From a7f94e49a821d37f4f33addd5db8d183cb1720f8 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 24 Jan 2024 09:40:46 +0100
Subject: [PATCH] tests: ssl: Add early data status unit test
Signed-off-by: Ronald Cron
---
tests/suites/test_suite_ssl.data | 3 +
tests/suites/test_suite_ssl.function | 143 +++++++++++++++++++++++++++
2 files changed, 146 insertions(+)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 86945cc7b4..82ec57ab39 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3282,3 +3282,6 @@ tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD
TLS 1.3 early data, discard after HRR
tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR
+
+TLS 1.3 cli, early data status
+tls13_cli_early_data_status
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index d6e4c6aeaf..d44848fbd0 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3787,3 +3787,146 @@ exit:
PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_cli_early_data_status()
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Go through the handshake sequence, state by state, checking the early
+ * data status each time.
+ */
+ do {
+ int state = client_ep.ssl.state;
+
+ /* Progress the handshake from at least one state */
+ while (client_ep.ssl.state == state) {
+ ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ if (client_ep.ssl.state != state) {
+ break;
+ }
+ ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ }
+
+ switch (client_ep.ssl.state) {
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN);
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE);
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE);
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED);
+ break;
+
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case
MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED);
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_SENT);
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_OVER:
+ TEST_EQUAL(client_ep.ssl.early_data_status,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED);
+ break;
+
+ default:
+ TEST_FAIL("Unexpected state.");
+ }
+ } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER);
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ TEST_EQUAL(client_ep.ssl.handshake->ccs_count, 1);
+#endif
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
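Review bot: The inner `while (client_ep.ssl.state == state)` loop in tls13_cli_early_data_status has no iteration bound, so a regression in which both endpoints keep returning MBEDTLS_ERR_SSL_WANT_READ without the client's state advancing hangs the test binary instead of failing it; the TEST_ASSERT checks only accept those codes, they do not detect a stall. If I recall correctly the existing mbedtls_test_move_handshake_to_state helper caps its equivalent loop at a fixed step count, and the same two lines would do here: `int max_steps = 1000;` declared next to `ret`, and `TEST_ASSERT(--max_steps >= 0);` as the first statement of the inner loop. The `default:` branch's `TEST_FAIL("Unexpected state.")` also drops the value that triggered it; `TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_HANDSHAKE_OVER)` in its place would fail with the offending state printed in the log. Finally, the single data entry only pins the accepted path; a second case where the resumption server has early data disabled would pin the rejected transition with the same state walk, presumably by turning the expected status into a test parameter.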