From c10f6b4735716f0f1c2fc16371cf39e5581d9d2d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 23 Dec 2021 17:16:42 +0800 Subject: [PATCH] tls13_only: simple test pass Signed-off-by: Jerry Yu --- library/ssl_tls.c | 59 ++++++++++++++++++++++++++--------------------- tests/ssl-opt.sh | 10 ++++++-- 2 files changed, 41 insertions(+), 28 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 24afbe4a43..2d24cadfcb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -333,7 +333,7 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing, } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_USE_PSA_CRYPTO) static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, @@ -574,11 +574,11 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, label, random, rlen, dstbuf, dlen ) ); } #endif /* MBEDTLS_SHA384_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * ); @@ -590,7 +590,7 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned ch static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * ); static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1129,7 +1129,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, (void) minor_ver; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && hash == MBEDTLS_MD_SHA384 ) @@ -1149,7 +1149,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, } else #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } @@ -1366,7 +1366,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( 0 ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, unsigned char *hash, @@ -1464,7 +1464,7 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, return; } #endif /* MBEDTLS_SHA384_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) @@ -2441,7 +2441,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, { ((void) ciphersuite_info); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha384; @@ -2452,7 +2452,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, ssl->handshake->update_checksum = ssl_update_checksum_sha256; else #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return; @@ -2462,7 +2462,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) { ((void) ssl); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_abort( &ssl->handshake->fin_sha256_psa ); @@ -2479,7 +2479,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); #endif #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, @@ -2488,7 +2488,7 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, ((void) ssl); ((void) buf); ((void) len); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); @@ -2503,10 +2503,10 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); #endif #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -2530,9 +2530,9 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, #endif } #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *ssl, unsigned char *buf, int from ) @@ -2684,7 +2684,7 @@ static void ssl_calc_finished_tls_sha384( MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } #endif /* MBEDTLS_SHA384_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) { @@ -2974,7 +2974,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) { memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha256_psa = psa_hash_operation_init(); @@ -2993,7 +2993,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); #endif #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ handshake->update_checksum = ssl_update_checksum_start; @@ -7582,8 +7582,11 @@ static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); mbedtls_sha256_init( &sha256 ); + // MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256)); mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); - + // MBEDTLS_SSL_DEBUG_MSG(2,("ssl_get_handshake_transcript_sha256")); + // MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256)); + // MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:ssl->handshake->fin_sha256", &ssl->handshake->fin_sha256, sizeof(ssl->handshake->fin_sha256)); if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret ); @@ -7605,18 +7608,21 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen ) { + int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; switch( md ) { #if defined(MBEDTLS_SHA384_C) case MBEDTLS_MD_SHA384: - return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); -#endif /* MBEDTLS_SHA384_C && MBEDTLS_SSL_PROTO_TLS1_2 */ + ret = ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ; + break; +#endif /* MBEDTLS_SHA384_C */ #if defined(MBEDTLS_SHA256_C) case MBEDTLS_MD_SHA256: - return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); -#endif /* MBEDTLS_SHA256_C && MBEDTLS_SSL_PROTO_TLS1_2*/ + ret = ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ; + break; +#endif /* MBEDTLS_SHA256_C */ default: break; @@ -7626,7 +7632,8 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, ((void) dst); ((void) dst_len); ((void) olen); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + return( ret ); } #endif /* !MBEDTLS_USE_PSA_CRYPTO */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ddf831f1df..ce99388fb4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1703,31 +1703,37 @@ run_test "SHA-256 allowed by default in client certificate" \ # Dummy TLS 1.3 test # Currently only checking that passing TLS 1.3 key exchange modes to # ssl_client2/ssl_server2 example programs works. +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \ - "$P_SRV tls13_kex_modes=psk" \ - "$P_CLI tls13_kex_modes=psk" \ + "$P_SRV tls13_kex_modes=psk debug_level=4" \ + "$P_CLI tls13_kex_modes=psk debug_level=4" \ 0 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \ "$P_SRV tls13_kex_modes=psk_ephemeral" \ "$P_CLI tls13_kex_modes=psk_ephemeral" \ 0 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \ "$P_SRV tls13_kex_modes=ephemeral" \ "$P_CLI tls13_kex_modes=ephemeral" \ 0 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \ "$P_SRV tls13_kex_modes=ephemeral_all" \ "$P_CLI tls13_kex_modes=ephemeral_all" \ 0 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: All PSK" \ "$P_SRV tls13_kex_modes=psk_all" \ "$P_CLI tls13_kex_modes=psk_all" \ 0 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3, key exchange mode parameter passing: All" \ "$P_SRV tls13_kex_modes=all" \