From 83da34eb592238ff554bf6e3c0f865ca37ecc70c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 16 Apr 2022 13:59:52 +0800 Subject: [PATCH 01/10] tls13:server:add dummy write certificate Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 46a6a49dd..41e772958 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1443,6 +1443,24 @@ cleanup: return( ret ); } +/* + * State Handler : MBEDTLS_SSL_SERVER_CERTIFICATE + */ +int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} + +/* + * State Handler : MBEDTLS_SSL_CERTIFICATE_VERIFY + */ +int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} + /* * TLS 1.3 State Machine -- server side */ @@ -1499,6 +1517,14 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + case MBEDTLS_SSL_SERVER_CERTIFICATE: + ret = ssl_tls13_write_server_certificate( ssl ); + break; + + case MBEDTLS_SSL_CERTIFICATE_VERIFY: + ret = ssl_tls13_write_certificate_verify( ssl ); + break; + default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); From 1bff711a36b41dfe1ba068ff387dea396d22c1d1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 16 Apr 2022 14:29:11 +0800 Subject: [PATCH 02/10] tls13:server:add server certificate writing Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 41e772958..c9de3b44c 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1449,7 +1449,12 @@ cleanup: int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) { ((void) ssl); - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + int ret = mbedtls_ssl_tls13_write_certificate( ssl ); + if(ret != 0) + return( ret ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); + return( 0 ); } /* From 4ff9e143560c651a6b434cdb41c7d11c6c1fbd05 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 16 Apr 2022 14:57:49 +0800 Subject: [PATCH 03/10] Add server certificate verfiy Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index c9de3b44c..297405730 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1448,7 +1448,6 @@ cleanup: */ int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) { - ((void) ssl); int ret = mbedtls_ssl_tls13_write_certificate( ssl ); if(ret != 0) return( ret ); @@ -1462,8 +1461,12 @@ int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) */ int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) { - ((void) ssl); - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl ); + if(ret != 0) + return( ret ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); + return( 0 ); } /* From c6e6dbf2e7225c816bf653f9e976177dfd215043 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 16 Apr 2022 19:42:57 +0800 Subject: [PATCH 04/10] fix various issues Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 297405730..02829e319 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1444,27 +1444,29 @@ cleanup: } /* - * State Handler : MBEDTLS_SSL_SERVER_CERTIFICATE + * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE */ -int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) int ret = mbedtls_ssl_tls13_write_certificate( ssl ); if(ret != 0) return( ret ); - +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); return( 0 ); } /* - * State Handler : MBEDTLS_SSL_CERTIFICATE_VERIFY + * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY */ -int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl ); if(ret != 0) return( ret ); - +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); return( 0 ); } From c8bdbf72d35b424cc2915985f6173c25c03b5804 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 23 Apr 2022 12:37:35 +0800 Subject: [PATCH 05/10] test:add state check for certificate and verify Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c9ec7b154..a5cafa7af 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11206,6 +11206,8 @@ run_test "TLS 1.3: Server side check - openssl" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ -s "<= parse client hello" @@ -11241,6 +11243,8 @@ run_test "TLS 1.3: Server side check - gnutls" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ -s "<= parse client hello" @@ -11294,6 +11298,8 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ From f1c3c4e77ce6d0a6c220e3ff58322fcdcc79eae9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 May 2022 11:36:35 +0800 Subject: [PATCH 06/10] fix various issues Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 02829e319..db6cbb678 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1449,8 +1449,11 @@ cleanup: static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - int ret = mbedtls_ssl_tls13_write_certificate( ssl ); - if(ret != 0) + int ret; + if( mbedtls_ssl_own_cert( ssl ) == NULL ) + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + ret = mbedtls_ssl_tls13_write_certificate( ssl ); + if( ret != 0 ) return( ret ); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); @@ -1464,7 +1467,7 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl ); - if(ret != 0) + if( ret != 0 ) return( ret ); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); From c450566b8538c748abc6d09b73dd74fff4995f2e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 May 2022 20:39:21 +0800 Subject: [PATCH 07/10] Update client auth tests Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a5cafa7af..9d8484442 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11225,6 +11225,8 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "=> write certificate request" \ -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ @@ -11263,6 +11265,8 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "=> write certificate request" \ -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ @@ -11297,6 +11301,7 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ From 5a26f3000d945d1e770925a257132102d1c5fa53 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 May 2022 20:46:40 +0800 Subject: [PATCH 08/10] Refactor cert exchange states Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index db6cbb678..693e4510b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1376,7 +1376,6 @@ cleanup: MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST @@ -1448,14 +1447,17 @@ cleanup: */ static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if( mbedtls_ssl_own_cert( ssl ) == NULL ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + ret = mbedtls_ssl_tls13_write_certificate( ssl ); if( ret != 0 ) return( ret ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); return( 0 ); } @@ -1465,14 +1467,13 @@ static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) */ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl ); if( ret != 0 ) return( ret ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); return( 0 ); } +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * TLS 1.3 State Machine -- server side @@ -1528,7 +1529,6 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_CERTIFICATE_REQUEST: ret = ssl_tls13_write_certificate_request( ssl ); break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ case MBEDTLS_SSL_SERVER_CERTIFICATE: ret = ssl_tls13_write_server_certificate( ssl ); @@ -1537,6 +1537,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_CERTIFICATE_VERIFY: ret = ssl_tls13_write_certificate_verify( ssl ); break; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); From 23d1a256eca909a087671f19c37844b67938eb97 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 12 May 2022 18:08:59 +0800 Subject: [PATCH 09/10] fix hrr handler undefine fail Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 130 ++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 693e4510b..396fce6e8 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1185,6 +1185,71 @@ cleanup: return( ret ); } + +/* + * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST + */ +static int ssl_tls13_write_hello_retry_request_coordinate( + mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + if( ssl->handshake->hello_retry_request_count > 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + /* + * Create stateless transcript hash for HRR + */ + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) ); + ret = mbedtls_ssl_reset_transcript_for_hrr( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret ); + return( ret ); + } + mbedtls_ssl_session_reset_msg_layer( ssl, 0 ); + + return( 0 ); +} + +static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *buf; + size_t buf_len, msg_len; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) ); + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, + &buf, &buf_len ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf, + buf + buf_len, + &msg_len, + 1 ) ); + mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); + + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, + msg_len ) ); + + ssl->handshake->hello_retry_request_count++; + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); + +cleanup: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) ); + return( ret ); +} + /* * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS */ @@ -1377,71 +1442,6 @@ cleanup: return( ret ); } -/* - * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST - */ - -static int ssl_tls13_write_hello_retry_request_coordinate( - mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( ssl->handshake->hello_retry_request_count > 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - /* - * Create stateless transcript hash for HRR - */ - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) ); - ret = mbedtls_ssl_reset_transcript_for_hrr( ssl ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret ); - return( ret ); - } - mbedtls_ssl_session_reset_msg_layer( ssl, 0 ); - - return( 0 ); -} - -static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char *buf; - size_t buf_len, msg_len; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); - - MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) ); - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, - &buf, &buf_len ) ); - - MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf, - buf + buf_len, - &msg_len, - 1 ) ); - mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); - - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, - msg_len ) ); - - ssl->handshake->hello_retry_request_count++; - - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); - -cleanup: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) ); - return( ret ); -} - /* * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE */ From b89125b81a74ead691be7b9ab4d962df1da84086 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 13 May 2022 15:45:49 +0800 Subject: [PATCH 10/10] Add test without server certificate Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 1 + tests/ssl-opt.sh | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 396fce6e8..ca1990813 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1450,6 +1450,7 @@ static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl ) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if( mbedtls_ssl_own_cert( ssl ) == NULL ) { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9d8484442..6041f1a13 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11329,6 +11329,17 @@ run_test "TLS 1.3: server: HRR check - mbedtls" \ -s "=> write hello retry request" \ -s "<= write hello retry request" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Server side check, no server certificate available" \ + "$P_SRV debug_level=4 crt_file=none key_file=none force_version=tls13" \ + "$P_CLI debug_level=4 force_version=tls13" \ + 1 \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "No certificate available." + for i in opt-testcases/*.sh do TEST_SUITE_NAME=${i##*/}