Merge pull request #9421 from mfil/feature/implement_tls_exporter
Implement TLS-Exporter
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c203112..15f44aa 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,6 +7,12 @@
---
+**WARNING:** if the bug you are reporting has or may have security implications,
+we ask that you report it privately to
+<mbed-tls-security@lists.trustedfirmware.org>
+so that we can prepare and release a fix before publishing the details.
+See [SECURITY.md](https://github.com/Mbed-TLS/mbedtls/blob/development/SECURITY.md).
+
### Summary
@@ -25,6 +31,10 @@
### Actual behavior
+**WARNING:* if the actual behaviour suggests memory corruption (like a crash or an error
+from a memory checker), then the bug should be assumed to have security
+implications (until proven otherwise), and we ask what you report it privately,
+see the note at the top of this template.
### Steps to reproduce
diff --git a/.gitignore b/.gitignore
index 2917cfb..9226eec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,5 @@
# Random seed file created by test scripts and sample programs
seedfile
-# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
-00000000ffffff52.psa_its
# Log files created by all.sh to reduce the logs in case a component runs
# successfully
quiet-make.*
diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
new file mode 100644
index 0000000..250a5ba
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_set_hostname.txt
@@ -0,0 +1,16 @@
+Default behavior changes
+ * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
+ mbedtls_ssl_handshake() now fails with
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if certificate-based authentication of the server is attempted.
+ This is because authenticating a server without knowing what name
+ to expect is usually insecure.
+
+Security
+ * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
+ if they use certificate authentication (i.e. not pre-shared keys).
+ Otherwise, in many scenarios, the server could be impersonated.
+ The library will now prevent the handshake and return
+ MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ if mbedtls_ssl_set_hostname() has not been called.
+ Reported by Daniel Stenberg.
diff --git a/ChangeLog.d/removal-of-rng.txt b/ChangeLog.d/removal-of-rng.txt
new file mode 100644
index 0000000..a8a19f4
--- /dev/null
+++ b/ChangeLog.d/removal-of-rng.txt
@@ -0,0 +1,5 @@
+API changes
+ * All API functions now use the PSA random generator psa_get_random()
+ internally. As a consequence, functions no longer take RNG parameters.
+ Please refer to the migration guide at :
+ tf-psa-crypto/docs/4.0-migration-guide.md.
diff --git a/ChangeLog.d/tls12-check-finished-calc.txt b/ChangeLog.d/tls12-check-finished-calc.txt
new file mode 100644
index 0000000..cd52d32
--- /dev/null
+++ b/ChangeLog.d/tls12-check-finished-calc.txt
@@ -0,0 +1,6 @@
+Security
+ * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
+ or there was a cryptographic hardware failure when calculating the
+ Finished message, it could be calculated incorrectly. This would break
+ the security guarantees of the TLS handshake.
+ CVE-2025-27810
diff --git a/README.md b/README.md
index 448f372..fc1536e 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@
* If not cross-compiling, running `make` with any target, or just `make`, will automatically generate required files.
* On non-Windows systems, when not cross-compiling, CMake will generate the required files automatically.
* Run `make generated_files` to generate all the configuration-independent files.
-* On Unix/POSIX systems, run `tests/scripts/check-generated-files.sh -u` to generate all the configuration-independent files.
+* On Unix/POSIX systems, run `framework/scripts/make_generated_files.py` to generate all the configuration-independent files.
* On Windows, run `scripts\make_generated_files.bat` to generate all the configuration-independent files.
### Make
diff --git a/framework b/framework
index 28dc4ca..a39ba59 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 28dc4cae3f71f5425dd42953c6f2f38d49123bee
+Subproject commit a39ba59344fd4f1d0ee267ca414b9420d5dca9f5
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 88a31f2..c77cec8 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -165,6 +165,39 @@
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
+/* Error space gap */
+/** Attempt to verify a certificate without an expected hostname.
+ * This is usually insecure.
+ *
+ * In TLS clients, when a client authenticates a server through its
+ * certificate, the client normally checks three things:
+ * - the certificate chain must be valid;
+ * - the chain must start from a trusted CA;
+ * - the certificate must cover the server name that is expected by the client.
+ *
+ * Omitting any of these checks is generally insecure, and can allow a
+ * malicious server to impersonate a legitimate server.
+ *
+ * The third check may be safely skipped in some unusual scenarios,
+ * such as networks where eavesdropping is a risk but not active attacks,
+ * or a private PKI where the client equally trusts all servers that are
+ * accredited by the root CA.
+ *
+ * You should call mbedtls_ssl_set_hostname() with the expected server name
+ * before starting a TLS handshake on a client (unless the client is
+ * set up to only use PSK-based authentication, which does not rely on the
+ * host name). If you have determined that server name verification is not
+ * required for security in your scenario, call mbedtls_ssl_set_hostname()
+ * with \p NULL as the server name.
+ *
+ * This error is raised if all of the following conditions are met:
+ *
+ * - A TLS client is configured with the authentication mode
+ * #MBEDTLS_SSL_VERIFY_REQUIRED (default).
+ * - Certificate authentication is enabled.
+ * - The client does not call mbedtls_ssl_set_hostname().
+ */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80
/*
* Constants from RFC 8446 for TLS 1.3 PSK modes
@@ -1230,8 +1263,8 @@
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
- char *ticket_alpn; /*!< ALPN negotiated in the session
- during which the ticket was generated. */
+ char *MBEDTLS_PRIVATE(ticket_alpn); /*!< ALPN negotiated in the session
+ during which the ticket was generated. */
#endif
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C)
@@ -1590,6 +1623,14 @@
* Miscellaneous
*/
int MBEDTLS_PRIVATE(state); /*!< SSL handshake: current state */
+
+ /** Mask of `MBEDTLS_SSL_CONTEXT_FLAG_XXX`.
+ * See `mbedtls_ssl_context_flags_t` in ssl_misc.h.
+ *
+ * This field is not saved by mbedtls_ssl_session_save().
+ */
+ uint32_t MBEDTLS_PRIVATE(flags);
+
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int MBEDTLS_PRIVATE(renego_status); /*!< Initial, in progress, pending? */
int MBEDTLS_PRIVATE(renego_records_seen); /*!< Records since renego request, or with DTLS,
@@ -1897,6 +1938,17 @@
* \note The PSA crypto subsystem must have been initialized by
* calling psa_crypto_init() before calling this function.
*
+ * \note After setting up a client context, if certificate-based
+ * authentication is enabled, you should call
+ * mbedtls_ssl_set_hostname() to specifiy the expected
+ * name of the server. Otherwise, if server authentication
+ * is required (which is the case by default) and the
+ * selected key exchange involves a certificate (i.e. is not
+ * based on a pre-shared key), the certificate authentication
+ * will fail. See
+ * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ * for more information.
+ *
* \param ssl SSL context
* \param conf SSL configuration to use
*
@@ -3746,16 +3798,29 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set or reset the hostname to check against the received
- * server certificate. It sets the ServerName TLS extension,
- * too, if that extension is enabled. (client-side only)
+ * peer certificate. On a client, this also sets the
+ * ServerName TLS extension, if that extension is enabled.
+ * On a TLS 1.3 client, this also sets the server name in
+ * the session resumption ticket, if that feature is enabled.
*
* \param ssl SSL context
- * \param hostname the server hostname, may be NULL to clear hostname
-
- * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ * \param hostname The server hostname. This may be \c NULL to clear
+ * the hostname.
*
- * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
- * allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ * \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ *
+ * \note If the hostname is \c NULL on a client, then the server
+ * is not authenticated: it only needs to have a valid
+ * certificate, not a certificate matching its name.
+ * Therefore you should always call this function on a client,
+ * unless the connection is set up to only allow
+ * pre-shared keys, or in scenarios where server
+ * impersonation is not a concern. See the documentation of
+ * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ * for more details.
+ *
+ * \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ * allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* too long input hostname.
*
* Hostname set to the one provided on success (cleared
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 9a2485d..9228a3b 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -16,6 +16,9 @@
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
+#include "mbedtls/debug.h"
+#include "debug_internal.h"
+
#include "mbedtls/cipher.h"
#include "psa/crypto.h"
@@ -51,6 +54,22 @@
#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
#endif
+/** Flag values for mbedtls_ssl_context::flags. */
+typedef enum {
+ /** Set if mbedtls_ssl_set_hostname() has been called. */
+ MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET = 1,
+} mbedtls_ssl_context_flags_t;
+
+/** Flags from ::mbedtls_ssl_context_flags_t to keep in
+ * mbedtls_ssl_session_reset().
+ *
+ * The flags that are in this list are kept until explicitly updated or
+ * until mbedtls_ssl_free(). The flags that are not listed here are
+ * reset to 0 in mbedtls_ssl_session_reset().
+ */
+#define MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION \
+ (MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET)
+
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
@@ -1289,12 +1308,30 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_DEBUG_C)
+/* Declared in "ssl_debug_helpers.h". We can't include this file from
+ * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
+ * type definitions. TODO: split the type definitions and the helper
+ * functions into different headers.
+ */
+const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
+#endif
+
static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
mbedtls_ssl_states state)
{
+ MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
+ ssl->state, mbedtls_ssl_states_str(ssl->state),
+ (int) state, mbedtls_ssl_states_str(state)));
ssl->state = (int) state;
}
+static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
+}
+
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index be0dc92..dba8d74 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3699,6 +3699,7 @@
rec->buf_len = rec->data_offset + rec->data_len;
if (rec->data_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("rejecting empty record"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
@@ -5044,7 +5045,7 @@
ssl->out_msglen = 1;
ssl->out_msg[0] = 1;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -5106,7 +5107,7 @@
mbedtls_ssl_update_in_pointers(ssl);
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9812a2a..f95f3c7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1410,7 +1410,8 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
+ ssl->flags &= MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION;
ssl->tls_version = ssl->conf->max_tls_version;
mbedtls_ssl_session_reset_msg_layer(ssl, partial);
@@ -2456,6 +2457,31 @@
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+/** Whether mbedtls_ssl_set_hostname() has been called.
+ *
+ * \param[in] ssl SSL context
+ *
+ * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
+ * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
+ * otherwise \c 0.
+ */
+static int mbedtls_ssl_has_set_hostname_been_called(
+ const mbedtls_ssl_context *ssl)
+{
+ return (ssl->flags & MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET) != 0;
+}
+#endif
+
+static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
+{
+ if (ssl->hostname != NULL) {
+ mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
+ }
+ ssl->hostname = NULL;
+}
+
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
/* Initialize to suppress unnecessary compiler warning */
@@ -2473,10 +2499,7 @@
/* Now it's clear that we will overwrite the old hostname,
* so we can free it safely */
-
- if (ssl->hostname != NULL) {
- mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
- }
+ mbedtls_ssl_free_hostname(ssl);
/* Passing NULL as hostname shall clear the old one */
@@ -2493,6 +2516,8 @@
ssl->hostname[hostname_len] = '\0';
}
+ ssl->flags |= MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET;
+
return 0;
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -4211,7 +4236,7 @@
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = 0;
break;
@@ -4362,7 +4387,7 @@
}
#endif
- ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
@@ -5120,7 +5145,7 @@
* Most of them already set to the correct value by mbedtls_ssl_init() and
* mbedtls_ssl_reset(), so we only need to set the remaining ones.
*/
- ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
/* Adjust pointers for header fields of outgoing records to
@@ -5230,9 +5255,7 @@
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
- if (ssl->hostname != NULL) {
- mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
- }
+ mbedtls_ssl_free_hostname(ssl);
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
@@ -6704,7 +6727,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6721,7 +6744,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6744,7 +6767,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6752,7 +6775,7 @@
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
if (ssl->handshake->client_auth == 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
}
@@ -6806,7 +6829,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -7260,7 +7283,7 @@
exit:
if (ret == 0) {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
@@ -7438,7 +7461,7 @@
#endif
mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
- ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
}
@@ -7455,6 +7478,7 @@
ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ return ret;
}
/*
@@ -7481,16 +7505,16 @@
if (ssl->handshake->resume != 0) {
#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
}
#endif
} else {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
/*
@@ -7568,6 +7592,7 @@
ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ return ret;
}
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
@@ -7615,16 +7640,16 @@
if (ssl->handshake->resume != 0) {
#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
}
#endif
} else {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -8748,6 +8773,25 @@
return ret;
}
+static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
+ const char **hostname)
+{
+ if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
+ if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
+ ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
+ }
+ }
+
+ *hostname = ssl->hostname;
+ if (*hostname == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
+ }
+
+ return 0;
+}
+
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
int authmode,
mbedtls_x509_crt *chain,
@@ -8773,7 +8817,13 @@
p_vrfy = ssl->conf->p_vrfy;
}
- int ret = 0;
+ const char *hostname = "";
+ int ret = get_hostname_for_verification(ssl, &hostname);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
+ return ret;
+ }
+
int have_ca_chain_or_callback = 0;
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if (ssl->conf->f_ca_cb != NULL) {
@@ -8786,7 +8836,7 @@
ssl->conf->f_ca_cb,
ssl->conf->p_ca_cb,
ssl->conf->cert_profile,
- ssl->hostname,
+ hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy);
} else
@@ -8813,7 +8863,7 @@
chain,
ca_chain, ca_crl,
ssl->conf->cert_profile,
- ssl->hostname,
+ hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy, rs_ctx);
}
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index e0743e1..df7dfbf 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1118,7 +1118,7 @@
ssl->handshake->cookie_len = cookie_len;
/* Start over at ClientHello */
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = mbedtls_ssl_reset_checksum(ssl);
if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
@@ -1327,7 +1327,7 @@
ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->id_len != n ||
memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->resume = 0;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@@ -1336,7 +1336,7 @@
ssl->session_negotiate->id_len = n;
memcpy(ssl->session_negotiate->id, buf + 35, n);
} else {
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
@@ -1839,7 +1839,7 @@
}
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
((void) p);
@@ -2147,7 +2147,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
exit:
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
@@ -2165,7 +2165,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2192,7 +2192,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2210,7 +2210,7 @@
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->client_auth =
(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
@@ -2381,7 +2381,7 @@
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -2683,7 +2683,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2712,7 +2712,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2754,14 +2754,14 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
if (ssl->handshake->client_auth == 0 ||
mbedtls_ssl_own_cert(ssl) == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2843,7 +2843,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2917,7 +2917,7 @@
/* We're not waiting for a NewSessionTicket message any more */
ssl->handshake->new_session_ticket = 0;
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
/*
* Zero-length ticket means the server changed his mind and doesn't want
@@ -2978,13 +2978,13 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
ssl->handshake->new_session_ticket != 0) {
- ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_NEW_SESSION_TICKET);
}
#endif
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@@ -3069,7 +3069,7 @@
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e178550..2b2b49f 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1597,7 +1597,7 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->handshake->ciphersuite_info = ciphersuite_info;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -2015,7 +2015,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
- ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2183,7 +2183,7 @@
* New session, create a new session id,
* unless we're about to issue a session ticket
*/
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@@ -2207,7 +2207,7 @@
* Resuming a session
*/
n = ssl->session_negotiate->id_len;
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
@@ -2333,7 +2333,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2356,7 +2356,7 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
@@ -3080,7 +3080,7 @@
/* Key exchanges not involving ephemeral keys don't use
* ServerKeyExchange, so end here. */
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
@@ -3134,7 +3134,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -3156,7 +3156,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -3461,7 +3461,7 @@
return ret;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
@@ -3479,7 +3479,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -3505,20 +3505,20 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
if (ssl->session_negotiate->peer_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert_digest == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@@ -3530,7 +3530,7 @@
return ret;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
/* Process the message contents */
if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
@@ -3714,7 +3714,7 @@
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@@ -3803,7 +3803,7 @@
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8fea581..bb67c40 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -68,6 +68,7 @@
#define DFL_MAX_VERSION -1
#define DFL_SHA1 -1
#define DFL_AUTH_MODE -1
+#define DFL_SET_HOSTNAME 1
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
#define DFL_RECSPLIT -1
@@ -409,6 +410,9 @@
#define USAGE2 \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
+ " set_hostname=%%s call mbedtls_ssl_set_hostname()?" \
+ " options: no, server_name, NULL\n" \
+ " default: server_name (but ignored if certs disabled)\n" \
USAGE_IO \
USAGE_KEY_OPAQUE \
USAGE_CA_CALLBACK \
@@ -511,6 +515,8 @@
int max_version; /* maximum protocol version accepted */
int allow_sha1; /* flag for SHA-1 support */
int auth_mode; /* verify mode for connection */
+ int set_hostname; /* call mbedtls_ssl_set_hostname()? */
+ /* 0=no, 1=yes, -1=NULL */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* negotiate truncated hmac or not */
int recsplit; /* enable record splitting? */
@@ -961,6 +967,7 @@
opt.max_version = DFL_MAX_VERSION;
opt.allow_sha1 = DFL_SHA1;
opt.auth_mode = DFL_AUTH_MODE;
+ opt.set_hostname = DFL_SET_HOSTNAME;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.recsplit = DFL_RECSPLIT;
@@ -1355,6 +1362,16 @@
} else {
goto usage;
}
+ } else if (strcmp(p, "set_hostname") == 0) {
+ if (strcmp(q, "no") == 0) {
+ opt.set_hostname = 0;
+ } else if (strcmp(q, "server_name") == 0) {
+ opt.set_hostname = 1;
+ } else if (strcmp(q, "NULL") == 0) {
+ opt.set_hostname = -1;
+ } else {
+ goto usage;
+ }
} else if (strcmp(p, "max_frag_len") == 0) {
if (strcmp(q, "512") == 0) {
opt.mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_512;
@@ -2058,10 +2075,24 @@
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- if ((ret = mbedtls_ssl_set_hostname(&ssl, opt.server_name)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
- ret);
- goto exit;
+ switch (opt.set_hostname) {
+ case -1:
+ if ((ret = mbedtls_ssl_set_hostname(&ssl, NULL)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
+ ret);
+ goto exit;
+ }
+ break;
+ case 0:
+ /* Skip the call */
+ break;
+ default:
+ if ((ret = mbedtls_ssl_set_hostname(&ssl, opt.server_name)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
+ ret);
+ goto exit;
+ }
+ break;
}
#endif
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 354e97e..e194b58 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -316,7 +316,6 @@
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
* for more info.
*/
@@ -351,7 +350,6 @@
return (int) (size - n);
#endif /* MBEDTLS_X509_REMOVE_INFO */
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
static void mbedtls_print_supported_sig_algs(void)
{
diff --git a/scripts/config.py b/scripts/config.py
index 417f6e2..3fc3614 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -96,7 +96,6 @@
'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # interface and behavior change
'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
- 'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources
'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 418b668..f10b23b 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -6,31 +6,10 @@
@rem * Either a C compiler called "cc" must be on the PATH, or
@rem the "CC" environment variable must point to a C compiler.
-@rem @@@@ library\** @@@@
-python tf-psa-crypto\scripts\generate_driver_wrappers.py || exit /b 1
-perl scripts\generate_errors.pl || exit /b 1
-perl scripts\generate_query_config.pl || exit /b 1
-perl scripts\generate_features.pl || exit /b 1
-python framework\scripts\generate_ssl_debug_helpers.py || exit /b 1
-
-@rem @@@@ programs\** @@@@
+@rem @@@@ tf-psa-crypto @@@@
cd tf-psa-crypto
-python scripts\generate_psa_constants.py || exit /b 1
-python framework\scripts\generate_config_tests.py || exit /b 1
+python framework\scripts\make_generated_files.py || exit /b 1
cd ..
-@rem @@@@ tests\** @@@@
-python framework\scripts\generate_bignum_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
-python framework\scripts\generate_config_tests.py || exit /b 1
-python framework\scripts\generate_ecp_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
-python framework\scripts\generate_psa_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
-python framework\scripts\generate_test_keys.py --output tests\include\test\test_keys.h || exit /b 1
-python tf-psa-crypto\framework\scripts\generate_test_keys.py --output tf-psa-crypto\tests\include\test\test_keys.h || exit /b 1
-python framework\scripts\generate_test_cert_macros.py --output tests\include\test\test_certs.h || exit /b 1
-python framework\scripts\generate_tls_handshake_tests.py || exit /b 1
-python framework\scripts\generate_tls13_compat_tests.py || exit /b 1
-
-@rem @@@@ Build @@@@
-@rem Call generate_visualc_files.pl last to be sure everything else has been
-@rem generated before.
-perl scripts\generate_visualc_files.pl || exit /b 1
+@rem @@@@ mbedtls @@@@
+python framework\scripts\make_generated_files.py || exit /b 1
diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h
deleted file mode 100644
index f230fd3..0000000
--- a/tests/configs/user-config-for-test.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* TF_PSA_CRYPTO_USER_CONFIG_FILE for testing.
- * Only used for a few test configurations.
- *
- * Typical usage (note multiple levels of quoting):
- * make CFLAGS="'-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-/* The #MBEDTLS_PSA_INJECT_ENTROPY feature requires two extra platform
- * functions, which must be configured as #MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
- * and #MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO. The job of these functions
- * is to read and write from the entropy seed file, which is located
- * in the PSA ITS file whose uid is #PSA_CRYPTO_ITS_RANDOM_SEED_UID.
- * (These could have been provided as library functions, but for historical
- * reasons, they weren't, and so each integrator has to provide a copy
- * of these functions.)
- *
- * Provide implementations of these functions for testing. */
-#include <stddef.h>
-int mbedtls_test_inject_entropy_seed_read(unsigned char *buf, size_t len);
-int mbedtls_test_inject_entropy_seed_write(unsigned char *buf, size_t len);
-#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_test_inject_entropy_seed_read
-#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_test_inject_entropy_seed_write
-#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 769749d..95bfdb6 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -476,6 +476,18 @@
* /p second_ssl is used as second endpoint and their sockets have to be
* connected before calling this function.
*
+ * For example, to perform a full handshake:
+ * ```
+ * mbedtls_test_move_handshake_to_state(
+ * &server.ssl, &client.ssl,
+ * MBEDTLS_SSL_HANDSHAKE_OVER);
+ * mbedtls_test_move_handshake_to_state(
+ * &client.ssl, &server.ssl,
+ * MBEDTLS_SSL_HANDSHAKE_OVER);
+ * ```
+ * Note that you need both calls to reach the handshake-over state on
+ * both sides.
+ *
* \retval 0 on success, otherwise error code.
*/
int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,
diff --git a/tests/psa-client-server/psasim/src/psa_sim_generate.pl b/tests/psa-client-server/psasim/src/psa_sim_generate.pl
index 5770dea..3eec226 100755
--- a/tests/psa-client-server/psasim/src/psa_sim_generate.pl
+++ b/tests/psa-client-server/psasim/src/psa_sim_generate.pl
@@ -27,7 +27,6 @@
'mbedtls_psa_crypto_free', # redefined rather than wrapped
'mbedtls_psa_external_get_random', # not in the default config, uses unsupported type
'mbedtls_psa_get_stats', # uses unsupported type
- 'mbedtls_psa_inject_entropy', # not in the default config, generally not for client use anyway
'mbedtls_psa_platform_get_builtin_key', # not in the default config, uses unsupported type
'psa_get_key_slot_number', # not in the default config, uses unsupported type
'psa_key_derivation_verify_bytes', # not implemented yet
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b1261bf..089cb6b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1,112 +1,16 @@
#! /usr/bin/env bash
-# all.sh (transitional wrapper)
+# all.sh (mbedtls part)
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-# This is a transitional wrapper that's only meant for the CI.
-# Developers should directly invoke on or two of:
-# - tests/scripts/mbedtls-all.sh ...
-# - (cd tf-psa-crypto && tests/scripts/all.sh ...)
-#
-# During the transition, it's illegal for a tf-psa-crypto component to have
-# the same name as an mbedtls components; since this wrapper handles both
-# sides at once, component names need to be globally unique. Once the
-# transition period is over, unicity on each side will be enough.
-#
-# For context, here are the steps of the transition:
-# 1. We have an all.sh in tf-psa-crypto but for now we don't invoke it directly
-# on the CI, only through this transitional wrapper in mbedtls. (tf-psa-crypto
-# doesn't have its own CI initially and runs Mbed TLS's instead.)
-# 2. We move all relevant components to tf-psa-crypto so that it gets the level of
-# coverage we want. We need to make sure the new names are unique.
-# 3. We change the CI job on tf-psa-crypto to stop checking out mbedtls and running
-# its all.sh - instead we do the normal thing of checking out tf-psa-crypto and
-# running its all.sh. (In two steps: (a) add the new job, (b) remove the old
-# one.)
-# 4. We remove the transitional wrapper in mbedtls and we're now free to rename
-# tf-psa-crypto components as we want. If we followed a consistent naming
-# pattern, this can be as simple as s/_tf_psa_crypto// in components-*.sh.
+# This file is executable; it is the entry point for users and the CI.
+# See "Files structure" in all-core.sh for other files used.
# This script must be invoked from the project's root.
-# There are exactly 4 ways this is invoked in the CI:
-# 1. tests/scripts/all.sh --help
-# 2. tests/scripts/all.sh --list-all-components
-# 3. tests/scripts/all.sh --list-components
-# 4. tests/scripts/all.sh --seed 4 --keep-going single_component_name
-# This wrapper does not support other invocations.
+FRAMEWORK="$PWD/framework"
+source $FRAMEWORK/scripts/all-core.sh
-set -eu
-
-# Cases 1-3
-if [ "$#" -eq 1 ]; then
- if [ "$1" = '--help' ]; then
- # It doesn't matter which one we use, they're the same
- tests/scripts/mbedtls-all.sh "$1"
- exit 0
- fi
- if [ "$1" = '--list-all-components' -o "$1" = '--list-components' ]; then
- # Invoke both
- tests/scripts/mbedtls-all.sh "$1"
- (cd tf-psa-crypto && tests/scripts/all.sh "$1")
- exit 0
- fi
-fi
-
-if [ "$#" -ne 4 -o "${1:-unset}" != '--seed' -o "${3:-unset}" != '--keep-going' ]; then
- echo "This invocation is not supported by the transitional wrapper." >&2
- echo "See the comments at the top of $0." >&2
- exit 1
-fi
-
-# Case 4: invoke the right all.sh for this component
-comp_name=$4
-
-# Get the list of components available on each side.
-COMP_MBEDTLS=$(tests/scripts/mbedtls-all.sh --list-all-components | tr '\n' ' ')
-COMP_CRYPTO=$(cd tf-psa-crypto && tests/scripts/all.sh --list-all-components | tr '\n' ' ')
-
-# tell if $1 is in space-separated list $2
-is_in() {
- needle=$1
- haystack=$2
- case " $haystack " in
- *" $needle "*) echo 1;;
- *) echo 0;;
- esac
-}
-
-is_crypto=$(is_in "$comp_name" "$COMP_CRYPTO")
-is_mbedtls=$(is_in "$comp_name" "$COMP_MBEDTLS")
-
-# Component should be on exactly one side (see comment near the top).
-if [ "$is_crypto" -eq 1 -a "$is_mbedtls" -eq 1 ]; then
- echo "Component '$comp_name' is both in crypto and Mbed TLS". >&2
- echo "See the comments at the top of $0." >&2
- exit 1
-fi
-if [ "$is_crypto" -eq 0 -a "$is_mbedtls" -eq 0 ]; then
- echo "Component '$comp_name' is neither in crypto nor in Mbed TLS". >&2
- echo "See the comments at the top of $0." >&2
- exit 1
-fi
-
-
-# Invoke the real thing
-if [ "$is_crypto" -eq 1 ]; then
- # Make sure the path to the outcomes file is absolute. This is done by
- # pre_prepare_outcome_file() however by the time it runs we've already
- # changed the working directory, so do it now.
- if [ -n "${MBEDTLS_TEST_OUTCOME_FILE+set}" ]; then
- case "$MBEDTLS_TEST_OUTCOME_FILE" in
- [!/]*) MBEDTLS_TEST_OUTCOME_FILE="$PWD/$MBEDTLS_TEST_OUTCOME_FILE";;
- esac
- export MBEDTLS_TEST_OUTCOME_FILE
- fi
- cd tf-psa-crypto
- exec tests/scripts/all.sh "$@"
-else
- exec tests/scripts/mbedtls-all.sh "$@"
-fi
+main "$@"
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 5f8f910..c7c9ed5 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -118,10 +118,11 @@
# Untested platform-specific optimizations.
# https://github.com/Mbed-TLS/mbedtls/issues/9588
'Config: MBEDTLS_HAVE_SSE2',
- # Obsolete configuration option, to be replaced by
+ # Obsolete configuration options, to be replaced by
# PSA entropy drivers.
# https://github.com/Mbed-TLS/mbedtls/issues/8150
'Config: MBEDTLS_NO_PLATFORM_ENTROPY',
+ 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
# Untested aspect of the platform interface.
# https://github.com/Mbed-TLS/mbedtls/issues/9589
'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
deleted file mode 100755
index e3c8e08..0000000
--- a/tests/scripts/check-generated-files.sh
+++ /dev/null
@@ -1,189 +0,0 @@
-#! /usr/bin/env sh
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-#
-# Purpose
-#
-# Check if generated files are up-to-date.
-
-set -eu
-
-if [ $# -ne 0 ] && [ "$1" = "--help" ]; then
- cat <<EOF
-$0 [-l | -u]
-This script checks that all generated file are up-to-date. If some aren't, by
-default the scripts reports it and exits in error; with the -u option, it just
-updates them instead.
-
- -u Update the files rather than return an error for out-of-date files.
- -l List generated files, but do not update them.
-EOF
- exit
-fi
-
-. framework/scripts/project_detection.sh
-
-if in_mbedtls_repo; then
- if [ -d tf-psa-crypto ]; then
- crypto_core_dir='tf-psa-crypto/core'
- builtin_drivers_dir='tf-psa-crypto/drivers/builtin/src'
- else
- crypto_core_dir='library'
- builtin_drivers_dir='library'
- fi
-elif in_tf_psa_crypto_repo; then
- crypto_core_dir='core'
- builtin_drivers_dir='drivers/builtin/src/'
-else
- echo "Must be run from Mbed TLS root or TF-PSA-Crypto root" >&2
- exit 1
-fi
-
-UPDATE=
-LIST=
-while getopts lu OPTLET; do
- case $OPTLET in
- l) LIST=1;;
- u) UPDATE=1;;
- esac
-done
-
-# check SCRIPT FILENAME[...]
-# check SCRIPT DIRECTORY
-# Run SCRIPT and check that it does not modify any of the specified files.
-# In the first form, there can be any number of FILENAMEs, which must be
-# regular files.
-# In the second form, there must be a single DIRECTORY, standing for the
-# list of files in the directory. Running SCRIPT must not modify any file
-# in the directory and must not add or remove files either.
-# If $UPDATE is empty, abort with an error status if a file is modified.
-check()
-{
- SCRIPT=$1
- shift
-
- if [ -n "$LIST" ]; then
- printf '%s\n' "$@"
- return
- fi
-
- directory=
- if [ -d "$1" ]; then
- directory="$1"
- rm -f "$directory"/*.bak
- set -- "$1"/*
- fi
-
- for FILE in "$@"; do
- if [ -e "$FILE" ]; then
- cp -p "$FILE" "$FILE.bak"
- else
- rm -f "$FILE.bak"
- fi
- done
-
- # In the case of the config tests, generate only the files to be checked
- # by the caller as they are divided into Mbed TLS and TF-PSA-Crypto
- # specific ones.
- if [ "${SCRIPT##*/}" = "generate_config_tests.py" ]; then
- "$SCRIPT" "$@"
- else
- "$SCRIPT"
- fi
-
- # Compare the script output to the old files and remove backups
- for FILE in "$@"; do
- if diff "$FILE" "$FILE.bak" >/dev/null 2>&1; then
- # Move the original file back so that $FILE's timestamp doesn't
- # change (avoids spurious rebuilds with make).
- mv "$FILE.bak" "$FILE"
- else
- echo "'$FILE' was either modified or deleted by '$SCRIPT'"
- if [ -z "$UPDATE" ]; then
- exit 1
- else
- rm -f "$FILE.bak"
- fi
- fi
- done
-
- if [ -n "$directory" ]; then
- old_list="$*"
- set -- "$directory"/*
- new_list="$*"
- # Check if there are any new files
- if [ "$old_list" != "$new_list" ]; then
- echo "Files were deleted or created by '$SCRIPT'"
- echo "Before: $old_list"
- echo "After: $new_list"
- if [ -z "$UPDATE" ]; then
- exit 1
- fi
- fi
- fi
-}
-
-# Note: if the format of calls to the "check" function changes, update
-# framework/scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
-# the format must be "check SCRIPT FILENAME...". For other source files,
-# any shell syntax is permitted (including e.g. command substitution).
-
-# Note: Instructions to generate those files are replicated in:
-# - **/Makefile (to (re)build them with make)
-# - **/CMakeLists.txt (to (re)build them with cmake)
-# - scripts/make_generated_files.bat (to generate them under Windows)
-
-# These checks are common to Mbed TLS and TF-PSA-Crypto
-
-# The first case is temporary for the hybrid situation with a tf-psa-crypto
-# directory in Mbed TLS that is not just a TF-PSA-Crypto submodule.
-if [ -d tf-psa-crypto ]; then
- cd tf-psa-crypto
- check scripts/generate_psa_constants.py ./programs/psa/psa_constant_names_generated.c
- check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list)
- check framework/scripts/generate_config_tests.py $(framework/scripts/generate_config_tests.py --list)
- check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
- check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
- cd ..
- # Generated files that are present in the repository even in the development
- # branch. (This is intended to be temporary, until the generator scripts are
- # fully reviewed and the build scripts support a generated header file.)
- check framework/scripts/generate_psa_wrappers.py tf-psa-crypto/tests/include/test/psa_test_wrappers.h tf-psa-crypto/tests/src/psa_test_wrappers.c
- check tf-psa-crypto/scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
- ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
- check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.mbedtls_boolean.data
-else
- check scripts/generate_psa_constants.py ./programs/psa/psa_constant_names_generated.c
- check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list)
- if in_tf_psa_crypto_repo; then
- check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.psa_boolean.data
- else
- check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.mbedtls_boolean.data
- fi
- check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
- check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
- check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
- ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
- # Generated files that are present in the repository even in the development
- # branch. (This is intended to be temporary, until the generator scripts are
- # fully reviewed and the build scripts support a generated header file.)
- check framework/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c
-fi
-
-check framework/scripts/generate_test_keys.py tests/include/test/test_keys.h
-
-# Additional checks for Mbed TLS only
-if in_mbedtls_repo; then
- check scripts/generate_errors.pl library/error.c
- check scripts/generate_query_config.pl programs/test/query_config.c
- check scripts/generate_features.pl library/version_features.c
- check framework/scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
- check framework/scripts/generate_tls_handshake_tests.py tests/opt-testcases/handshake-generated.sh
- check framework/scripts/generate_tls13_compat_tests.py tests/opt-testcases/tls13-compat.sh
- check framework/scripts/generate_test_cert_macros.py tests/include/test/test_certs.h
- # generate_visualc_files enumerates source files (library/*.c). It doesn't
- # care about their content, but the files must exist. So it must run after
- # the step that creates or updates these files.
- check scripts/generate_visualc_files.pl visualc/VS2017
-fi
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 3d58895..cb66e37 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -261,21 +261,6 @@
tests/ssl-opt.sh -f 'Default\|opaque'
}
-component_test_psa_inject_entropy () {
- msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY"
- scripts/config.py full
- scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY
- scripts/config.py set MBEDTLS_ENTROPY_NV_SEED
- scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
- scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
- make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
-
- msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
- make test
-}
-
component_full_no_pkparse_pkwrite () {
msg "build: full without pkparse and pkwrite"
diff --git a/tests/scripts/mbedtls-all.sh b/tests/scripts/mbedtls-all.sh
deleted file mode 100755
index 089cb6b..0000000
--- a/tests/scripts/mbedtls-all.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#! /usr/bin/env bash
-
-# all.sh (mbedtls part)
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-# This file is executable; it is the entry point for users and the CI.
-# See "Files structure" in all-core.sh for other files used.
-
-# This script must be invoked from the project's root.
-
-FRAMEWORK="$PWD/framework"
-source $FRAMEWORK/scripts/all-core.sh
-
-main "$@"
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 020631a..1d03eaf 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -863,6 +863,10 @@
ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
TEST_ASSERT(ret == 0);
+ if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
+ ret = mbedtls_ssl_set_hostname(&(ep->ssl), "localhost");
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER && dtls_context != NULL) {
mbedtls_ssl_conf_dtls_cookies(&(ep->conf), NULL, NULL, NULL);
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 90b3143..cd1cae0 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -476,6 +476,11 @@
esac
case " $CMD_LINE " in
+ *\ ca_callback=1\ *)
+ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK;;
+ esac
+
+ case " $CMD_LINE " in
*"programs/ssl/dtls_client "*|\
*"programs/ssl/ssl_client1 "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
@@ -2277,7 +2282,6 @@
"$P_CLI" \
0
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "CA callback on client" \
"$P_SRV debug_level=3" \
"$P_CLI ca_callback=1 debug_level=3 " \
@@ -2286,7 +2290,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "CA callback on server" \
@@ -5971,6 +5974,215 @@
-C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
+# The next few tests check what happens if the server has a valid certificate
+# that does not match its name (impersonation).
+
+run_test "Authentication: hostname match, client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhost debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname match, client required, CA callback" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhost debug_level=3 ca_callback=1" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch (wrong), client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=wrong-name debug_level=1" \
+ 1 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch (empty), client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name= debug_level=1" \
+ 1 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch (truncated), client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhos debug_level=1" \
+ 1 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch (last char), client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhoss debug_level=1" \
+ 1 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch (trailing), client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhostt debug_level=1" \
+ 1 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch, client optional" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=optional server_name=wrong-name debug_level=2" \
+ 0 \
+ -c "does not match with the expected CN" \
+ -c "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname mismatch, client none" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname null, client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname null, client optional" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=optional set_hostname=NULL debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname null, client none" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client required" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required set_hostname=no debug_level=2" \
+ 1 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "get_hostname_for_verification() returned -" \
+ -C "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client required, CA callback" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required set_hostname=no debug_level=3 ca_callback=1" \
+ 1 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "get_hostname_for_verification() returned -" \
+ -C "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client optional" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=optional set_hostname=no debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client none" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=none set_hostname=no debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client default, server picks cert, 1.2" \
+ "$P_SRV force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
+ 1 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "get_hostname_for_verification() returned -" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Authentication: hostname unset, client default, server picks cert, 1.3" \
+ "$P_SRV force_version=tls13 tls13_kex_modes=ephemeral" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
+ 1 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "get_hostname_for_verification() returned -" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" \
+ "$P_SRV force_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" \
+ "$P_SRV force_version=tls13 tls13_kex_modes=psk psk=73776f726466697368 psk_identity=foo" \
+ "$P_CLI psk=73776f726466697368 psk_identity=foo set_hostname=no debug_level=2" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "X509 - Certificate verification failed"
+
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
@@ -6315,7 +6527,6 @@
# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
# When updating these tests, modify the matching authentication tests accordingly
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server badcert, client required" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -6327,7 +6538,6 @@
-c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -6339,7 +6549,6 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server badcert, client none" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
@@ -6358,7 +6567,6 @@
# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
# different means to have the server ignoring the client's supported curve list.
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
@@ -6369,7 +6577,6 @@
-c "! Certificate verification flags" \
-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
@@ -6380,7 +6587,6 @@
-c "! Certificate verification flags"\
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client SHA384, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
@@ -6392,7 +6598,6 @@
-c "Supported Signature Algorithm found: 04 " \
-c "Supported Signature Algorithm found: 05 "
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client SHA256, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
@@ -6404,7 +6609,6 @@
-c "Supported Signature Algorithm found: 04 " \
-c "Supported Signature Algorithm found: 05 "
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6426,7 +6630,6 @@
# detect that its write end of the connection is closed and abort
# before reading the alert message.
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client cert not trusted, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
@@ -6444,7 +6647,6 @@
-s "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server optional" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6465,7 +6667,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
@@ -6476,7 +6677,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
@@ -6487,7 +6687,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
@@ -6499,7 +6698,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
@@ -6510,7 +6708,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
@@ -6521,7 +6718,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int chain, server required" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8ec582a..4567dbd 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -106,6 +106,315 @@
#define TEST_GCM_OR_CHACHAPOLY_ENABLED
#endif
+typedef enum {
+ RECOMBINE_NOMINAL, /* param: ignored */
+ RECOMBINE_SPLIT_FIRST, /* param: offset of split (<=0 means from end) */
+ RECOMBINE_TRUNCATE_FIRST, /* param: offset of truncation (<=0 means from end) */
+ RECOMBINE_INSERT_EMPTY, /* param: offset (<0 means from end) */
+ RECOMBINE_INSERT_RECORD, /* param: record type */
+ RECOMBINE_COALESCE, /* param: number of records (INT_MAX=all) */
+ RECOMBINE_COALESCE_SPLIT_ONCE, /* param: offset of split (<=0 means from end) */
+ RECOMBINE_COALESCE_SPLIT_BOTH_ENDS, /* param: offset, must be >0 */
+} recombine_records_instruction_t;
+
+/* Keep this in sync with the recombine_server_first_flight()
+ * See comment there. */
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
+ defined(PSA_WANT_ALG_SHA_256) && \
+ defined(PSA_WANT_ECC_SECP_R1_256) && \
+ defined(PSA_WANT_ECC_SECP_R1_384) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
+ defined(PSA_WANT_ALG_ECDSA_ANY)
+
+/* Split the first record into two pieces of lengths offset and
+ * record_length-offset. If offset is zero or negative, count from the end of
+ * the record. */
+static int recombine_split_first_record(mbedtls_test_ssl_buffer *buf,
+ int offset)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset > 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ /* Check that we have room to insert a record header */
+ TEST_LE_U(buf->content_length + header_length, buf->capacity);
+
+ /* Make room for a record header */
+ size_t new_record_start = header_length + offset;
+ size_t new_content_start = new_record_start + header_length;
+ memmove(buf->buffer + new_content_start,
+ buf->buffer + new_record_start,
+ buf->content_length - new_record_start);
+ buf->content_length += header_length;
+
+ /* Construct a header for the new record based on the existing one */
+ memcpy(buf->buffer + new_record_start, buf->buffer, header_length);
+ MBEDTLS_PUT_UINT16_BE(record_length - offset,
+ buf->buffer, new_content_start - 2);
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Truncate the first record, keeping only the first offset bytes.
+ * If offset is zero or negative, count from the end of the record.
+ * Remove the subsequent records.
+ */
+static int recombine_truncate_first_record(mbedtls_test_ssl_buffer *buf,
+ int offset)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset > 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ /* Wipe the rest */
+ size_t truncated_end = header_length + offset;
+ memset(buf->buffer + truncated_end, '!',
+ buf->content_length - truncated_end);
+ buf->content_length = truncated_end;
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Insert a (dummy) record at the given offset. If offset is negative,
+ * count from the end of the first record. */
+static int recombine_insert_record(mbedtls_test_ssl_buffer *buf,
+ int offset,
+ uint8_t inserted_record_type)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset >= 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ uint8_t inserted_content[42] = { 0 };
+ size_t inserted_content_length = 0;
+ switch (inserted_record_type) {
+ case MBEDTLS_SSL_MSG_ALERT:
+ inserted_content[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+ inserted_content[1] = MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION;
+ inserted_content_length = 2;
+ break;
+ case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+ inserted_content[0] = 0x01;
+ inserted_content_length = 1;
+ break;
+ case MBEDTLS_SSL_MSG_APPLICATION_DATA:
+ inserted_content_length = sizeof(inserted_content);
+ break;
+ default:
+ /* Leave the content empty */
+ break;
+ }
+
+ /* Check that we have room to insert two record headers plus the new
+ * content. */
+ TEST_LE_U(buf->content_length + 2 * header_length + inserted_content_length,
+ buf->capacity);
+
+ /* Make room for the inserted record and a record header for the fragment */
+ size_t inserted_record_start = header_length + offset;
+ size_t inserted_content_start = inserted_record_start + header_length;
+ size_t tail_record_start = inserted_content_start + inserted_content_length;
+ size_t tail_content_start = tail_record_start + header_length;
+ memmove(buf->buffer + tail_content_start,
+ buf->buffer + inserted_record_start,
+ buf->content_length - inserted_record_start);
+ buf->content_length += 2 * header_length;
+
+ /* Construct the inserted record based on the existing one */
+ memcpy(buf->buffer + inserted_record_start, buf->buffer, header_length);
+ buf->buffer[inserted_record_start] = inserted_record_type;
+ MBEDTLS_PUT_UINT16_BE(inserted_content_length,
+ buf->buffer, inserted_content_start - 2);
+ memcpy(buf->buffer + inserted_content_start,
+ inserted_content, inserted_content_length);
+
+ /* Construct header for the last fragment based on the existing one */
+ memcpy(buf->buffer + tail_record_start, buf->buffer, header_length);
+ MBEDTLS_PUT_UINT16_BE(record_length - offset,
+ buf->buffer, tail_content_start - 2);
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Coalesce TLS handshake records.
+ * DTLS is not supported.
+ * Encrypted or authenticated handshake records are not supported.
+ * Assume the buffer content is a valid sequence of records.
+ *
+ * Coalesce only the first max records, or all the records if there are
+ * fewer than max.
+ * Return the number of coalesced records, or -1 on error.
+ */
+static int recombine_coalesce_handshake_records(mbedtls_test_ssl_buffer *buf,
+ int max)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ if (buf->buffer[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ return 0;
+ }
+
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+ TEST_LE_U(header_length + record_length, buf->content_length);
+
+ int count;
+ for (count = 1; count < max; count++) {
+ size_t next_start = header_length + record_length;
+ if (next_start >= buf->content_length) {
+ /* We've already reached the last record. */
+ break;
+ }
+
+ TEST_LE_U(next_start + header_length, buf->content_length);
+ if (buf->buffer[next_start] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ /* There's another record, but it isn't a handshake record. */
+ break;
+ }
+ size_t next_length =
+ MBEDTLS_GET_UINT16_BE(buf->buffer, next_start + header_length - 2);
+ TEST_LE_U(next_start + header_length + next_length, buf->content_length);
+
+ /* Erase the next record header */
+ memmove(buf->buffer + next_start,
+ buf->buffer + next_start + header_length,
+ buf->content_length - next_start);
+ buf->content_length -= header_length;
+ /* Update the first record length */
+ record_length += next_length;
+ TEST_LE_U(record_length, 0xffff);
+ MBEDTLS_PUT_UINT16_BE(record_length, buf->buffer, header_length - 2);
+ }
+
+ return count;
+
+exit:
+ return -1;
+}
+
+static int recombine_records(mbedtls_test_ssl_endpoint *server,
+ recombine_records_instruction_t instruction,
+ int param)
+{
+ mbedtls_test_ssl_buffer *buf = server->socket.output;
+ int ret;
+
+ /* buf is a circular buffer. For simplicity, this code assumes that
+ * the data is located at the beginning. This should be ok since
+ * this function is only meant to be used on the first flight
+ * emitted by a server. */
+ TEST_EQUAL(buf->start, 0);
+
+ switch (instruction) {
+ case RECOMBINE_NOMINAL:
+ break;
+
+ case RECOMBINE_SPLIT_FIRST:
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_TRUNCATE_FIRST:
+ ret = recombine_truncate_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_INSERT_EMPTY:
+ /* Insert an empty handshake record. */
+ ret = recombine_insert_record(buf, param, MBEDTLS_SSL_MSG_HANDSHAKE);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_INSERT_RECORD:
+ /* Insert an extra record at a position where splitting
+ * would be ok. */
+ ret = recombine_insert_record(buf, 5, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_COALESCE:
+ ret = recombine_coalesce_handshake_records(buf, param);
+ /* If param != INT_MAX, enforce that there were that many
+ * records to coalesce. In particular, 1 < param < INT_MAX
+ * ensures that library will see some coalesced records. */
+ if (param == INT_MAX) {
+ TEST_LE_S(1, ret);
+ } else {
+ TEST_EQUAL(ret, param);
+ }
+ break;
+
+ case RECOMBINE_COALESCE_SPLIT_ONCE:
+ ret = recombine_coalesce_handshake_records(buf, INT_MAX);
+ /* Require at least two coalesced records, otherwise this
+ * doesn't lead to a meaningful test (use
+ * RECOMBINE_SPLIT_FIRST instead). */
+ TEST_LE_S(2, ret);
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_COALESCE_SPLIT_BOTH_ENDS:
+ ret = recombine_coalesce_handshake_records(buf, INT_MAX);
+ /* Accept a single record, which will be split at both ends */
+ TEST_LE_S(1, ret);
+ TEST_LE_S(1, param);
+ ret = recombine_split_first_record(buf, -param);
+ TEST_LE_S(0, ret);
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ default:
+ TEST_FAIL("Instructions not understood");
+ }
+
+ return 1;
+
+exit:
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED etc */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -2871,6 +3180,165 @@
}
/* END_CASE */
+/* This test case doesn't actually depend on certificates,
+ * but our helper code for mbedtls_test_ssl_endpoint does.
+ * Also, it needs specific hashes, algs and curves for the
+ * hardcoded test certificates. In principle both RSA and ECDSA
+ * can be used, but we hardcode ECDSA in order to avoid having
+ * to express dependencies like "RSA or ECDSA with those curves". */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ALG_ECDSA_ANY */
+void recombine_server_first_flight(int version,
+ int instruction, int param,
+ char *client_log, char *server_log,
+ int goal_state, int expected_ret)
+{
+ /* Make sure we have a buffer that's large enough for the longest
+ * data that the library might ever send, plus a bit extra so that
+ * we can inject more content. The library won't ever send more than
+ * 2^14 bytes of handshake messages, so we round that up. In practice
+ * we could surely get away with a much smaller buffer. The main
+ * variable part is the server certificate. */
+ enum { BUFFSIZE = 17000 };
+ mbedtls_test_ssl_endpoint client;
+ memset(&client, 0, sizeof(client));
+ mbedtls_test_ssl_endpoint server;
+ memset(&server, 0, sizeof(server));
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_test_init_handshake_options(&server_options);
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_test_ssl_log_pattern cli_pattern = { .pattern = client_log };
+ mbedtls_test_ssl_log_pattern srv_pattern = { .pattern = server_log };
+#else
+ (void) client_log;
+ (void) server_log;
+#endif
+ int ret = 0;
+
+ MD_OR_USE_PSA_INIT();
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_debug_set_threshold(3);
+#endif
+
+ // Does't really matter but we want to know to declare dependencies.
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+
+ client_options.client_min_version = version;
+ client_options.client_max_version = version;
+#if defined(MBEDTLS_DEBUG_C)
+ client_options.cli_log_obj = &cli_pattern;
+ client_options.cli_log_fun = mbedtls_test_ssl_log_analyzer;
+#endif
+ TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL,
+ NULL), 0);
+
+ server_options.server_min_version = version;
+ server_options.server_max_version = version;
+#if defined(MBEDTLS_DEBUG_C)
+ server_options.srv_log_obj = &srv_pattern;
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+#endif
+ TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL,
+ NULL), 0);
+
+ TEST_EQUAL(mbedtls_test_mock_socket_connect(&client.socket,
+ &server.socket,
+ BUFFSIZE), 0);
+
+ /* Client: emit the first flight from the client */
+ while (ret == 0) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ }
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ ret = 0;
+ TEST_EQUAL(client.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+
+ /* Server: parse the first flight from the client
+ * and emit the first flight from the server */
+ while (ret == 0) {
+ mbedtls_test_set_step(1000 + server.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&server.ssl);
+ }
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ ret = 0;
+ TEST_EQUAL(server.ssl.state, MBEDTLS_SSL_SERVER_HELLO_DONE + 1);
+
+ /* Recombine the first flight from the server */
+ TEST_ASSERT(recombine_records(&server, instruction, param));
+
+ /* Client: parse the first flight from the server
+ * and emit the second flight from the client */
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ if (client.ssl.state == goal_state && ret != 0) {
+ TEST_EQUAL(ret, expected_ret);
+ goto goal_reached;
+ }
+ }
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* A default TLS 1.3 handshake has only 1 flight from the server,
+ * while the default (non-resumption) 1.2 handshake has two. */
+ if (version >= MBEDTLS_SSL_VERSION_TLS1_3 &&
+ goal_state >= MBEDTLS_SSL_HANDSHAKE_OVER) {
+ TEST_EQUAL(ret, 0);
+ } else
+#endif
+ {
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ }
+ ret = 0;
+
+ /* Server: parse the first flight from the client
+ * and emit the second flight from the server */
+ if (instruction == RECOMBINE_TRUNCATE_FIRST) {
+ /* Close without a notification. The case of closing with a
+ * notification is tested via RECOMBINE_INSERT_RECORD to insert
+ * an alert record (which we reject, making the client SSL
+ * context become invalid). */
+ mbedtls_test_mock_socket_close(&server.socket);
+ goto goal_reached;
+ }
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&server.ssl)) {
+ mbedtls_test_set_step(1000 + server.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&server.ssl);
+ }
+ TEST_EQUAL(ret, 0);
+
+ /* Client: parse the second flight from the server */
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ }
+ if (client.ssl.state == goal_state) {
+ TEST_EQUAL(ret, expected_ret);
+ } else {
+ TEST_EQUAL(ret, 0);
+ }
+
+goal_reached:
+#if defined(MBEDTLS_DEBUG_C)
+ TEST_ASSERT(cli_pattern.counter >= 1);
+ TEST_ASSERT(srv_pattern.counter >= 1);
+#endif
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client, NULL);
+ mbedtls_test_ssl_endpoint_free(&server, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ MD_OR_USE_PSA_DONE();
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_debug_set_threshold(0);
+#endif
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void renegotiation(int legacy_renegotiation)
{
diff --git a/tests/suites/test_suite_ssl.records.data b/tests/suites/test_suite_ssl.records.data
new file mode 100644
index 0000000..8220cb0
--- /dev/null
+++ b/tests/suites/test_suite_ssl.records.data
@@ -0,0 +1,162 @@
+Recombine server flight 1: TLS 1.2, nominal
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_NOMINAL:0:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, nominal
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_NOMINAL:0:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce 2
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:2:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce 3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:3:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce all
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:INT_MAX:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# TLS 1.3 has a single non-encrypted handshake record, so this doesn't
+# actually perform any coalescing. Run the test case anyway, but this does
+# very little beyond exercising the test code itself a little.
+Recombine server flight 1: TLS 1.3, coalesce all
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_COALESCE:INT_MAX:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, split first at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, split first at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, split first at end-1
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:-1:"subsequent handshake fragment\: 1,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, split first at end-1
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:-1:"subsequent handshake fragment\: 1,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# The library doesn't support an initial handshake fragment that doesn't
+# contain the full 4-byte handshake header.
+Recombine server flight 1: TLS 1.2, split first at 3 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:3:"handshake message too short\: 3":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 3 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:3:"handshake message too short\: 3":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, split first at 2 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:2:"handshake message too short\: 2":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 2 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:2:"handshake message too short\: 2":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, split first at 1 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:1:"handshake message too short\: 1":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 1 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:1:"handshake message too short\: 1":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, truncate at 4 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_TRUNCATE_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_WANT_READ
+
+Recombine server flight 1: TLS 1.3, truncate at 4 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_TRUNCATE_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_WANT_READ
+
+Recombine server flight 1: TLS 1.2, insert empty record after first (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_CERTIFICATE:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record after first (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:0:"rejecting empty record":"":MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert empty record at start (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_EMPTY:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record at start (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_EMPTY:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert empty record at 42 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_EMPTY:42:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record at 42 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_EMPTY:42:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert ChangeCipherSpec record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert ChangeCipherSpec record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert alert record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_ALERT:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert alert record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_ALERT:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert data record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_APPLICATION_DATA:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert data record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_APPLICATION_DATA:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert CID record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CID:"unknown record type":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert CID record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CID:"unknown record type":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert unknown record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:255:"unknown record type 255":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert unknown record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:255:"unknown record type 255":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+# Since there is a single unencrypted handshake message in the first flight
+# from the server, and the test code that recombines handshake records can only
+# handle plaintext records, we can't have TLS 1.3 tests with coalesced
+# handshake messages. Hence most coalesce-and-split test cases are 1.2-only.
+
+Recombine server flight 1: TLS 1.2, coalesce and split at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_ONCE:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# The last message of the first flight from the server is ServerHelloDone,
+# which is an empty handshake message, i.e. of length 4. The library doesn't
+# support fragmentation of a handshake header, so the last place where we
+# can split the flight is 4+1 = 5 bytes before it ends, with 1 byte in the
+# previous handshake message and 4 bytes of ServerHelloDone including header.
+Recombine server flight 1: TLS 1.2, coalesce and split at end-5
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_ONCE:-5:"subsequent handshake fragment\: 5,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce and split at both ends
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_BOTH_ENDS:5:"subsequent handshake fragment\: 5,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 376cd12..107d923 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -11,37 +11,6 @@
#include "mbedtls/pk.h"
#include "mbedtls/psa_util.h"
-#if defined(MBEDTLS_PEM_WRITE_C) && \
- defined(MBEDTLS_X509_CRT_WRITE_C) && \
- defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(PSA_WANT_ALG_SHA_1) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len)
-{
- return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, NULL, NULL,
- olen, input, output, output_max_len);
-}
-
-static int mbedtls_rsa_sign_func(void *ctx,
- mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig)
-{
- return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- md_alg,
- hashlen,
- hash,
- sig);
-}
-static size_t mbedtls_rsa_key_len_func(void *ctx)
-{
- return ((const mbedtls_rsa_context *) ctx)->len;
-}
-#endif
-
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
@@ -436,19 +405,6 @@
issuer_key_type = mbedtls_pk_get_type(&issuer_key);
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
- /* For RSA PK contexts, create a copy as an alternative RSA context. */
- if (pk_wrap == 1 && issuer_key_type == MBEDTLS_PK_RSA) {
- TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&issuer_key_alt,
- mbedtls_pk_rsa(issuer_key),
- mbedtls_rsa_decrypt_func,
- mbedtls_rsa_sign_func,
- mbedtls_rsa_key_len_func) == 0);
-
- key = &issuer_key_alt;
- }
-#endif
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 43ea7fa..4a9f29b 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 43ea7fa25cd8a288c5b75dbb0b4eb47df6ffca8b
+Subproject commit 4a9f29b05c661bd874c75d80339fcce00adea4e0
diff --git a/visualc/VS2017/.gitignore b/visualc/VS2017/.gitignore
index a9ded4a..e45eaf6 100644
--- a/visualc/VS2017/.gitignore
+++ b/visualc/VS2017/.gitignore
@@ -1,4 +1,4 @@
-# Files that may be left over from check-generated-files.sh
+# Files that may be left over from make_generated-files.py --check
/*.bak
# Visual Studio artifacts