Update test cases and support sni ca override

Change-Id: I6052acde0b0ec1c25537f8dd81a35562da05a393
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-06-02 09:29:18 +00:00
parent f4f0f6961a
commit 129aeb9b0e
3 changed files with 18 additions and 43 deletions

View file

@ -8240,13 +8240,6 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
size_t server_name_list_len, hostname_len; size_t server_name_list_len, hostname_len;
const unsigned char *server_name_list_end; const unsigned char *server_name_list_end;
if( ssl->conf->p_sni == NULL )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "No SNI callback configured. Skip SNI parsing." ) );
return( 0 );
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
@ -8273,9 +8266,8 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
if( ret != 0 ) if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
mbedtls_ssl_send_alert_message( MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME ); return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
} }
return( 0 ); return( 0 );

View file

@ -688,6 +688,19 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
p += extension_data_len; p += extension_data_len;
} }
/*
* Server certification selection (after processing TLS extensions)
*/
if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
return( ret );
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl->handshake->sni_name = NULL;
ssl->handshake->sni_name_len = 0;
#endif
/* Update checksum with either /* Update checksum with either
* - The entire content of the CH message, if no PSK extension is present * - The entire content of the CH message, if no PSK extension is present
* - The content up to but excluding the PSK extension, if present. * - The content up to but excluding the PSK extension, if present.

View file

@ -11409,18 +11409,8 @@ run_test "TLS 1.3: Server side check - openssl with sni" \
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \ "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
0 \ 0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-s "=> parse client hello" \ -s "HTTP/1.0 200 OK"
-s "<= parse client hello"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@ -11433,18 +11423,8 @@ run_test "TLS 1.3: Server side check - gnutls with sni" \
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \ "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
0 \ 0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-s "=> parse client hello" \ -s "HTTP/1.0 200 OK"
-s "<= parse client hello"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
@ -11457,18 +11437,8 @@ run_test "TLS 1.3: Server side check - mbedtls with sni" \
"$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key \ "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key \
force_version=tls13" \ force_version=tls13" \
0 \ 0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-s "=> parse client hello" \ -s "HTTP/1.0 200 OK"
-s "<= parse client hello"
for i in opt-testcases/*.sh for i in opt-testcases/*.sh
do do