2022-11-07 07:03:44 +01:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
# tls13-misc.sh
|
|
|
|
|
#
|
|
|
|
|
# Copyright The Mbed TLS Contributors
|
|
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
# not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
|
|
|
|
#
|
|
|
|
|
|
2022-11-08 14:49:47 +01:00
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_SRV_C
|
|
|
|
|
requires_config_enabled MBEDTLS_DEBUG_C
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
|
|
|
|
|
run_test "TLS 1.3: PSK: No valid ciphersuite. G->m" \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-CIPHER-ALL:+AES-256-GCM:+AEAD:+SHA384:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3 \
|
|
|
|
|
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
|
|
|
|
|
localhost" \
|
|
|
|
|
1 \
|
|
|
|
|
-s "found psk key exchange modes extension" \
|
|
|
|
|
-s "found pre_shared_key extension" \
|
|
|
|
|
-s "Found PSK_EPHEMERAL KEX MODE" \
|
|
|
|
|
-s "Found PSK KEX MODE" \
|
|
|
|
|
-s "No matched ciphersuite"
|
|
|
|
|
|
|
|
|
|
requires_openssl_tls1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_SRV_C
|
|
|
|
|
requires_config_enabled MBEDTLS_DEBUG_C
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
|
|
|
|
|
run_test "TLS 1.3: PSK: No valid ciphersuite. O->m" \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -ciphersuites TLS_AES_256_GCM_SHA384\
|
|
|
|
|
-psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70" \
|
|
|
|
|
1 \
|
|
|
|
|
-s "found psk key exchange modes extension" \
|
|
|
|
|
-s "found pre_shared_key extension" \
|
|
|
|
|
-s "Found PSK_EPHEMERAL KEX MODE" \
|
|
|
|
|
-s "Found PSK KEX MODE" \
|
|
|
|
|
-s "No matched ciphersuite"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \
|
|
|
|
|
"$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 2" \
|
|
|
|
|
-s "sent selected_identity: 0" \
|
|
|
|
|
-s "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "key exchange mode: ephemeral$" \
|
|
|
|
|
-S "ticket is not authentic"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \
|
|
|
|
|
"$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 2" \
|
|
|
|
|
-s "sent selected_identity: 1" \
|
|
|
|
|
-s "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "key exchange mode: ephemeral$" \
|
|
|
|
|
-s "ticket is not authentic"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-s "ticket is not authentic" \
|
|
|
|
|
-S "ticket is expired" \
|
|
|
|
|
-S "Invalid ticket start time" \
|
|
|
|
|
-S "Ticket age exceeds limitation" \
|
|
|
|
|
-S "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "ticket is not authentic" \
|
|
|
|
|
-s "ticket is expired" \
|
|
|
|
|
-S "Invalid ticket start time" \
|
|
|
|
|
-S "Ticket age exceeds limitation" \
|
|
|
|
|
-S "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "ticket is not authentic" \
|
|
|
|
|
-S "ticket is expired" \
|
|
|
|
|
-s "Invalid ticket start time" \
|
|
|
|
|
-S "Ticket age exceeds limitation" \
|
|
|
|
|
-S "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "ticket is not authentic" \
|
|
|
|
|
-S "ticket is expired" \
|
|
|
|
|
-S "Invalid ticket start time" \
|
|
|
|
|
-s "Ticket age exceeds limitation" \
|
|
|
|
|
-S "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "ticket is not authentic" \
|
|
|
|
|
-S "ticket is expired" \
|
|
|
|
|
-S "Invalid ticket start time" \
|
|
|
|
|
-S "Ticket age exceeds limitation" \
|
|
|
|
|
-s "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
|
2022-12-15 13:46:23 +01:00
|
|
|
MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
2022-11-08 14:49:47 +01:00
|
|
|
run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \
|
|
|
|
|
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
-c "Pre-configured PSK number = 1" \
|
|
|
|
|
-S "sent selected_identity:" \
|
|
|
|
|
-s "key exchange mode: ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "ticket is not authentic" \
|
|
|
|
|
-S "ticket is expired" \
|
|
|
|
|
-S "Invalid ticket start time" \
|
|
|
|
|
-S "Ticket age exceeds limitation" \
|
|
|
|
|
-s "Ticket age outside tolerance window"
|
|
|
|
|
|
|
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
run_test "TLS 1.3: G->m: ephemeral_all/psk, fail, no common kex mode" \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+VERS-TLS1.3 \
|
|
|
|
|
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
|
|
|
|
|
localhost" \
|
|
|
|
|
1 \
|
|
|
|
|
-s "found psk key exchange modes extension" \
|
|
|
|
|
-s "found pre_shared_key extension" \
|
|
|
|
|
-s "Found PSK_EPHEMERAL KEX MODE" \
|
|
|
|
|
-S "Found PSK KEX MODE" \
|
|
|
|
|
-S "key exchange mode: psk$" \
|
|
|
|
|
-S "key exchange mode: psk_ephemeral" \
|
|
|
|
|
-S "key exchange mode: ephemeral"
|
|
|
|
|
|
2022-11-07 07:03:44 +01:00
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
run_test "TLS 1.3: G->m: PSK: configured psk only, good." \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
|
|
|
|
|
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
|
|
|
|
|
localhost" \
|
|
|
|
|
0 \
|
|
|
|
|
-s "found psk key exchange modes extension" \
|
|
|
|
|
-s "found pre_shared_key extension" \
|
|
|
|
|
-s "Found PSK_EPHEMERAL KEX MODE" \
|
|
|
|
|
-s "Found PSK KEX MODE" \
|
|
|
|
|
-s "key exchange mode: psk$"
|
|
|
|
|
|
|
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
run_test "TLS 1.3: G->m: PSK: configured psk_ephemeral only, good." \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
|
|
|
|
|
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
|
|
|
|
|
localhost" \
|
|
|
|
|
0 \
|
|
|
|
|
-s "found psk key exchange modes extension" \
|
|
|
|
|
-s "found pre_shared_key extension" \
|
|
|
|
|
-s "Found PSK_EPHEMERAL KEX MODE" \
|
|
|
|
|
-s "Found PSK KEX MODE" \
|
|
|
|
|
-s "key exchange mode: psk_ephemeral$"
|
|
|
|
|
|
|
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
run_test "TLS 1.3: G->m: PSK: configured ephemeral only, good." \
|
|
|
|
|
"$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
|
|
|
|
|
"$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
|
|
|
|
|
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
|
|
|
|
|
localhost" \
|
|
|
|
|
0 \
|
|
|
|
|
-s "key exchange mode: ephemeral$"
|
|
|
|
|
|
2022-11-16 04:23:46 +01:00
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_DEBUG_C
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_EARLY_DATA
|
2022-11-16 09:51:01 +01:00
|
|
|
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
2022-11-16 04:23:46 +01:00
|
|
|
run_test "TLS 1.3 m->G: EarlyData: basic check, good" \
|
|
|
|
|
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
|
2022-12-05 08:55:24 +01:00
|
|
|
"$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \
|
2022-11-16 04:23:46 +01:00
|
|
|
1 \
|
|
|
|
|
-c "Reconnecting with saved session" \
|
|
|
|
|
-c "NewSessionTicket: early_data(42) extension received." \
|
|
|
|
|
-c "ClientHello: early_data(42) extension exists." \
|
|
|
|
|
-c "EncryptedExtensions: early_data(42) extension received." \
|
2022-10-27 12:21:05 +02:00
|
|
|
-c "EncryptedExtensions: early_data(42) extension exists." \
|
2022-11-16 04:23:46 +01:00
|
|
|
-s "Parsing extension 'Early Data/42' (0 bytes)" \
|
|
|
|
|
-s "Sending extension Early Data/42 (0 bytes)" \
|
|
|
|
|
-s "early data accepted"
|
|
|
|
|
|
|
|
|
|
requires_gnutls_tls1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_DEBUG_C
|
|
|
|
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_EARLY_DATA
|
2022-11-16 09:51:01 +01:00
|
|
|
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
2022-11-17 10:23:32 +01:00
|
|
|
run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \
|
2022-11-16 04:23:46 +01:00
|
|
|
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
|
2022-12-05 08:55:24 +01:00
|
|
|
"$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
|
2022-11-16 04:23:46 +01:00
|
|
|
0 \
|
|
|
|
|
-c "Reconnecting with saved session" \
|
|
|
|
|
-C "NewSessionTicket: early_data(42) extension received." \
|
|
|
|
|
-c "ClientHello: early_data(42) extension does not exist." \
|
|
|
|
|
-C "EncryptedExtensions: early_data(42) extension received." \
|
2022-10-27 12:21:05 +02:00
|
|
|
-C "EncryptedExtensions: early_data(42) extension exists."
|
2022-11-16 04:23:46 +01:00
|
|
|
|
2022-11-16 09:51:01 +01:00
|
|
|
#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked.
|
2022-11-16 04:23:46 +01:00
|
|
|
skip_next_test
|
2022-11-16 09:51:01 +01:00
|
|
|
requires_openssl_tls1_3
|
|
|
|
|
requires_config_enabled MBEDTLS_DEBUG_C
|
2022-11-16 04:23:46 +01:00
|
|
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
2022-11-16 09:51:01 +01:00
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_EARLY_DATA
|
|
|
|
|
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
|
|
|
|
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
2022-11-16 04:23:46 +01:00
|
|
|
run_test "TLS 1.3, ext PSK, early data" \
|
|
|
|
|
"$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
|
|
|
|
|
"$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
|
|
|
|
|
1 \
|
|
|
|
|
-c "Reconnecting with saved session" \
|
|
|
|
|
-c "NewSessionTicket: early_data(42) extension received." \
|
|
|
|
|
-c "ClientHello: early_data(42) extension exists." \
|
|
|
|
|
-c "EncryptedExtensions: early_data(42) extension received." \
|
|
|
|
|
-c "EncryptedExtensions: early_data(42) extension ( ignored )."
|
|
|
|
|
|
2022-12-09 07:27:08 +01:00
|
|
|
get_resumption_with_ticket_flags_criteria()
|
|
|
|
|
{
|
|
|
|
|
ticket_flags=$1
|
|
|
|
|
psk_modes=$2
|
|
|
|
|
if [ "$ticket_flags" = "none" ] || \
|
|
|
|
|
( [ "$psk_modes" != "psk_all" ] && \
|
|
|
|
|
[ "$ticket_flags" != "psk_all" ] && \
|
|
|
|
|
[ "$psk_modes" != "$ticket_flags" ] );
|
|
|
|
|
then
|
|
|
|
|
# ticket_flags is incompatible with the psk_kex_modes
|
|
|
|
|
echo ' -c "Pre-configured PSK number = 1"' \
|
|
|
|
|
' -S "sent selected_identity:"' \
|
|
|
|
|
' -s "key exchange mode: ephemeral"' \
|
|
|
|
|
' -S "key exchange mode: psk_ephemeral"' \
|
|
|
|
|
' -S "key exchange mode: psk$"' \
|
|
|
|
|
' -s "No suitable key exchange mode"' \
|
|
|
|
|
' -s "No matched PSK or ticket"'
|
|
|
|
|
else
|
|
|
|
|
# ticket_flags is compatible with the psk_kex_modes
|
|
|
|
|
echo ' -c "Pre-configured PSK number = 1"' \
|
|
|
|
|
' -S "No suitable key exchange mode"' \
|
|
|
|
|
' -s "found matched identity"'
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
run_tests_tls13_resumption_with_ticket_flags()
|
|
|
|
|
{
|
|
|
|
|
# all tests in this sequence requires the same configuration.
|
|
|
|
|
SKIP_THIS_TESTS="$SKIP_NEXT"
|
|
|
|
|
|
|
|
|
|
DUMMY_TICKET_BASE=6
|
|
|
|
|
TLS13_KEX_MODES="ephemeral:psk_or_ephemeral:ephemeral_all:all"
|
|
|
|
|
PSK_KEX_MODES="none:psk:psk_ephemeral:psk_all"
|
|
|
|
|
|
|
|
|
|
for m in $(seq 4); do
|
|
|
|
|
kex_mode="$(echo "$TLS13_KEX_MODES" | cut -d ":" -f "$m")"
|
|
|
|
|
# ephemeral only mode doesn't support resumption
|
|
|
|
|
if [ "$kex_mode" = "ephemeral" ]; then continue; fi
|
|
|
|
|
|
|
|
|
|
for n in $(seq 4); do
|
|
|
|
|
supported_psk_modes="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$m")"
|
|
|
|
|
dummy_ticket_flags="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$n")"
|
|
|
|
|
|
|
|
|
|
eval "set -- $(get_resumption_with_ticket_flags_criteria "$dummy_ticket_flags" "$supported_psk_modes")"
|
|
|
|
|
|
|
|
|
|
SKIP_NEXT="$SKIP_THIS_TESTS"
|
|
|
|
|
run_test "TLS 1.3 m->m: Resumption with ticket flags, $supported_psk_modes->$dummy_ticket_flags." \
|
|
|
|
|
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=$((n + DUMMY_TICKET_BASE))" \
|
|
|
|
|
"$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=$kex_mode reconnect=1" \
|
|
|
|
|
0 \
|
|
|
|
|
"$@"
|
|
|
|
|
done
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \
|
|
|
|
|
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
|
|
|
|
|
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
|
|
|
|
|
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
|
|
|
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
|
|
|
|
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
|
|
|
run_tests_tls13_resumption_with_ticket_flags
|
|
|
|
|
|
