Merge pull request #5892 from AndrzejKurek/ssl-opt-client-kill-fix
Fix a bug with executing ssl-client2 in ssl-opt.sh in a subshell
diff --git a/ChangeLog.d/fix-time-format-pre-2000.txt b/ChangeLog.d/fix-time-format-pre-2000.txt
new file mode 100644
index 0000000..414201e
--- /dev/null
+++ b/ChangeLog.d/fix-time-format-pre-2000.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Encode X.509 dates before 1/1/2000 as UTCTime rather than
+ GeneralizedTime. Fixes #5465.
diff --git a/ChangeLog.d/tls13-fix-finished-fetch.txt b/ChangeLog.d/tls13-fix-finished-fetch.txt
new file mode 100644
index 0000000..28c30f9
--- /dev/null
+++ b/ChangeLog.d/tls13-fix-finished-fetch.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix handshake failure when the peer Finished message has not been received
+ yet when we first try to fetch it. The fetching is moved before the
+ preprocessing computations to avoid doing them multiple times, which was
+ causing the handshake to fail.
diff --git a/ChangeLog.d/x509_ext_types_accessor.txt b/ChangeLog.d/x509_ext_types_accessor.txt
new file mode 100644
index 0000000..13a3152
--- /dev/null
+++ b/ChangeLog.d/x509_ext_types_accessor.txt
@@ -0,0 +1,3 @@
+Features
+ * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
+ field within mbedtls_x509_crt context, as requested in #5585.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 0a99693..79d7ddd 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -642,15 +642,11 @@
MBEDTLS_SSL_HANDSHAKE_OVER,
MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
MBEDTLS_SSL_HELLO_RETRY_REQUEST,
MBEDTLS_SSL_ENCRYPTED_EXTENSIONS,
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
-#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}
mbedtls_ssl_states;
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 3e331d4..aa45957 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -957,6 +957,23 @@
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+/**
+ * \brief Query certificate for given extension type
+ *
+ * \param[in] ctx Certificate context to be queried, must not be \c NULL
+ * \param ext_type Extension type being queried for, must be a valid
+ * extension type. Must be one of the MBEDTLS_X509_EXT_XXX
+ * values
+ *
+ * \return 0 if the given extension type is not present,
+ * non-zero otherwise
+ */
+static inline int mbedtls_x509_crt_has_ext_type( const mbedtls_x509_crt *ctx,
+ int ext_type )
+{
+ return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
+}
+
/** \} name Structures and functions for parsing and writing X.509 certificates */
#if defined(MBEDTLS_X509_CRT_WRITE_C)
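Review bot: mbedtls_x509_crt_has_ext_type() returns the raw masked bits `ctx->MBEDTLS_PRIVATE(ext_types) & ext_type`, not 0/1, so a caller that compares the result with 1 or stores it in a narrower type will misread it. The `\return` text says "non-zero", but it does not say what happens when `ext_type` combines several MBEDTLS_X509_EXT_XXX bits, where the result is non-zero if any one of them is set. Either document this, e.g. `\note The value returned is the matching bit mask; test it with != 0.`, or normalise with `return( ( ctx->MBEDTLS_PRIVATE(ext_types) & ext_type ) != 0 );`. The new test in test_suite_x509parse.function compares against the raw mask and would have to follow a normalisation.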
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 239be53..3b49ec5 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -34,6 +34,9 @@
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
{ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
@@ -160,12 +163,14 @@
size_t verify_buffer_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf;
uint16_t algorithm;
size_t signature_len;
mbedtls_pk_type_t sig_alg;
mbedtls_md_type_t md_alg;
- unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ unsigned char verify_hash[PSA_HASH_MAX_SIZE];
size_t verify_hash_len;
void const *options = NULL;
@@ -212,6 +217,12 @@
goto error;
}
+ hash_alg = mbedtls_psa_translate_md( md_alg );
+ if( hash_alg == 0 )
+ {
+ goto error;
+ }
+
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
( unsigned int ) algorithm ) );
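Review bot: The new guard tests `hash_alg == 0` although the declaration added in the previous hunk initialises the variable with `PSA_ALG_NONE`; writing `if( hash_alg == PSA_ALG_NONE )` states the intent and keeps the two lines in step. The branch also reaches `error` without a debug message, so an unmapped digest is indistinguishable in the log from the other failures that jump to the same label. The label itself, and the rest of the function, are outside this hunk.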
@@ -229,38 +240,15 @@
p += 2;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
- /* Hash verify buffer with indicated hash function */
- switch( md_alg )
+ status = psa_hash_compute( hash_alg,
+ verify_buffer,
+ verify_buffer_len,
+ verify_hash,
+ sizeof( verify_hash ),
+ &verify_hash_len );
+ if( status != PSA_SUCCESS )
{
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- verify_hash_len = 32;
- ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
- break;
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- verify_hash_len = 48;
- ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
- break;
-#endif /* MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- verify_hash_len = 64;
- ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
- break;
-#endif /* MBEDTLS_SHA512_C */
-
- default:
- ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- break;
- }
-
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status );
goto error;
}
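Review bot: `MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status )` passes a psa_status_t to a macro that formats its argument as a library return code, so the log shows a PSA value in the Mbed TLS error-number space. `ret` is also never updated from `status` on this path. The signing-side hunk later in this file converts with psa_ssl_status_to_mbedtls(). Doing the same here, `ret = psa_ssl_status_to_mbedtls( status );` followed by `MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_compute", ret );`, would keep the two paths consistent. What the `error` label returns is outside this hunk, so whether `ret` reaches the caller cannot be confirmed from here.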
@@ -991,11 +979,12 @@
size_t verify_buffer_len;
mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
size_t signature_len = 0;
- const mbedtls_md_info_t *md_info;
unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
size_t verify_hash_len;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
*out_len = 0;
@@ -1056,15 +1045,15 @@
p += 2;
/* Hash verify buffer with indicated hash function */
- md_info = mbedtls_md_info_from_type( md_alg );
- if( md_info == NULL )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ psa_algorithm = mbedtls_psa_translate_md( md_alg );
+ status = psa_hash_compute( psa_algorithm,
+ verify_buffer,
+ verify_buffer_len,
+ verify_hash,sizeof( verify_hash ),
+ &verify_hash_len );
+ if( status != PSA_SUCCESS )
+ return( psa_ssl_status_to_mbedtls( status ) );
- ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
- if( ret != 0 )
- return( ret );
-
- verify_hash_len = mbedtls_md_get_size( md_info );
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
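Review bot: The result of mbedtls_psa_translate_md() goes straight into psa_hash_compute() without the check that the verification path in this file performs on `hash_alg`. An unmapped `md_alg` is therefore reported as whatever PSA returns for algorithm 0 rather than the previous MBEDTLS_ERR_SSL_INTERNAL_ERROR. Adding `if( psa_algorithm == PSA_ALG_NONE ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` before the call keeps the old error. `verify_hash` is still declared with MBEDTLS_MD_MAX_SIZE in the previous hunk while the verification path moved to PSA_HASH_MAX_SIZE; the call is bounded by `sizeof( verify_hash )`, so this is a consistency issue rather than an overflow. The function starts and ends outside the hunk.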
@@ -1190,13 +1179,15 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
- /* Preprocessing step: Compute handshake digest */
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
-
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
MBEDTLS_SSL_HS_FINISHED,
&buf, &buf_len ) );
+
+ /* Preprocessing step: Compute handshake digest */
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
+
MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
+
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
buf, buf_len );
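Review bot: Nothing at the call site records why the fetch now has to precede the digest computation, so a later tidy-up could move it back. Per the ChangeLog entry in this commit, the fetch can be attempted before the peer's Finished has arrived, and the preprocessing must not be repeated when the function runs again. A comment above the fetch such as `/* Fetch first: this may be retried before the message arrives, and the digest preprocessing below must run only once. */` would pin that down. The enclosing function starts and ends outside the hunk.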
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index f3843b1..6502307 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1628,14 +1628,17 @@
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
ret = mbedtls_ssl_tls13_process_certificate( ssl );
- if( ret == 0 && ssl->session_negotiate->peer_cert != NULL )
+ if( ret == 0 )
{
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
+ if( ssl->session_negotiate->peer_cert != NULL )
+ {
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
+ }
+ else
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_FINISHED );
}
- else
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_FINISHED );
break;
case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
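Review bot: When `peer_cert` is NULL the server moves straight to MBEDTLS_SSL_CLIENT_FINISHED, so CertificateVerify is skipped purely because mbedtls_ssl_tls13_process_certificate() returned 0. That is only sound if that function rejects an empty client certificate whenever authentication is required, which is not visible in this hunk. A comment on the else arm, e.g. `/* No client certificate: accepted by process_certificate() under the configured authmode, so no CertificateVerify follows. */`, would make the dependency explicit. The `else` is also left unbraced next to a braced `if`; bracing both arms avoids a dangling-statement mistake in a state machine where a wrong transition is security-relevant.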
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 6d1e7b3..2992dba 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -324,7 +324,7 @@
/*
* write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
*/
- if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
+ if( t[0] < '2' || ( t[0] == '2' && t[1] == '0' && t[2] < '5' ) )
{
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
(const unsigned char *) t + 2,
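Review bot: The widened test `t[0] < '2'` sends every year below 2000 to UTCTime, including years before 1950. UTCTime in X.509 carries only two year digits, and RFC 5280 reads 50-99 as 19YY and 00-49 as 20YY, so a date such as 1949 would be written as "49..." and parsed back as 2049. Restricting the first arm to the representable range, `if( ( t[0] == '1' && t[1] == '9' && t[2] >= '5' ) || ( t[0] == '2' && t[1] == '0' && t[2] < '5' ) )`, lets earlier years fall through to GeneralizedTime. The comment above should then read "1950 <= year < 2050". Whether such dates are rejected before reaching this function is not visible here, and the new test data only covers 1970.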
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 274f0de..5192342 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -105,19 +105,15 @@
mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_SERVER
Test moving clients handshake to state: HELLO_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HELLO_REQUEST:1
Test moving clients handshake to state: CLIENT_HELLO
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_HELLO:1
Test moving clients handshake to state: SERVER_HELLO
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO:1
Test moving clients handshake to state: SERVER_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CERTIFICATE:1
Test moving clients handshake to state: SERVER_KEY_EXCHANGE
@@ -125,7 +121,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
Test moving clients handshake to state: CERTIFICATE_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
Test moving clients handshake to state: SERVER_HELLO_DONE
@@ -133,7 +128,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_DONE:1
Test moving clients handshake to state: CLIENT_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
Test moving clients handshake to state: CLIENT_KEY_EXCHANGE
@@ -141,7 +135,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
Test moving clients handshake to state: CERTIFICATE_VERIFY
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
Test moving clients handshake to state: CLIENT_CHANGE_CIPHER_SPEC
@@ -149,7 +142,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
Test moving clients handshake to state: CLIENT_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_FINISHED:1
Test moving clients handshake to state: SERVER_CHANGE_CIPHER_SPEC
@@ -157,35 +149,27 @@
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
Test moving clients handshake to state: SERVER_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_FINISHED:1
Test moving clients handshake to state: FLUSH_BUFFERS
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_FLUSH_BUFFERS:1
Test moving clients handshake to state: HANDSHAKE_WRAPUP
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
Test moving clients handshake to state: HANDSHAKE_OVER
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_OVER:1
Test moving servers handshake to state: HELLO_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HELLO_REQUEST:1
Test moving servers handshake to state: CLIENT_HELLO
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_HELLO:1
Test moving servers handshake to state: SERVER_HELLO
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO:1
Test moving servers handshake to state: SERVER_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CERTIFICATE:1
Test moving servers handshake to state: SERVER_KEY_EXCHANGE
@@ -193,7 +177,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
Test moving servers handshake to state: CERTIFICATE_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
Test moving servers handshake to state: SERVER_HELLO_DONE
@@ -201,7 +184,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO_DONE:1
Test moving servers handshake to state: CLIENT_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
Test moving servers handshake to state: CLIENT_KEY_EXCHANGE
@@ -209,7 +191,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
Test moving servers handshake to state: CERTIFICATE_VERIFY
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
Test moving servers handshake to state: CLIENT_CHANGE_CIPHER_SPEC
@@ -217,7 +198,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
Test moving servers handshake to state: CLIENT_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_FINISHED:1
Test moving servers handshake to state: SERVER_CHANGE_CIPHER_SPEC
@@ -225,7 +205,6 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
Test moving servers handshake to state: SERVER_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_FINISHED:1
Test moving servers handshake to state: FLUSH_BUFFERS
@@ -233,11 +212,9 @@
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_FLUSH_BUFFERS:1
Test moving servers handshake to state: HANDSHAKE_WRAPUP
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
Test moving servers handshake to state: HANDSHAKE_OVER
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_OVER:1
Negative test moving clients ssl to state: VERIFY_REQUEST_SENT
@@ -248,10 +225,30 @@
depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:0
+TLS 1.3:Test moving clients handshake to state: ENCRYPTED_EXTENSIONS
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:1
+
+TLS 1.3:Test moving servers handshake to state: ENCRYPTED_EXTENSIONS
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:1
+
+TLS 1.3:Test moving clients handshake to state: CLIENT_CERTIFICATE_VERIFY
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:1
+
+TLS 1.3:Test moving servers handshake to state: CLIENT_CERTIFICATE_VERIFY
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:1
+
Handshake, tls1_2
depends_on:MBEDTLS_SSL_PROTO_TLS1_2
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2
+Handshake, tls1_3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3
+
Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:0
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 2685e6a..8d683ad 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -886,6 +886,7 @@
*
* \retval 0 on success, otherwise error code.
*/
+
int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg,
mbedtls_test_message_socket_context *dtls_context,
mbedtls_test_message_queue *input_queue,
@@ -966,6 +967,8 @@
if( group_list != NULL )
mbedtls_ssl_conf_groups( &(ep->conf), group_list );
+ mbedtls_ssl_conf_authmode( &( ep->conf ), MBEDTLS_SSL_VERIFY_REQUIRED );
+
ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) );
TEST_ASSERT( ret == 0 );
@@ -2096,6 +2099,17 @@
}
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &client.ssl ) == 1 );
+
+ /* Make sure server state is moved to HANDSHAKE_OVER also. */
+ TEST_ASSERT( mbedtls_move_handshake_to_state( &(server.ssl),
+ &(client.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER )
+ == expected_handshake_result );
+ if( expected_handshake_result != 0 )
+ {
+ goto exit;
+ }
+
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &server.ssl ) == 1 );
/* Check that both sides have negotiated the expected version. */
@@ -4867,7 +4881,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
{
enum { BUFFSIZE = 1024 };
@@ -4896,12 +4910,16 @@
state );
if( need_pass )
{
- TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( ret == 0 ||
+ ret == MBEDTLS_ERR_SSL_WANT_READ ||
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( base_ep.ssl.state == state );
}
else
{
- TEST_ASSERT( ret != 0 );
+ TEST_ASSERT( ret != 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( base_ep.ssl.state != state );
}
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index e21b450..d04b7d8 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -2791,3 +2791,11 @@
X509 CRT verify restart: one int, int badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
+
+X509 ext types accessor: ext type present
+depends_on:MBEDTLS_X509_CRT_PARSE_C
+x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_KEY_USAGE
+
+X509 ext types accessor: ext type not present
+depends_on:MBEDTLS_X509_CRT_PARSE_C
+x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 8605b63..1d06fe3 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -401,6 +401,22 @@
* END_DEPENDENCIES
*/
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
+void x509_accessor_ext_types( int ext_type, int has_ext_type )
+{
+ mbedtls_x509_crt crt;
+ int expected_result = ext_type & has_ext_type;
+
+ mbedtls_x509_crt_init( &crt );
+
+ crt.ext_types = ext_type;
+
+ TEST_ASSERT( mbedtls_x509_crt_has_ext_type( &crt, has_ext_type ) == expected_result );
+
+ mbedtls_x509_crt_free( &crt );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void x509_parse_san( char * crt_file, char * result_str )
{
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 888c9ab..8d9a11a 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -58,6 +58,22 @@
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt"
+Certificate write check Server1 SHA1, not before 1970
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, not after 2050
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, not before 1970, not after 2050
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, not before 2050, not after 2059
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+
Certificate write check Server1 SHA1, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt"
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index f5001bd..8f5c947 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -242,8 +242,10 @@
mbedtls_x509write_cert crt;
unsigned char buf[4096];
unsigned char check_buf[5000];
+ unsigned char *p, *end;
+ unsigned char tag, sz;
mbedtls_mpi serial;
- int ret;
+ int ret, before_tag, after_tag;
size_t olen = 0, pem_len = 0, buf_index = 0;
int der_len = -1;
FILE *f;
@@ -374,7 +376,7 @@
TEST_EQUAL( flags, 0 );
TEST_EQUAL( ret, 0 );
}
- else
+ else if( *cert_check_file != '\0' )
{
f = fopen( cert_check_file, "r" );
TEST_ASSERT( f != NULL );
@@ -395,6 +397,54 @@
if( der_len == 0 )
goto exit;
+ // Not testing against file, check date format
+ if( *cert_check_file == '\0' )
+ {
+ // UTC tag if before 2050, 2 digits less for year
+ if( not_before[0] == '2' && ( not_before[1] > '0' || not_before[2] > '4' ) )
+ {
+ before_tag = MBEDTLS_ASN1_GENERALIZED_TIME;
+ }
+ else
+ {
+ before_tag = MBEDTLS_ASN1_UTC_TIME;
+ not_before += 2;
+ }
+ if( not_after[0] == '2' && ( not_after[1] > '0' || not_after[2] > '4' ) )
+ {
+ after_tag = MBEDTLS_ASN1_GENERALIZED_TIME;
+ }
+ else
+ {
+ after_tag = MBEDTLS_ASN1_UTC_TIME;
+ not_after += 2;
+ }
+ end = buf + sizeof( buf );
+ for( p = end - der_len ; p < end ; )
+ {
+ tag = *p++;
+ sz = *p++;
+ if( tag == MBEDTLS_ASN1_UTC_TIME || tag == MBEDTLS_ASN1_GENERALIZED_TIME )
+ {
+ // Check correct tag and time written
+ TEST_ASSERT( before_tag == tag );
+ TEST_ASSERT( memcmp( p, not_before, sz - 1 ) == 0 );
+ p += sz;
+ tag = *p++;
+ sz = *p++;
+ TEST_ASSERT( after_tag == tag );
+ TEST_ASSERT( memcmp( p, not_after, sz - 1 ) == 0 );
+ break;
+ }
+ // Increment if long form ASN1 length
+ if( sz & 0x80 )
+ p += sz & 0x0F;
+ if( tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+ p += sz;
+ }
+ TEST_ASSERT( p < end );
+ }
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
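Review bot: The hand-written DER walk reads `tag` and `sz` and then advances `p` or calls memcmp() with `sz - 1` without checking either against `end`. For a long-form length on a primitive element it also adds the raw length octet (`p += sz` with bit 0x80 still set) instead of the decoded length. With the certificates generated here the validity field is probably reached before that matters, but a layout change would produce an out-of-bounds read of `buf` rather than a clean test failure. Guarding the comparisons with `TEST_ASSERT( sz > 0 && (size_t)( end - p ) >= sz );` and decoding lengths with mbedtls_asn1_get_len() would make the walk fail safely.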