mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-15 23:42:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls13_only: simple test pass

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2021-12-23 17:16:42 +08:00
parent c3091b1c8c
commit c10f6b4735
2 changed files with 41 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
library/ssl_tls.c
View File

@ -333,7 +333,7 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
} }
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
@ -574,11 +574,11 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen,
label, random, rlen, dstbuf, dlen ) ); label, random, rlen, dstbuf, dlen ) );
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * ); static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
@ -590,7 +590,7 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned ch
static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * ); static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO) defined(MBEDTLS_USE_PSA_CRYPTO)
@ -1129,7 +1129,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
(void) minor_ver; (void) minor_ver;
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
hash == MBEDTLS_MD_SHA384 ) hash == MBEDTLS_MD_SHA384 )
@ -1149,7 +1149,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
} }
else else
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
} }
@ -1366,7 +1366,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
return( 0 ); return( 0 );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
unsigned char *hash, unsigned char *hash,
@ -1464,7 +1464,7 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
return; return;
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
@ -2441,7 +2441,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
{ {
((void) ciphersuite_info); ((void) ciphersuite_info);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
ssl->handshake->update_checksum = ssl_update_checksum_sha384; ssl->handshake->update_checksum = ssl_update_checksum_sha384;
@ -2452,7 +2452,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
ssl->handshake->update_checksum = ssl_update_checksum_sha256; ssl->handshake->update_checksum = ssl_update_checksum_sha256;
else else
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return; return;
@ -2462,7 +2462,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
{ {
((void) ssl); ((void) ssl);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &ssl->handshake->fin_sha256_psa ); psa_hash_abort( &ssl->handshake->fin_sha256_psa );
@ -2479,7 +2479,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
#endif #endif
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
} }
static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
@ -2488,7 +2488,7 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
((void) ssl); ((void) ssl);
((void) buf); ((void) buf);
((void) len); ((void) len);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
@ -2503,10 +2503,10 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
#endif #endif
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len ) const unsigned char *buf, size_t len )
@ -2530,9 +2530,9 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
#endif #endif
} }
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_calc_finished_tls_sha256( static void ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from ) mbedtls_ssl_context *ssl, unsigned char *buf, int from )
@ -2684,7 +2684,7 @@ static void ssl_calc_finished_tls_sha384(
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
{ {
@ -2974,7 +2974,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
{ {
memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) // #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha256_psa = psa_hash_operation_init(); handshake->fin_sha256_psa = psa_hash_operation_init();
@ -2993,7 +2993,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
#endif #endif
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ // #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
handshake->update_checksum = ssl_update_checksum_start; handshake->update_checksum = ssl_update_checksum_start;
@ -7582,8 +7582,11 @@ static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
mbedtls_sha256_init( &sha256 ); mbedtls_sha256_init( &sha256 );
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256));
mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
// MBEDTLS_SSL_DEBUG_MSG(2,("ssl_get_handshake_transcript_sha256"));
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256));
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:ssl->handshake->fin_sha256", &ssl->handshake->fin_sha256, sizeof(ssl->handshake->fin_sha256));
if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 ) if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret );
@ -7605,18 +7608,21 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
size_t dst_len, size_t dst_len,
size_t *olen ) size_t *olen )
{ {
int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
switch( md ) switch( md )
{ {
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
case MBEDTLS_MD_SHA384: case MBEDTLS_MD_SHA384:
return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); ret = ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ;
#endif /* MBEDTLS_SHA384_C && MBEDTLS_SSL_PROTO_TLS1_2 */ break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_SHA256: case MBEDTLS_MD_SHA256:
return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); ret = ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ;
#endif /* MBEDTLS_SHA256_C && MBEDTLS_SSL_PROTO_TLS1_2*/ break;
#endif /* MBEDTLS_SHA256_C */
default: default:
break; break;
@ -7626,7 +7632,8 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
((void) dst); ((void) dst);
((void) dst_len); ((void) dst_len);
((void) olen); ((void) olen);
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
return( ret );
} }
#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* !MBEDTLS_USE_PSA_CRYPTO */

10
tests/ssl-opt.sh
View File

@ -1703,31 +1703,37 @@ run_test "SHA-256 allowed by default in client certificate" \
# Dummy TLS 1.3 test # Dummy TLS 1.3 test
# Currently only checking that passing TLS 1.3 key exchange modes to # Currently only checking that passing TLS 1.3 key exchange modes to
# ssl_client2/ssl_server2 example programs works. # ssl_client2/ssl_server2 example programs works.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \ run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \
"$P_SRV tls13_kex_modes=psk" \ "$P_SRV tls13_kex_modes=psk debug_level=4" \
"$P_CLI tls13_kex_modes=psk" \ "$P_CLI tls13_kex_modes=psk debug_level=4" \
0 0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \ run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \
"$P_SRV tls13_kex_modes=psk_ephemeral" \ "$P_SRV tls13_kex_modes=psk_ephemeral" \
"$P_CLI tls13_kex_modes=psk_ephemeral" \ "$P_CLI tls13_kex_modes=psk_ephemeral" \
0 0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \ run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \
"$P_SRV tls13_kex_modes=ephemeral" \ "$P_SRV tls13_kex_modes=ephemeral" \
"$P_CLI tls13_kex_modes=ephemeral" \ "$P_CLI tls13_kex_modes=ephemeral" \
0 0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \ run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \
"$P_SRV tls13_kex_modes=ephemeral_all" \ "$P_SRV tls13_kex_modes=ephemeral_all" \
"$P_CLI tls13_kex_modes=ephemeral_all" \ "$P_CLI tls13_kex_modes=ephemeral_all" \
0 0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: All PSK" \ run_test "TLS 1.3, key exchange mode parameter passing: All PSK" \
"$P_SRV tls13_kex_modes=psk_all" \ "$P_SRV tls13_kex_modes=psk_all" \
"$P_CLI tls13_kex_modes=psk_all" \ "$P_CLI tls13_kex_modes=psk_all" \
0 0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3, key exchange mode parameter passing: All" \ run_test "TLS 1.3, key exchange mode parameter passing: All" \
"$P_SRV tls13_kex_modes=all" \ "$P_SRV tls13_kex_modes=all" \