mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-04 06:40:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Change state machine after encrypted extension and update cases

Browse Source 
Change-Id: Ie84a2d52a08538afb8f6096af0c054bd55ed66cb
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-05-07 01:25:58 +00:00
parent ec6efb98bc
commit a987e1d2f8
2 changed files with 29 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
library/ssl_tls13_server.c
View File

@ -733,30 +733,6 @@ cleanup:
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
#define SSL_CERTIFICATE_REQUEST_SKIP 1
/* Coordination:
* Check whether a CertificateRequest message should be written.
* Returns a negative code on failure, or
* - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
* - SSL_CERTIFICATE_REQUEST_SKIP
* indicating if the writing of the CertificateRequest
* should be skipped or not.
*/
static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
{
int authmode;
authmode = ssl->conf->authmode;
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
return( SSL_CERTIFICATE_REQUEST_SKIP );
return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/*
* Handler for MBEDTLS_SSL_SERVER_HELLO
*/
@ -1170,14 +1146,7 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
else
{
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
else
{
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
ret = 0;
}
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
}
#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
@ -1190,6 +1159,28 @@ cleanup:
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
#define SSL_CERTIFICATE_REQUEST_SKIP 1
/* Coordination:
* Check whether a CertificateRequest message should be written.
* Returns a negative code on failure, or
* - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
* - SSL_CERTIFICATE_REQUEST_SKIP
* indicating if the writing of the CertificateRequest
* should be skipped or not.
*/
static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
{
int authmode;
authmode = ssl->conf->authmode;
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
return( SSL_CERTIFICATE_REQUEST_SKIP );
return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
}
/*
* struct {
* opaque certificate_request_context<0..2^8-1>;

9
tests/ssl-opt.sh
View File

@ -11316,7 +11316,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_openssl_tls1_3
run_test "TLS 1.3: Server side check - openssl with cient authentication" \
run_test "TLS 1.3: Server side check - openssl with client authentication" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
1 \
@ -11325,6 +11325,7 @@ run_test "TLS 1.3: Server side check - openssl with cient authentication" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
@ -11351,7 +11352,7 @@ requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "TLS 1.3: Server side check - gnutls with cient authentication" \
run_test "TLS 1.3: Server side check - gnutls with client authentication" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
1 \
@ -11360,6 +11361,7 @@ run_test "TLS 1.3: Server side check - gnutls with cient authentication" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
@ -11376,6 +11378,7 @@ run_test "TLS 1.3: Server side check - mbedtls" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
@ -11385,7 +11388,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - mbedtls with cient authentication" \
run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \
1 \