yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'set_hs' into development

Browse source 
* set_hs:
  Add tests for mbedtls_set_hs_ca_chain()
  Add tests for mbedtls_ssl_set_hs_authmode()
  Add support for SNI CA and authmode in ssl_server2
  Add mbedtls_ssl_set_hs_authmode
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-22 18:20:56 +02:00
commit 96aba64e13
7 changed files with 265 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
include/mbedtls/ssl.h
View file

@ -166,6 +166,7 @@
#define MBEDTLS_SSL_VERIFY_NONE 0 #define MBEDTLS_SSL_VERIFY_NONE 0
#define MBEDTLS_SSL_VERIFY_OPTIONAL 1 #define MBEDTLS_SSL_VERIFY_OPTIONAL 1
#define MBEDTLS_SSL_VERIFY_REQUIRED 2 #define MBEDTLS_SSL_VERIFY_REQUIRED 2
#define MBEDTLS_SSL_VERIFY_UNSET 3 /* Used only for sni_authmode */
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0 #define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0
#define MBEDTLS_SSL_SECURE_RENEGOTIATION 1 #define MBEDTLS_SSL_SECURE_RENEGOTIATION 1
@ -1620,6 +1621,19 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *ca_chain, mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl ); mbedtls_x509_crl *ca_crl );
/**
* \brief Set authmode for the current handshake.
*
* \note Same as \c mbedtls_ssl_conf_authmode() but for use within
* the SNI callback.
*
* \param ssl SSL context
* \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
* MBEDTLS_SSL_VERIFY_REQUIRED
*/
void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
int authmode );
/** /**
* \brief Set server side ServerName TLS extension callback * \brief Set server side ServerName TLS extension callback
* (optional, server-side only). * (optional, server-side only).
@ -1629,12 +1643,15 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
* during a handshake. The ServerName callback has the * during a handshake. The ServerName callback has the
* following parameters: (void *parameter, mbedtls_ssl_context *ssl, * following parameters: (void *parameter, mbedtls_ssl_context *ssl,
* const unsigned char *hostname, size_t len). If a suitable * const unsigned char *hostname, size_t len). If a suitable
* certificate is found, the callback should set the * certificate is found, the callback must set the
* certificate(s) and key(s) to use with \c * certificate(s) and key(s) to use with \c
* mbedtls_ssl_set_hs_own_cert() (can be called repeatedly), * mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
* and optionally adjust the CA with \c * and may optionally adjust the CA and associated CRL with \c
* mbedtls_ssl_set_hs_ca_chain() and return 0. The callback * mbedtls_ssl_set_hs_ca_chain() as well as the client
* should return -1 to abort the handshake at this point. * authentication mode with \c mbedtls_ssl_set_hs_authmode(),
* then must return 0. If no matching name is found, the
* callback must either set a default cert, or
* return non-zero to abort the handshake at this point.
* *
* \param conf SSL configuration * \param conf SSL configuration
* \param f_sni verification function * \param f_sni verification function

1
include/mbedtls/ssl_internal.h
View file

@ -183,6 +183,7 @@ struct mbedtls_ssl_handshake_params
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
int sni_authmode; /*!< authmode from SNI callback */
mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */

10
library/ssl_srv.c
View file

@ -2349,16 +2349,24 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
size_t ct_len, sa_len; /* including length bytes */ size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p; unsigned char *buf, *p;
const mbedtls_x509_crt *crt; const mbedtls_x509_crt *crt;
int authmode;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
authmode = ssl->handshake->sni_authmode;
else
#endif
authmode = ssl->conf->authmode;
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) authmode == MBEDTLS_SSL_VERIFY_NONE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
return( 0 ); return( 0 );

39
library/ssl_tls.c
View file

@ -3855,6 +3855,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t i, n; size_t i, n;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
int authmode = ssl->conf->authmode;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
@ -3869,8 +3870,20 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ) {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ssl->state++;
return( 0 );
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
authmode = ssl->handshake->sni_authmode;
#endif
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
authmode == MBEDTLS_SSL_VERIFY_NONE )
{ {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
@ -3903,7 +3916,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
return( 0 ); return( 0 );
else else
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
@ -3924,10 +3937,10 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
else
return( 0 ); return( 0 );
else
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
} }
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@ -4037,7 +4050,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
} }
#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) if( authmode != MBEDTLS_SSL_VERIFY_NONE )
{ {
mbedtls_x509_crt *ca_chain; mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl; mbedtls_x509_crl *ca_crl;
@ -4106,7 +4119,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
} }
if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_REQUIRED ) if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
ret = 0; ret = 0;
} }
@ -4860,6 +4873,10 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
#if defined(MBEDTLS_ECDH_C) #if defined(MBEDTLS_ECDH_C)
mbedtls_ecdh_init( &handshake->ecdh_ctx ); mbedtls_ecdh_init( &handshake->ecdh_ctx );
#endif #endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
#endif
} }
static void ssl_transform_init( mbedtls_ssl_transform *transform ) static void ssl_transform_init( mbedtls_ssl_transform *transform )
@ -5364,6 +5381,12 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
ssl->handshake->sni_ca_chain = ca_chain; ssl->handshake->sni_ca_chain = ca_chain;
ssl->handshake->sni_ca_crl = ca_crl; ssl->handshake->sni_ca_crl = ca_crl;
} }
void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
int authmode )
{
ssl->handshake->sni_authmode = authmode;
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)

112
programs/ssl/ssl_server2.c
View file

@ -210,8 +210,8 @@ int main( void )
#if defined(SNI_OPTION) #if defined(SNI_OPTION)
#define USAGE_SNI \ #define USAGE_SNI \
" sni=%%s name1,cert1,key1[,name2,cert2,key2[,...]]\n" \ " sni=%%s name1,cert1,key1,ca1,crl1,auth1[,...]\n" \
" default: disabled\n" " default: disabled\n"
#else #else
#define USAGE_SNI "" #define USAGE_SNI ""
#endif /* SNI_OPTION */ #endif /* SNI_OPTION */
@ -436,6 +436,21 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
return( ret ); return( ret );
} }
/*
* Return authmode from string, or -1 on error
*/
static int get_auth_mode( const char *s )
{
if( strcmp( s, "none" ) == 0 )
return( MBEDTLS_SSL_VERIFY_NONE );
if( strcmp( s, "optional" ) == 0 )
return( MBEDTLS_SSL_VERIFY_OPTIONAL );
if( strcmp( s, "required" ) == 0 )
return( MBEDTLS_SSL_VERIFY_REQUIRED );
return( -1 );
}
/* /*
* Used by sni_parse and psk_parse to handle coma-separated lists * Used by sni_parse and psk_parse to handle coma-separated lists
*/ */
@ -453,6 +468,9 @@ struct _sni_entry {
const char *name; const char *name;
mbedtls_x509_crt *cert; mbedtls_x509_crt *cert;
mbedtls_pk_context *key; mbedtls_pk_context *key;
mbedtls_x509_crt* ca;
mbedtls_x509_crl* crl;
int authmode;
sni_entry *next; sni_entry *next;
}; };
@ -468,6 +486,12 @@ void sni_free( sni_entry *head )
mbedtls_pk_free( cur->key ); mbedtls_pk_free( cur->key );
mbedtls_free( cur->key ); mbedtls_free( cur->key );
mbedtls_x509_crt_free( cur->ca );
mbedtls_free( cur->ca );
mbedtls_x509_crl_free( cur->crl );
mbedtls_free( cur->crl );
next = cur->next; next = cur->next;
mbedtls_free( cur ); mbedtls_free( cur );
cur = next; cur = next;
@ -475,8 +499,9 @@ void sni_free( sni_entry *head )
} }
/* /*
* Parse a string of triplets name1,crt1,key1[,name2,crt2,key2[,...]] * Parse a string of sextuples name1,crt1,key1,ca1,crl1,auth1[,...]
* into a usable sni_entry list. * into a usable sni_entry list. For ca1, crl1, auth1, the special value
* '-' means unset. If ca1 is unset, then crl1 is ignored too.
* *
* Modifies the input string! This is not production quality! * Modifies the input string! This is not production quality!
*/ */
@ -485,7 +510,7 @@ sni_entry *sni_parse( char *sni_string )
sni_entry *cur = NULL, *new = NULL; sni_entry *cur = NULL, *new = NULL;
char *p = sni_string; char *p = sni_string;
char *end = p; char *end = p;
char *crt_file, *key_file; char *crt_file, *key_file, *ca_file, *crl_file, *auth_str;
while( *end != '\0' ) while( *end != '\0' )
++end; ++end;
@ -499,30 +524,54 @@ sni_entry *sni_parse( char *sni_string )
return( NULL ); return( NULL );
} }
memset( new, 0, sizeof( sni_entry ) ); GET_ITEM( new->name );
GET_ITEM( crt_file );
GET_ITEM( key_file );
GET_ITEM( ca_file );
GET_ITEM( crl_file );
GET_ITEM( auth_str );
if( ( new->cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL || if( ( new->cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL ||
( new->key = mbedtls_calloc( 1, sizeof( mbedtls_pk_context ) ) ) == NULL ) ( new->key = mbedtls_calloc( 1, sizeof( mbedtls_pk_context ) ) ) == NULL )
{ goto error;
mbedtls_free( new->cert );
mbedtls_free( new );
sni_free( cur );
return( NULL );
}
mbedtls_x509_crt_init( new->cert ); mbedtls_x509_crt_init( new->cert );
mbedtls_pk_init( new->key ); mbedtls_pk_init( new->key );
GET_ITEM( new->name );
GET_ITEM( crt_file );
GET_ITEM( key_file );
if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 || if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 ||
mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 ) mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 )
{
goto error; goto error;
if( strcmp( ca_file, "-" ) != 0 )
{
if( ( new->ca = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
goto error;
mbedtls_x509_crt_init( new->ca );
if( mbedtls_x509_crt_parse_file( new->ca, ca_file ) != 0 )
goto error;
} }
if( strcmp( crl_file, "-" ) != 0 )
{
if( ( new->crl = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ) ) == NULL )
goto error;
mbedtls_x509_crl_init( new->crl );
if( mbedtls_x509_crl_parse_file( new->crl, crl_file ) != 0 )
goto error;
}
if( strcmp( auth_str, "-" ) != 0 )
{
if( ( new->authmode = get_auth_mode( auth_str ) ) < 0 )
goto error;
}
else
new->authmode = DFL_AUTH_MODE;
new->next = cur; new->next = cur;
cur = new; cur = new;
} }
@ -541,13 +590,19 @@ error:
int sni_callback( void *p_info, mbedtls_ssl_context *ssl, int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len ) const unsigned char *name, size_t name_len )
{ {
sni_entry *cur = (sni_entry *) p_info; const sni_entry *cur = (const sni_entry *) p_info;
while( cur != NULL ) while( cur != NULL )
{ {
if( name_len == strlen( cur->name ) && if( name_len == strlen( cur->name ) &&
memcmp( name, cur->name, name_len ) == 0 ) memcmp( name, cur->name, name_len ) == 0 )
{ {
if( cur->ca != NULL )
mbedtls_ssl_set_hs_ca_chain( ssl, cur->ca, cur->crl );
if( cur->authmode != DFL_AUTH_MODE )
mbedtls_ssl_set_hs_authmode( ssl, cur->authmode );
return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) ); return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) );
} }
@ -1055,13 +1110,7 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "auth_mode" ) == 0 ) else if( strcmp( p, "auth_mode" ) == 0 )
{ {
if( strcmp( q, "none" ) == 0 ) if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 )
opt.auth_mode = MBEDTLS_SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else
goto usage; goto usage;
} }
else if( strcmp( p, "max_frag_len" ) == 0 ) else if( strcmp( p, "max_frag_len" ) == 0 )
@ -1892,6 +1941,19 @@ reset:
else if( ret != 0 ) else if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
{
char vrfy_buf[512];
uint32_t flags = mbedtls_ssl_get_verify_result( &ssl );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
#endif
goto reset; goto reset;
} }
else /* ret == 0 */ else /* ret == 0 */

2
tests/data_files/Readme-x509.txt
View file

@ -72,7 +72,7 @@ Certificate revocation lists
Signing CA in parentheses (same meaning as certificates). Signing CA in parentheses (same meaning as certificates).
- crl-ec-sha*: (2) server6.crt - crl-ec-sha*.pem: (2) server6.crt
- crl-future.pem: (2) server6.crt + unknown - crl-future.pem: (2) server6.crt + unknown
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown - crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown - crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown

137
tests/ssl-opt.sh
View file

@ -1597,7 +1597,7 @@ run_test "Authentication: client badcert, server required" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" \ -S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \ -s "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed by the trusted CA" \ -s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \ -s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed" -s "X509 - Certificate verification failed"
@ -1750,42 +1750,135 @@ run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$P_CLI server_name=localhost" \ "$P_CLI server_name=localhost" \
0 \ 0 \
-S "parse ServerName extension" \ -S "parse ServerName extension" \
-c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 1" \ run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=localhost" \ "$P_CLI server_name=localhost" \
0 \ 0 \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 2" \ run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example" \ "$P_CLI server_name=polarssl.example" \
0 \ 0 \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
run_test "SNI: no matching cert" \ run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=nonesuch.example" \ "$P_CLI server_name=nonesuch.example" \
1 \ 1 \
-s "parse ServerName extension" \ -s "parse ServerName extension" \
-s "ssl_sni_wrapper() returned" \ -s "ssl_sni_wrapper() returned" \
-s "mbedtls_ssl_handshake returned" \ -s "mbedtls_ssl_handshake returned" \
-c "mbedtls_ssl_handshake returned" \ -c "mbedtls_ssl_handshake returned" \
-c "SSL - A fatal alert message was received from our peer" -c "SSL - A fatal alert message was received from our peer"
run_test "SNI: client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
-C "skip write certificate" \
-C "skip write certificate verify" \
-S "skip parse certificate verify"
run_test "SNI: client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
-C "skip write certificate" \
-C "skip write certificate verify" \
-S "skip parse certificate verify"
run_test "SNI: client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-s "skip write certificate request" \
-C "skip parse certificate request" \
-c "got no certificate request" \
-c "skip write certificate" \
-c "skip write certificate verify" \
-s "skip parse certificate verify"
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
ca_file=data_files/test-ca.crt \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
"$P_CLI debug_level=3 server_name=localhost \
crt_file=data_files/server6.crt key_file=data_files/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
-C "skip write certificate" \
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
ca_file=data_files/test-ca.crt \
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
"$P_CLI debug_level=3 server_name=localhost \
crt_file=data_files/server6.crt key_file=data_files/server6.key" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
-C "skip write certificate" \
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-S "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
ca_file=data_files/test-ca.crt \
sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
"$P_CLI debug_level=3 server_name=localhost \
crt_file=data_files/server6.crt key_file=data_files/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
-C "skip write certificate" \
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed by the trusted CA" \
-s "The certificate has been revoked (is on a CRL)"
# Tests for non-blocking I/O: exercise a variety of handshake flows # Tests for non-blocking I/O: exercise a variety of handshake flows