diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt new file mode 100644 index 0000000000..8ceef21ee5 --- /dev/null +++ b/ChangeLog.d/tls13-without-tickets.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix TLS 1.3 client build and runtime when support for session tickets is + disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 172d4693b2..ca130a3fbd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3216,16 +3216,16 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, * a full handshake. * * \note This function can handle a variety of mechanisms for session - * resumption: For TLS 1.2, both session ID-based resumption and - * ticket-based resumption will be considered. For TLS 1.3, - * once implemented, sessions equate to tickets, and loading - * one or more sessions via this call will lead to their - * corresponding tickets being advertised as resumption PSKs - * by the client. - * - * \note Calling this function multiple times will only be useful - * once TLS 1.3 is supported. For TLS 1.2 connections, this - * function should be called at most once. + * resumption: For TLS 1.2, both session ID-based resumption + * and ticket-based resumption will be considered. For TLS 1.3, + * sessions equate to tickets, and loading one session by + * calling this function will lead to its corresponding ticket + * being advertised as resumption PSK by the client. This + * depends on session tickets being enabled (see + * #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + * If session tickets are disabled, a call to this function + * with a TLS 1.3 session, will not have any effect on the next + * handshake for the SSL context \p ssl. * * \param ssl The SSL context representing the connection which should * be attempted to be setup using session resumption. This 
@@ -3240,9 +3240,10 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, * * \return \c 0 if successful. * \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - * could not be loaded because of an implementation limitation. - * This error is non-fatal, and has no observable effect on - * the SSL context or the session that was attempted to be loaded. + * could not be loaded because one session has already been + * loaded. This error is non-fatal, and has no observable + * effect on the SSL context or the session that was attempted + * to be loaded. * \return Another negative error code on other kinds of failure. * * \sa mbedtls_ssl_get_session() @@ -3309,8 +3310,16 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session, * to determine the necessary size by calling this function * with \p buf set to \c NULL and \p buf_len to \c 0. * + * \note For TLS 1.3 sessions, this feature is supported only if the + * MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + * as in TLS 1.3 session resumption is possible only with + * tickets. + * * \return \c 0 if successful. * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + * and the session is a TLS 1.3 session. */ int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, unsigned char *buf, 
@@ -4837,23 +4846,16 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl * \note This function can handle a variety of mechanisms for session * resumption: For TLS 1.2, both session ID-based resumption and * ticket-based resumption will be considered. For TLS 1.3, - * once implemented, sessions equate to tickets, and calling - * this function multiple times will export the available - * tickets one a time until no further tickets are available, - * in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - * be returned. - * - * \note Calling this function multiple times will only be useful - * once TLS 1.3 is supported. For TLS 1.2 connections, this - * function should be called at most once. + * sessions equate to tickets, and if session tickets are + * enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + * option), this function exports the last received ticket and + * the exported session may be used to resume the TLS 1.3 + * session. If session tickets are disabled, exported sessions + * cannot be used to resume a TLS 1.3 session. * * \return \c 0 if successful. In this case, \p session can be used for * session resumption by passing it to mbedtls_ssl_set_session(), * and serialized for storage via mbedtls_ssl_session_save(). - * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - * is available for export. - * This error is a non-fatal, and has no observable effect on - * the SSL context or the destination session. * \return Another negative error code on other kinds of failure. * * \sa mbedtls_ssl_set_session() diff --git a/library/ssl_msg.c b/library/ssl_msg.c index b07cd96f1b..2bdad848a9 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
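Review bot: The `\return \c 0` paragraph kept as context in this hunk still says that `session` can be passed to mbedtls_ssl_set_session() and serialized with mbedtls_ssl_session_save(), which contradicts the new `\note` for a TLS 1.3 session in a build without MBEDTLS_SSL_SESSION_TICKETS. The mbedtls_ssl_session_save() hunk earlier in this file documents #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE for exactly that case, so a caller who reads only the return section will not expect the save call to fail or the set call to be a no-op. I would qualify the return text, for example `* \return \c 0 if successful. Unless this is a TLS 1.3 session and session tickets are disabled, \p session can be used for session resumption ...`.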
@@ -5570,9 +5570,9 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl) +static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl) { if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) || @@ -5580,15 +5580,9 @@ static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl) return 0; } - ssl->keep_current_message = 1; - - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received")); - mbedtls_ssl_handshake_set_state(ssl, - MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); - - return MBEDTLS_ERR_SSL_WANT_READ; + return 1; } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) @@ -5596,14 +5590,23 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message")); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - int ret = ssl_tls13_check_new_session_ticket(ssl); - if (ret != 0) { - return ret; + if (ssl_tls13_is_new_session_ticket(ssl)) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received")); + ssl->keep_current_message = 1; + + mbedtls_ssl_handshake_set_state(ssl, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); + return MBEDTLS_ERR_SSL_WANT_READ; +#else + MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported.")); + return 0; +#endif } } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ /* Fail in all other cases. */ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 
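Review bot: `ssl_tls13_is_new_session_ticket()` is now a yes/no predicate returning 1 or 0, but it keeps the `MBEDTLS_CHECK_RETURN_CRITICAL` annotation and has no comment saying that its result is not an error code. The only caller shown tests it directly in an `if`, so nothing is broken today. A one-line comment above the function, such as `/* Return 1 if the current handshake message is a NewSessionTicket, 0 otherwise (never an error code). */`, would stop a later reader from treating non-zero as failure. Part of the function body lies between the two hunks and is not visible here.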
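Review bot: The `#else` branch in ssl_tls13_handle_hs_message_post_handshake() drops a NewSessionTicket and returns 0 without saying why that is acceptable, and its debug string is matched literally by the new cases in tests/opt-testcases/tls13-misc.sh (`-c "Ignore NewSessionTicket, not supported."`). One comment would cover both, e.g. `/* The client is not required to use tickets (RFC 8446 4.6.1); this message is matched by ssl-opt tests. */`. The nested `#endif` would also read better with its condition, `#endif /* MBEDTLS_SSL_SESSION_TICKETS */`, as the outer one has. It is worth confirming in the caller, which is outside this hunk, that returning 0 leaves the ignored message consumed rather than dispatched again.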
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c5e06491c1..c2c2b6f795 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1760,6 +1760,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) const mbedtls_ssl_ciphersuite_t *ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); @@ -1770,6 +1771,14 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session session->ciphersuite)); return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } +#else + /* + * If session tickets are not enabled, it is not possible to resume a + * TLS 1.3 session, thus do not make any change to the SSL context in + * the first place. + */ + return 0; +#endif } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -4049,7 +4058,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session, } static int ssl_tls13_session_load(const mbedtls_ssl_session *session, - unsigned char *buf, + const unsigned char *buf, size_t buf_len) { ((void) session); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 7fcc394319..162e3a3146 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -666,6 +666,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl, return 0; } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; @@ -678,7 +679,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) return PSA_ALG_NONE; } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) { mbedtls_ssl_session *session = ssl->session_negotiate; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2760d76a5d..6fe8caeca4 100644 
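Review bot: In the new `#else` branch mbedtls_ssl_set_session() returns 0 for a TLS 1.3 session without leaving any trace, so an application sees success followed by a full handshake and nothing in the debug output explains it. The ssl_msg.c part of this commit logs when it ignores a NewSessionTicket; a matching line here, e.g. `MBEDTLS_SSL_DEBUG_MSG(3, ("TLS 1.3 session not loaded, session tickets disabled"));` before `return 0;`, would keep the two paths consistent. The argument checks that precede this early return are outside the hunk and could not be reviewed.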
--- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -172,12 +172,12 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, #define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1 #define SSL_TLS1_3_PSK_IDENTITY_MATCH 0 -#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl); MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_identity_match_ticket( mbedtls_ssl_context *ssl, @@ -575,10 +575,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( psa_algorithm_t psk_hash_alg; int allowed_key_exchange_modes; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; mbedtls_ssl_session_init(&session); -#endif MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4); identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0); @@ -3109,6 +3107,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) return 0; } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) /* * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ @@ -3138,7 +3137,6 @@ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ss return SSL_NEW_SESSION_TICKET_WRITE; } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, unsigned char *ticket_nonce, diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 5e43921710..10bbf19d74 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
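Review bot: In the `@@ -575,10 +575,8 @@` hunk the `MBEDTLS_SSL_SESSION_TICKETS` guard around `mbedtls_ssl_session session;` and `mbedtls_ssl_session_init(&session);` is removed, so the matching `mbedtls_ssl_session_free(&session)` must be unguarded as well. The rest of ssl_tls13_parse_pre_shared_key_ext() is outside this hunk, so this cannot be checked from the diff; if the free still sits inside a tickets-only block it should move out together with the init. A short comment at the declaration saying that the object is only populated on the ticket path would also help readers of the tickets-disabled build.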
@@ -813,6 +813,7 @@ run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_all" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ @@ -826,6 +827,20 @@ run_test "TLS 1.3 m->O: resumption" \ -c "Reconnecting with saved session... ok" \ -c "HTTP/1.0 200 ok" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS +run_test "TLS 1.3 m->O: resumption fails, no ticket support" \ + "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \ + "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignore NewSessionTicket, not supported." + # No early data m->O tests for the time being. The option -early_data is needed # to enable early data on OpenSSL server and it is not compatible with the # -www option we usually use for testing with OpenSSL server (see @@ -858,6 +873,7 @@ run_test "TLS 1.3 m->O: resumption with early data" \ requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ 
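Review bot: The new "TLS 1.3 m->O: resumption fails, no ticket support" case expects exit status 1, but its only positive client checks are `Protocol is TLSv1.3` and the ignore message, so any other client failure after the handshake would also pass; the two `-C` patterns hold trivially in that situation. Adding a `-c` pattern for the message the client prints when it fails to save or reuse the session would pin the failure to the intended step (the exact string is not visible in this diff). A comment above the case stating why exit code 1 is expected would help too. The same applies to "TLS 1.3 m->G: resumption fails, no ticket support" in the next hunk of this file.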
@@ -875,6 +891,21 @@ requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS +run_test "TLS 1.3 m->G: resumption fails, no ticket support" \ + "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \ + "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignore NewSessionTicket, not supported." + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a1203f7726..3aabec41d4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -6061,6 +6061,19 @@ component_test_tls13_no_compatibility_mode () { tests/ssl-opt.sh } +component_test_full_minus_session_tickets() { + msg "build: full config without session tickets" + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: full config without session tickets" + make test + msg "ssl-opt.sh (full config without session tickets)" + tests/ssl-opt.sh +} + component_build_mingw () { msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs 
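Review bot: component_test_full_minus_session_tickets also unsets `MBEDTLS_SSL_EARLY_DATA` without saying why. Presumably early data depends on session tickets in the configuration checks; a comment above that line, such as `# Early data relies on session tickets, so it has to be disabled as well.`, would record the dependency for whoever edits the component next.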
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 55201c0b78..255849fdc2 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1791,30 +1791,33 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session, session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER; session->ciphersuite = 0xabcd; + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) session->ticket_age_add = 0x87654321; session->ticket_flags = 0x7; - session->resumption_key_len = 32; memset(session->resumption_key, 0x99, sizeof(session->resumption_key)); - -#if defined(MBEDTLS_SSL_EARLY_DATA) - session->max_early_data_size = 0x87654321; -#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) - int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample"); - if (ret != 0) { - return -1; - } -#endif /* MBEDTLS_SSL_ALPN && MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_EARLY_DATA */ - -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - session->ticket_creation_time = mbedtls_ms_time() - 42; - } #endif +#if defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) + int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample"); + if (ret != 0) { + return -1; + } +#endif +#if defined(MBEDTLS_HAVE_TIME) + session->ticket_creation_time = mbedtls_ms_time() - 42; +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + } +#endif /* MBEDTLS_SSL_SRV_C */ + #if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_HAVE_TIME) session->ticket_reception_time = mbedtls_ms_time() - 40; #endif 
@@ -1828,9 +1831,22 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session, } memset(session->ticket, 33, ticket_len); } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + char hostname[] = "hostname example"; + session->hostname = mbedtls_calloc(1, sizeof(hostname)); + if (session->hostname == NULL) { + return -1; + } + memcpy(session->hostname, hostname, sizeof(hostname)); +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ } #endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_EARLY_DATA) + session->max_early_data_size = 0x87654321; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) session->record_size_limit = 2048; #endif diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a7c402004f..76be941422 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3731,6 +3731,7 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \ # Tests for Session Tickets +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: basic" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3745,6 +3746,7 @@ run_test "Session resume using tickets: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: manual rotation" \ "$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3759,6 +3761,7 @@ run_test "Session resume using tickets: manual rotation" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: cache disabled" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ 
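Review bot: The added hostname block in mbedtls_test_ssl_tls13_populate_session() returns -1 after `session->ticket` appears to have been allocated a few lines earlier, and nothing in the hunk states who releases a partially populated session. If every caller runs mbedtls_ssl_session_free() on failure this is fine, but that is not visible here; a sentence in the helper's header comment would settle it. The literal could also be declared `static const char hostname[] = "hostname example";` since it is only copied from.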
@@ -3773,6 +3776,7 @@ run_test "Session resume using tickets: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: timeout" \ "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_delay=2000" \ @@ -3787,6 +3791,7 @@ run_test "Session resume using tickets: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: session copy" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_mode=0" \ @@ -3802,6 +3807,7 @@ run_test "Session resume using tickets: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -3812,6 +3818,7 @@ run_test "Session resume using tickets: openssl server" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl client" \ "$P_SRV debug_level=3 tickets=1" \ "( $O_CLI -sess_out $SESSION; \ @@ -3825,6 +3832,7 @@ run_test "Session resume using tickets: openssl client" \ -s "a session has been resumed" requires_cipher_enabled "AES" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-128-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ 
@@ -3840,6 +3848,7 @@ run_test "Session resume using tickets: AES-128-GCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-192-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3855,6 +3864,7 @@ run_test "Session resume using tickets: AES-192-GCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3870,6 +3880,7 @@ run_test "Session resume using tickets: AES-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3885,6 +3896,7 @@ run_test "Session resume using tickets: AES-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3900,6 +3912,7 @@ run_test "Session resume using tickets: AES-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ 
@@ -3915,6 +3928,7 @@ run_test "Session resume using tickets: CAMELLIA-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3930,6 +3944,7 @@ run_test "Session resume using tickets: CAMELLIA-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3945,6 +3960,7 @@ run_test "Session resume using tickets: CAMELLIA-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-128-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3960,6 +3976,7 @@ run_test "Session resume using tickets: ARIA-128-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-192-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3975,6 +3992,7 @@ run_test "Session resume using tickets: ARIA-192-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-256-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ 
@@ -3990,6 +4008,7 @@ run_test "Session resume using tickets: ARIA-256-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4005,6 +4024,7 @@ run_test "Session resume using tickets: ARIA-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4020,6 +4040,7 @@ run_test "Session resume using tickets: ARIA-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4035,6 +4056,7 @@ run_test "Session resume using tickets: ARIA-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CHACHA20" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CHACHA20-POLY1305" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4052,6 +4074,7 @@ run_test "Session resume using tickets: CHACHA20-POLY1305" \ # Tests for Session Tickets with DTLS requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: basic" \ "$P_SRV debug_level=3 dtls=1 tickets=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ 
@@ -4067,6 +4090,7 @@ run_test "Session resume using tickets, DTLS: basic" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: cache disabled" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4082,6 +4106,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: timeout" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2000" \ @@ -4097,6 +4122,7 @@ run_test "Session resume using tickets, DTLS: timeout" \ -C "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: session copy" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \ @@ -4112,6 +4138,7 @@ run_test "Session resume using tickets, DTLS: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ 
@@ -4125,6 +4152,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \ # probability with OpenSSL 1.0.2g on the CI, see #5012. requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "( $O_NEXT_CLI -dtls -sess_out $SESSION; \ @@ -4140,6 +4168,7 @@ run_test "Session resume using tickets, DTLS: openssl client" \ # Tests for Session Resume based on session-ID and cache requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: tickets enabled on client" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4155,6 +4184,7 @@ run_test "Session resume using cache: tickets enabled on client" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: tickets enabled on server" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \ @@ -4246,6 +4276,7 @@ run_test "Session resume using cache: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: openssl client" \ "$P_SRV force_version=tls12 debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ @@ -4295,6 +4326,7 @@ run_test "Session resume and connection ID" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \ 
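Review bot: The "Session resume using cache: tickets enabled on client", "tickets enabled on server" and "openssl client" cases now require MBEDTLS_SSL_SESSION_TICKETS, so the new tickets-disabled component skips them even though they exercise session-ID cache resumption. Presumably the gate is needed because their command lines pass `tickets=0` or `tickets=1`; if so, a comment such as `# the tickets= option is only accepted when session tickets are built in` would explain it. Consider variants of these cache cases without the `tickets=` argument so that cache resumption stays covered when tickets are compiled out. The same gating is applied to the DTLS cache cases in the following hunks.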
@@ -4311,6 +4343,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -4396,6 +4429,7 @@ run_test "Session resume using cache, DTLS: session copy" \ requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "( $O_NEXT_CLI -dtls -sess_out $SESSION; \ @@ -6656,6 +6690,7 @@ run_test "Non-blocking I/O: client auth" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: ticket" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1" \ @@ -6665,6 +6700,7 @@ run_test "Non-blocking I/O: ticket" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: ticket + client auth" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1" \ @@ -6674,6 +6710,7 @@ run_test "Non-blocking I/O: ticket + client auth" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \ 
@@ -6685,6 +6722,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6694,6 +6732,7 @@ run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \ @@ -6705,6 +6744,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.3 + ticket + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6743,6 +6783,7 @@ run_test "Event-driven I/O: client auth" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: ticket" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1" \ 
@@ -6752,6 +6793,7 @@ run_test "Event-driven I/O: ticket" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: ticket + client auth" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1" \ @@ -6761,6 +6803,7 @@ run_test "Event-driven I/O: ticket + client auth" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \ @@ -6772,6 +6815,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6781,6 +6825,7 @@ run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \ 
@@ -6792,6 +6837,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.3 + ticket + resume" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6824,6 +6870,7 @@ run_test "Event-driven I/O, DTLS: client auth" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1" \ @@ -6831,6 +6878,7 @@ run_test "Event-driven I/O, DTLS: ticket" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + client auth" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1" \ @@ -6838,6 +6886,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -6845,6 +6894,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ 
@@ -11797,6 +11847,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -p "$P_PXY delay_srv=NewSessionTicket" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -11917,6 +11968,7 @@ run_test "DTLS proxy: 3d, FS, client auth" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, FS, ticket" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \ @@ -11927,6 +11979,7 @@ run_test "DTLS proxy: 3d, FS, ticket" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \ @@ -11937,6 +11990,7 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, max handshake, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \ diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 734b945148..d6bf16a673 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -930,35 +930,35 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2 ssl_session_serialize_version_check:0:0:0:1:0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: session serialization: Wrong major version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong minor version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong patch version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong config -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong major version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong minor version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong patch version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C 
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong config -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 Test Session id & Ciphersuite accessors TLS 1.2 @@ -2971,7 +2971,7 @@ depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBED ssl_serialize_session_save_load:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, save-load: no ticket -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: Session serialization, save-load: small ticket @@ -3091,7 +3091,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_ ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, load buffer size: no ticket -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: Session serialization, load buffer size: small ticket 
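Review bot: Adding `MBEDTLS_SSL_SESSION_TICKETS` to the "save-load: no ticket" and "load buffer size: no ticket" cases means no TLS 1.3 serialization case in the visible hunks runs when tickets are disabled. The ssl.h hunk of this commit documents that `mbedtls_ssl_session_save()` returns `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE` for a TLS 1.3 session in that configuration, and that error path is left untested. A negative case guarded by `depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_SESSION_TICKETS` that asserts this return code would pin the documented behaviour. The version-check cases in the hunk at -930 and the server case in the hunk at -3103 are gated the same way.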
@@ -3103,7 +3103,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_ ssl_serialize_session_load_buf_size:1023:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: Session serialization, load buffer size -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 Test configuration of groups for DHE through mbedtls_ssl_conf_curves() diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 67d97e47ce..840af7d2d9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -2093,7 +2093,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - TEST_ASSERT(original.ciphersuite == restored.ciphersuite); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add); TEST_ASSERT(original.ticket_flags == restored.ticket_flags); TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len); 
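Review bot: The TLS 1.3 branch of `ssl_serialize_session_save_load` loses `TEST_ASSERT(original.ciphersuite == restored.ciphersuite);`, because the line is replaced by the new `#if defined(MBEDTLS_SSL_SESSION_TICKETS)` guard rather than kept next to it. Unless the ciphersuite is already compared in the part of the function that lies outside this hunk, the save/load round trip no longer checks a field that TLS 1.3 resumption depends on. Keeping the assertion directly above the new `#if` preserves the coverage: `TEST_ASSERT(original.ciphersuite == restored.ciphersuite);`.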
@@ -2104,22 +2104,24 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, restored.resumption_key, original.resumption_key_len) == 0); } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_EARLY_DATA) - TEST_ASSERT( - original.max_early_data_size == restored.max_early_data_size); -#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) TEST_ASSERT(original.ticket_alpn != NULL); TEST_ASSERT(restored.ticket_alpn != NULL); TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn), restored.ticket_alpn, strlen(restored.ticket_alpn)); +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ } -#endif -#endif +#endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_HAVE_TIME) TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time); #endif @@ -2132,12 +2134,23 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, restored.ticket, original.ticket_len) == 0); } - - } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + TEST_ASSERT(original.hostname != NULL); + TEST_ASSERT(restored.hostname != NULL); + TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname), + restored.hostname, strlen(restored.hostname)); #endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + } +#endif /* MBEDTLS_SSL_CLI_C */ } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_SSL_EARLY_DATA) + TEST_ASSERT( + original.max_early_data_size == restored.max_early_data_size); +#endif + #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) TEST_ASSERT(original.record_size_limit == restored.record_size_limit); #endif
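Review bot: In the server branch the `#endif` that closes `#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)` is left bare while the guards around it are labelled, which makes the three-level nesting hard to follow. Label it `#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */`, and do the same for the `#endif` that closes `MBEDTLS_SSL_SERVER_NAME_INDICATION` in the following hunk. The two adjacent `#if` lines could also be merged into one condition, since nothing sits between them. The enclosing function starts and ends outside this hunk.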
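Review bot: Moving the `max_early_data_size` comparison below `#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */` makes it run for TLS 1.2 sessions as well, and the hunk at -2132 gives no reason for that. If the TLS 1.2 serialization format does not carry the field, the assertion passes only because both structures hold the same default value and so verifies nothing; this needs checking against the save/load code, which is outside the diff shown here. A comment above the block such as `/* max_early_data_size is serialized for every TLS version */`, if that is the intent, would make the expectation explicit; otherwise the check belongs back inside the TLS 1.3 branch.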