssl_tls13_check_kex_modes(ssl, return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
} }
static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
{ {
return !mbedtls_ssl_tls13_check_kex_modes(ssl, return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
} }
static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
{ {
return !mbedtls_ssl_tls13_check_kex_modes(ssl, return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
} }
static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
{ {
return !mbedtls_ssl_tls13_check_kex_modes(ssl, return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
} }
#endif /* MBEDTLS_SSL_SRV_C && #endif /* MBEDTLS_SSL_SRV_C &&
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
@ -2782,47 +2782,53 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800) #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
static inline unsigned int mbedtls_ssl_session_get_ticket_flags( static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags) mbedtls_ssl_session *session, unsigned int flags)
{ {
return session->ticket_flags & return session->ticket_flags &
(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
} }
static inline unsigned int mbedtls_ssl_session_check_ticket_flags( /**
* Check if at least one of the given flags is set in
* the session ticket. See the definition of
* `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
* permitted flags.
*/
static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
mbedtls_ssl_session *session, unsigned int flags) mbedtls_ssl_session *session, unsigned int flags)
{ {
return mbedtls_ssl_session_get_ticket_flags(session, flags) == 0; return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
} }
static inline unsigned int mbedtls_ssl_session_ticket_allow_psk( static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
mbedtls_ssl_session *session) mbedtls_ssl_session *session)
{ {
return !mbedtls_ssl_session_check_ticket_flags(session, return mbedtls_ssl_tls13_session_ticket_has_flags(
MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION); session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
} }
static inline unsigned int mbedtls_ssl_session_ticket_allow_psk_ephemeral( static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
mbedtls_ssl_session *session) mbedtls_ssl_session *session)
{ {
return !mbedtls_ssl_session_check_ticket_flags(session, return mbedtls_ssl_tls13_session_ticket_has_flags(
MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION); session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
} }
static inline unsigned int mbedtls_ssl_session_ticket_allow_early_data( static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
mbedtls_ssl_session *session) mbedtls_ssl_session *session)
{ {
return !mbedtls_ssl_session_check_ticket_flags(session, return mbedtls_ssl_tls13_session_ticket_has_flags(
MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
} }
static inline void mbedtls_ssl_session_set_ticket_flags( static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags) mbedtls_ssl_session *session, unsigned int flags)
{ {
session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
} }
static inline void mbedtls_ssl_session_clear_ticket_flags( static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags) mbedtls_ssl_session *session, unsigned int flags)
{ {
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

2
library/ssl_tls.c
View File

@ -1342,7 +1342,7 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
* bad config. * bad config.
* *
*/ */
if (mbedtls_ssl_conf_tls13_ephemeral_enabled( if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
(mbedtls_ssl_context *) ssl) && (mbedtls_ssl_context *) ssl) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

30
library/ssl_tls13_client.c
View File

@ -621,7 +621,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
/* Skip writing extension if no PSK key exchange mode /* Skip writing extension if no PSK key exchange mode
* is enabled in the config. * is enabled in the config.
*/ */
if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) { if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
return 0; return 0;
} }
@ -640,14 +640,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
*/ */
p += 5; p += 5;
if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) { if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
ke_modes_len++; ke_modes_len++;
MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode")); MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
} }
if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) { if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
ke_modes_len++; ke_modes_len++;
@ -684,8 +684,8 @@ static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
mbedtls_ssl_session *session = ssl->session_negotiate; mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume && return ssl->handshake->resume &&
session != NULL && session->ticket != NULL && session != NULL && session->ticket != NULL &&
mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
ssl, mbedtls_ssl_session_get_ticket_flags( ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL)); session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
} }
@ -695,7 +695,7 @@ static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
mbedtls_ssl_session *session = ssl->session_negotiate; mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume && return ssl->handshake->resume &&
session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
mbedtls_ssl_session_ticket_allow_early_data(session) && mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite); mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
} }
#endif #endif
@ -1161,7 +1161,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
p += ext_len; p += ext_len;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len); ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
@ -1171,7 +1171,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
#endif #endif
#if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_EARLY_DATA)
if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) && if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
ssl_tls13_early_data_has_valid_ticket(ssl) && ssl_tls13_early_data_has_valid_ticket(ssl) &&
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
@ -1457,7 +1457,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf))); buf, (size_t) (end - buf)));
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl); ret = ssl_tls13_reset_key_share(ssl);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
@ -1499,7 +1499,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
* in the ClientHello. * in the ClientHello.
* In a PSK only key exchange that what we expect. * In a PSK only key exchange that what we expect.
*/ */
if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, MBEDTLS_SSL_DEBUG_MSG(1,
("Unexpected HRR in pure PSK key exchange.")); ("Unexpected HRR in pure PSK key exchange."));
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
@ -1776,7 +1776,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_KEY_SHARE: case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension")); MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup; goto cleanup;
} }
@ -1879,7 +1879,7 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
goto cleanup; goto cleanup;
} }
if (!mbedtls_ssl_conf_tls13_check_kex_modes( if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
ssl, handshake->key_exchange_mode)) { ssl, handshake->key_exchange_mode)) {
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
@ -2695,7 +2695,7 @@ static int ssl_tls13_parse_new_session_ticket_early_data_ext(
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4); MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0); session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
mbedtls_ssl_session_set_ticket_flags( mbedtls_ssl_tls13_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
3, ("received max_early_data_size: %u", 3, ("received max_early_data_size: %u",
@ -2846,7 +2846,7 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
session->ticket_len = ticket_len; session->ticket_len = ticket_len;
/* Clear all flags in ticket_flags */ /* Clear all flags in ticket_flags */
mbedtls_ssl_session_clear_ticket_flags( mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
@ -2933,7 +2933,7 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
session->resumption_key_len); session->resumption_key_len);
/* Set ticket_flags depends on the selected key exchange modes */ /* Set ticket_flags depends on the selected key exchange modes */
mbedtls_ssl_session_set_ticket_flags( mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->conf->tls13_kex_modes); session, ssl->conf->tls13_kex_modes);
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

72
library/ssl_tls13_server.c
View File

@ -95,9 +95,9 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl); static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl); static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_identity_match_ticket( static int ssl_tls13_offered_psks_check_identity_match_ticket(
@ -175,12 +175,12 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
key_exchanges = 0; key_exchanges = 0;
if (mbedtls_ssl_session_ticket_allow_psk_ephemeral(session) && if (mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(session) &&
ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) { ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
} }
if (mbedtls_ssl_session_ticket_allow_psk(session) && if (mbedtls_ssl_tls13_session_ticket_allow_psk(session) &&
ssl_tls13_check_psk_key_exchange(ssl)) { ssl_tls13_key_exchange_is_psk_available(ssl)) {
key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
} }
@ -1003,12 +1003,12 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_ticket_permission_check(mbedtls_ssl_context *ssl, static int ssl_tls13_ticket_is_kex_mode_permitted(mbedtls_ssl_context *ssl,
unsigned int kex_mode) unsigned int kex_mode)
{ {
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->handshake->resume) { if (ssl->handshake->resume) {
if (mbedtls_ssl_session_check_ticket_flags( if (!mbedtls_ssl_tls13_session_ticket_has_flags(
ssl->session_negotiate, kex_mode)) { ssl->session_negotiate, kex_mode)) {
return 0; return 0;
} }
@ -1022,10 +1022,10 @@ static int ssl_tls13_ticket_permission_check(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl) static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl)
{ {
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) && return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl); ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
#else #else
((void) ssl); ((void) ssl);
@ -1034,13 +1034,13 @@ static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl) static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl)
{ {
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
return ssl_tls13_ticket_permission_check( return ssl_tls13_ticket_is_kex_mode_permitted(
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) && ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
mbedtls_ssl_conf_tls13_psk_enabled(ssl) && mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
mbedtls_ssl_tls13_psk_enabled(ssl) && mbedtls_ssl_tls13_is_psk_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl); ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
#else #else
((void) ssl); ((void) ssl);
@ -1049,13 +1049,13 @@ static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl) static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl)
{ {
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
return ssl_tls13_ticket_permission_check( return ssl_tls13_ticket_is_kex_mode_permitted(
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) && ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) && mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) && mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl); ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
#else #else
((void) ssl); ((void) ssl);
@ -1083,17 +1083,17 @@ static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
ssl->handshake->key_exchange_mode = ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) { if (ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
ssl->handshake->key_exchange_mode = ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
} else } else
if (ssl_tls13_check_ephemeral_key_exchange(ssl)) { if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) {
ssl->handshake->key_exchange_mode = ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
} else } else
if (ssl_tls13_check_psk_key_exchange(ssl)) { if (ssl_tls13_key_exchange_is_psk_available(ssl)) {
ssl->handshake->key_exchange_mode = ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk")); MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
@ -1734,8 +1734,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* - The content up to but excluding the PSK extension, if present. * - The content up to but excluding the PSK extension, if present.
*/ */
/* If we've settled on a PSK-based exchange, parse PSK identity ext */ /* If we've settled on a PSK-based exchange, parse PSK identity ext */
if (ssl_tls13_check_psk_key_exchange(ssl) || if (ssl_tls13_key_exchange_is_psk_available(ssl) ||
ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) { ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
ret = handshake->update_checksum(ssl, buf, ret = handshake->update_checksum(ssl, buf,
pre_shared_key_ext - buf); pre_shared_key_ext - buf);
if (0 != ret) { if (0 != ret) {
@ -1842,7 +1842,7 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl)
} }
if (!mbedtls_ssl_session_ticket_allow_early_data(ssl->session_negotiate)) { if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) {
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
1, 1,
("EarlyData: rejected, early_data not allowed in ticket " ("EarlyData: rejected, early_data not allowed in ticket "
@ -1925,13 +1925,23 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
* by MBEDTLS_SSL_PROC_CHK_NEG. */ * by MBEDTLS_SSL_PROC_CHK_NEG. */
/* /*
* Version 1.2 of the protocol has been chosen, set the * Version 1.2 of the protocol has to be used for the handshake.
* If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
* ssl->keep_current_message flag for the ClientHello to be kept and parsed * ssl->keep_current_message flag for the ClientHello to be kept and parsed
* as a TLS 1.2 ClientHello. We also change ssl->tls_version to * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step() * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
* will dispatch to the TLS 1.2 state machine. * will dispatch to the TLS 1.2 state machine.
*/ */
if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) { if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
/* Check if server supports TLS 1.2 */
if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("TLS 1.2 not supported."));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
}
ssl->keep_current_message = 1; ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
return 0; return 0;
@ -3069,7 +3079,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
* expected to be resolved with issue#6395. * expected to be resolved with issue#6395.
*/ */
/* Sent NewSessionTicket message only when client supports PSK */ /* Sent NewSessionTicket message only when client supports PSK */
if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) {
mbedtls_ssl_handshake_set_state( mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} else } else
@ -3128,17 +3138,17 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
#endif #endif
/* Set ticket_flags depends on the advertised psk key exchange mode */ /* Set ticket_flags depends on the advertised psk key exchange mode */
mbedtls_ssl_session_clear_ticket_flags( mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
mbedtls_ssl_session_set_ticket_flags( mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->handshake->tls13_kex_modes); session, ssl->handshake->tls13_kex_modes);
#endif #endif
#if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_EARLY_DATA)
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED && if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
ssl->conf->max_early_data_size > 0) { ssl->conf->max_early_data_size > 0) {
mbedtls_ssl_session_set_ticket_flags( mbedtls_ssl_tls13_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
} }
#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_EARLY_DATA */
@ -3318,7 +3328,7 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
p += 2; p += 2;
#if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_EARLY_DATA)
if (mbedtls_ssl_session_ticket_allow_early_data(session)) { if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) {
size_t output_len; size_t output_len;
if ((ret = mbedtls_ssl_tls13_write_early_data_ext( if ((ret = mbedtls_ssl_tls13_write_early_data_ext(

3
tests/scripts/all.sh
View File

@ -74,6 +74,7 @@
# * component_check_XXX: quick tests that aren't worth parallelizing. # * component_check_XXX: quick tests that aren't worth parallelizing.
# * component_build_XXX: build things but don't run them. # * component_build_XXX: build things but don't run them.
# * component_test_XXX: build and test. # * component_test_XXX: build and test.
# * component_release_XXX: tests that the CI should skip during PR testing.
# * support_XXX: if support_XXX exists and returns false then # * support_XXX: if support_XXX exists and returns false then
# component_XXX is not run by default. # component_XXX is not run by default.
# * post_XXX: things to do after running the tests. # * post_XXX: things to do after running the tests.
@ -750,7 +751,7 @@ pre_check_tools () {
# Require OpenSSL and GnuTLS if running any tests (as opposed to # Require OpenSSL and GnuTLS if running any tests (as opposed to
# only doing builds). Not all tests run OpenSSL and GnuTLS, but this # only doing builds). Not all tests run OpenSSL and GnuTLS, but this
# is a good enough approximation in practice. # is a good enough approximation in practice.
*" test_"*) *" test_"* | *" release_test_"*)
# To avoid setting OpenSSL and GnuTLS for each call to compat.sh # To avoid setting OpenSSL and GnuTLS for each call to compat.sh
# and ssl-opt.sh, we just export the variables they require. # and ssl-opt.sh, we just export the variables they require.
export OPENSSL="$OPENSSL" export OPENSSL="$OPENSSL"

15
tests/ssl-opt.sh
View File

@ -11756,6 +11756,21 @@ run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \
-S "Version: TLS1.2" \ -S "Version: TLS1.2" \
-C "Protocol : TLSv1.2" -C "Protocol : TLSv1.2"
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \
"$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \
"$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \
1 \
-c "The SSL configuration is tls12 only" \
-c "supported_versions(43) extension does not exist." \
-c "A fatal alert message was received from our peer" \
-s "The SSL configuration is tls13 only" \
-s "TLS 1.2 not supported."
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_CLI_C