Merge pull request #5749 from yuhaoth/pr/add-tls13-finished-message-and-wrapup
TLS 1.3: Add Finished Message and wrapup
This commit is contained in:
commit
8fba70f66c
6 changed files with 207 additions and 118 deletions
|
@ -1750,6 +1750,15 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
|
|||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
|
||||
mbedtls_ssl_handshake_set_state(
|
||||
ssl,
|
||||
|
@ -1825,6 +1834,14 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
|
|||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
|
||||
return ( ret );
|
||||
}
|
||||
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
|
||||
return( 0 );
|
||||
}
|
||||
|
@ -1844,11 +1861,6 @@ static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
|
||||
mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
|
||||
mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
|
||||
|
||||
mbedtls_ssl_tls13_handshake_wrapup( ssl );
|
||||
|
||||
|
|
|
@ -1120,80 +1120,6 @@ static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_ssl_key_set traffic_keys;
|
||||
mbedtls_ssl_transform *transform_application = NULL;
|
||||
|
||||
ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_key_schedule_stage_application", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_generate_application_keys", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
transform_application =
|
||||
mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
|
||||
if( transform_application == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_ssl_tls13_populate_transform(
|
||||
transform_application,
|
||||
ssl->conf->endpoint,
|
||||
ssl->session_negotiate->ciphersuite,
|
||||
&traffic_keys,
|
||||
ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ssl->transform_application = transform_application;
|
||||
|
||||
cleanup:
|
||||
|
||||
mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_free( transform_application );
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
|
||||
{
|
||||
return( ssl_tls13_postprocess_server_finished_message( ssl ) );
|
||||
}
|
||||
#else
|
||||
((void) ssl);
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
@ -1211,7 +1137,6 @@ int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
|
||||
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
|
||||
buf, buf_len );
|
||||
MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
|
||||
|
||||
cleanup:
|
||||
|
||||
|
@ -1248,14 +1173,6 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
// TODO: Add back resumption keys calculation after MVP.
|
||||
((void) ssl);
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
unsigned char *end,
|
||||
|
@ -1296,7 +1213,6 @@ int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
|
|||
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
|
||||
buf, msg_len );
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
|
||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len ) );
|
||||
cleanup:
|
||||
|
@ -1310,6 +1226,12 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
|
|||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
|
||||
mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
|
||||
mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
|
||||
|
||||
/*
|
||||
* Free the previous session and switch to the current one.
|
||||
*/
|
||||
|
|
|
@ -1473,9 +1473,6 @@ int mbedtls_ssl_tls13_generate_application_keys(
|
|||
handshake->tls13_master_secrets.app,
|
||||
transcript, transcript_len,
|
||||
app_secrets );
|
||||
/* Erase master secrets */
|
||||
mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
|
||||
sizeof( ssl->handshake->tls13_master_secrets ) );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
|
@ -1598,4 +1595,67 @@ cleanup:
|
|||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_tls13_generate_resumption_master_secret(
|
||||
mbedtls_ssl_context *ssl )
|
||||
{
|
||||
/* Erase master secrets */
|
||||
mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
|
||||
sizeof( ssl->handshake->tls13_master_secrets ) );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_ssl_key_set traffic_keys;
|
||||
mbedtls_ssl_transform *transform_application = NULL;
|
||||
|
||||
ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_key_schedule_stage_application", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_generate_application_keys", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
transform_application =
|
||||
mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
|
||||
if( transform_application == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_ssl_tls13_populate_transform(
|
||||
transform_application,
|
||||
ssl->conf->endpoint,
|
||||
ssl->session_negotiate->ciphersuite,
|
||||
&traffic_keys,
|
||||
ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ssl->transform_application = transform_application;
|
||||
|
||||
cleanup:
|
||||
|
||||
mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_free( transform_application );
|
||||
}
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
|
|
@ -610,6 +610,19 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
|
|||
int mbedtls_ssl_tls13_generate_application_keys(
|
||||
mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys );
|
||||
|
||||
/**
|
||||
* \brief Compute TLS 1.3 resumption master secret.
|
||||
*
|
||||
* \param ssl The SSL context to operate on. This must be in
|
||||
* key schedule stage \c Application, see
|
||||
* mbedtls_ssl_tls13_key_schedule_stage_application().
|
||||
*
|
||||
* \returns \c 0 on success.
|
||||
* \returns A negative error code on failure.
|
||||
*/
|
||||
int mbedtls_ssl_tls13_generate_resumption_master_secret(
|
||||
mbedtls_ssl_context *ssl );
|
||||
|
||||
/**
|
||||
* \brief Calculate the verify_data value for the client or server TLS 1.3
|
||||
* Finished message.
|
||||
|
@ -649,6 +662,17 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
|
|||
*/
|
||||
int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
|
||||
|
||||
/**
|
||||
* \brief Compute TLS 1.3 application transform
|
||||
*
|
||||
* \param ssl The SSL context to operate on. The early secret must have been
|
||||
* computed.
|
||||
*
|
||||
* \returns \c 0 on success.
|
||||
* \returns A negative error code on failure.
|
||||
*/
|
||||
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
|
||||
|
|
|
@ -1476,6 +1476,67 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_SERVER_FINISHED
|
||||
*/
|
||||
static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
ret = mbedtls_ssl_tls13_write_finished_message( ssl );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
return( ret );
|
||||
}
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
|
||||
*/
|
||||
static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1,
|
||||
( "Switch to handshake traffic keys for inbound traffic" ) );
|
||||
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
|
||||
|
||||
ret = mbedtls_ssl_tls13_process_finished_message( ssl );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||
"mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
|
||||
}
|
||||
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
|
||||
*/
|
||||
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
|
||||
|
||||
mbedtls_ssl_tls13_handshake_wrapup( ssl );
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* TLS 1.3 State Machine -- server side
|
||||
*/
|
||||
|
@ -1540,6 +1601,18 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
|||
break;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
case MBEDTLS_SSL_SERVER_FINISHED:
|
||||
ret = ssl_tls13_write_server_finished( ssl );
|
||||
break;
|
||||
|
||||
case MBEDTLS_SSL_CLIENT_FINISHED:
|
||||
ret = ssl_tls13_process_client_finished( ssl );
|
||||
break;
|
||||
|
||||
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
|
||||
ret = ssl_tls13_handshake_wrapup( ssl );
|
||||
break;
|
||||
|
||||
default:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
|
|
|
@ -81,7 +81,7 @@ fi
|
|||
if [ -n "${OPENSSL_NEXT:-}" ]; then
|
||||
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
|
||||
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
|
||||
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
|
||||
else
|
||||
O_NEXT_SRV=false
|
||||
O_NEXT_SRV_NO_CERT=false
|
||||
|
@ -11224,31 +11224,34 @@ run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
|
|||
-c "Protocol is TLSv1.3" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
requires_openssl_tls1_3
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_SRV_C
|
||||
requires_openssl_tls1_3
|
||||
run_test "TLS 1.3: Server side check - openssl" \
|
||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
|
||||
"$O_NEXT_CLI -msg -debug -tls1_3" \
|
||||
1 \
|
||||
"$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
|
||||
0 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP"
|
||||
|
||||
# Skip this test before openssl exit code issue fixed
|
||||
# On fail, openssl return different exit code on OpenCI and internal CI for
|
||||
# this test.
|
||||
skip_next_test
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_SRV_C
|
||||
requires_openssl_tls1_3
|
||||
run_test "TLS 1.3: Server side check - openssl with client authentication" \
|
||||
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
|
||||
"$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
|
||||
"$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \
|
||||
1 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
|
@ -11258,7 +11261,6 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \
|
|||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "=> write certificate request" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
|
||||
|
@ -11270,16 +11272,16 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
|
|||
run_test "TLS 1.3: Server side check - gnutls" \
|
||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
|
||||
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
|
||||
1 \
|
||||
0 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
requires_gnutls_tls1_3
|
||||
requires_gnutls_next_no_ticket
|
||||
|
@ -11298,7 +11300,6 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \
|
|||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "=> write certificate request" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
|
||||
|
@ -11309,16 +11310,17 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
|
|||
run_test "TLS 1.3: Server side check - mbedtls" \
|
||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
|
||||
"$P_CLI debug_level=4 force_version=tls13" \
|
||||
1 \
|
||||
0 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||
-s "=> write certificate request" \
|
||||
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
|
@ -11331,12 +11333,9 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
|
|||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||
-s "=> write certificate request" \
|
||||
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> parse client hello" \
|
||||
-s "<= parse client hello"
|
||||
|
||||
|
@ -11348,14 +11347,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
run_test "TLS 1.3: server: HRR check - mbedtls" \
|
||||
"$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \
|
||||
"$P_CLI debug_level=4 force_version=tls13 curves=secp256r1,secp384r1" \
|
||||
1 \
|
||||
0 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
|
||||
-c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
-s "selected_group: secp384r1" \
|
||||
-s "SSL - The requested feature is not available" \
|
||||
-s "=> write hello retry request" \
|
||||
-s "<= write hello retry request"
|
||||
|
||||
|
|
Loading…
Reference in a new issue