yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #6194 from xkqian/tls13_add_psk_client_cases

Browse source 
TLS 1.3: Add PSK client cases
This commit is contained in:
Ronald Cron 2022-09-28 17:08:06 +02:00 committed by GitHub
commit 77c691f099
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 1463 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
library/ssl_tls13_client.c
View file

@ -1327,11 +1327,11 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
int ret = 0;
size_t selected_identity;
int psk_type;
const unsigned char *psk;
size_t psk_len;
const unsigned char *psk_identity;
size_t psk_identity_len;
int psk_type;
/* Check which PSK we've offered.
*
@ -1667,6 +1667,23 @@ cleanup:
return( ret );
}
#if defined(MBEDTLS_DEBUG_C)
static const char *ssl_tls13_get_kex_mode_str(int mode)
{
switch( mode )
{
case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
return "psk";
case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
return "ephemeral";
case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
return "psk_ephemeral";
default:
return "unknown mode";
}
}
#endif /* MBEDTLS_DEBUG_C */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
{
@ -1687,19 +1704,16 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
/* Only the pre_shared_key extension was received */
case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
break;
/* Only the key_share extension was received */
case MBEDTLS_SSL_EXT_KEY_SHARE:
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
break;
/* Both the pre_shared_key and key_share extensions were received */
case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
break;
/* Neither pre_shared_key nor key_share extension was received */
@ -1709,6 +1723,19 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
goto cleanup;
}
if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
{
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG( 2,
( "Key exchange mode(%s) is not supported.",
ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
goto cleanup;
}
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Selected key exchange mode: %s",
ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
/* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
*
* TODO: We don't have to do this in case we offered 0-RTT and the

1
tests/data_files/simplepass.psk Normal file
View file

@ -0,0 +1 @@
0a0b0c:010203

1431
tests/opt-testcases/tls13-kex-modes.sh
View file

File diff suppressed because it is too large Load diff

46
tests/ssl-opt.sh
View file

@ -12143,52 +12143,6 @@ run_test "TLS 1.3: Server side check - mbedtls with sni" \
-s "parse ServerName extension" \
-s "HTTP/1.0 200 OK"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3, default suite, PSK" \
"$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
"$P_CLI nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
0 \
-c "=> write client hello" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "<= write client hello"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3, default suite, PSK - openssl" \
"$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
0 \
-c "=> write client hello" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "<= write client hello"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3, default suite, PSK - gnutls" \
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+CIPHER-ALL:%NO_TICKETS --pskhint=0a0b0c" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
1 \
-c "=> write client hello" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
-s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello"
for i in opt-testcases/*.sh
do
TEST_SUITE_NAME=${i##*/}