Merge pull request #1216 from Mbed-TLS/mbedtls-3.6.0_mergeback
Mbedtls 3.6.0 mergeback
diff --git a/tests/compat.sh b/tests/compat.sh
index a101ffd..d7a91b4 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -131,22 +131,28 @@
# list_test_cases lists all potential test cases in compat.sh without execution
list_test_cases() {
- reset_ciphersuites
for TYPE in $TYPES; do
+ reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_mbedtls_ciphersuites
- done
- for VERIFY in $VERIFIES; do
- VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
- for MODE in $MODES; do
- print_test_case m O "$O_CIPHERS"
- print_test_case O m "$O_CIPHERS"
- print_test_case m G "$G_CIPHERS"
- print_test_case G m "$G_CIPHERS"
- print_test_case m m "$M_CIPHERS"
+ # PSK cipher suites do not allow client certificate verification.
+ SUB_VERIFIES=$VERIFIES
+ if [ "$TYPE" = "PSK" ]; then
+ SUB_VERIFIES="NO"
+ fi
+
+ for VERIFY in $SUB_VERIFIES; do
+ VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
+ for MODE in $MODES; do
+ print_test_case m O "$O_CIPHERS"
+ print_test_case O m "$O_CIPHERS"
+ print_test_case m G "$G_CIPHERS"
+ print_test_case G m "$G_CIPHERS"
+ print_test_case m m "$M_CIPHERS"
+ done
done
done
}
@@ -264,12 +270,6 @@
# Ciphersuite for GnuTLS
G_CIPHERS=$( filter "$G_CIPHERS" )
fi
-
- # For GnuTLS client -> Mbed TLS server,
- # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
- if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
- G_CIPHERS=""
- fi
}
reset_ciphersuites()
@@ -939,13 +939,7 @@
;;
[Gg]nu*)
- # need to force IPv4 with UDP, but keep localhost for auth
- if is_dtls "$MODE"; then
- G_HOST="127.0.0.1"
- else
- G_HOST="localhost"
- fi
- CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
+ CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 localhost"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5c791be..a7c4020 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -6871,12 +6871,23 @@
0 \
-c "Read from server: .* bytes read"
+# Tests for version negotiation. Some information to ease the understanding
+# of the version negotiation test titles below:
+# . 1.2/1.3 means that only TLS 1.2/TLS 1.3 is enabled.
+# . 1.2+1.3 means that both TLS 1.2 and TLS 1.3 are enabled.
+# . 1.2+(1.3)/(1.2)+1.3 means that TLS 1.2/1.3 is enabled and that
+# TLS 1.3/1.2 may be enabled or not.
+# . max=1.2 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
+# TLS 1.3 is disabled at runtime (maximum negotiable version is TLS 1.2).
+# . min=1.3 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
+# TLS 1.2 is disabled at runtime (minimum negotiable version is TLS 1.3).
+
# Tests for version negotiation, MbedTLS client and server
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \
+run_test "Version nego m->m: cli 1.2, srv 1.2 -> 1.2" \
"$P_SRV" \
"$P_CLI" \
0 \
@@ -6888,7 +6899,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1.2" \
+run_test "Version nego m->m: cli max=1.2, srv max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$P_CLI max_version=tls12" \
0 \
@@ -6900,7 +6911,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \
+run_test "Version nego m->m: cli 1.3, srv 1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI" \
0 \
@@ -6912,7 +6923,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1.3" \
+run_test "Version nego m->m: cli min=1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$P_CLI min_version=tls13" \
0 \
@@ -6924,7 +6935,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \
+run_test "Version nego m->m: cli 1.2+1.3, srv 1.2+1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI" \
0 \
@@ -6936,7 +6947,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
+run_test "Version nego m->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$P_CLI" \
0 \
@@ -6948,7 +6959,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
+run_test "Version nego m->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$P_CLI" \
0 \
@@ -6960,7 +6971,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \
+run_test "Version nego m->m: cli max=1.2, srv 1.2+1.3 -> 1.2" \
"$P_SRV" \
"$P_CLI max_version=tls12" \
0 \
@@ -6972,7 +6983,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \
+run_test "Version nego m->m: cli min=1.3, srv 1.2+1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI min_version=tls13" \
0 \
@@ -6983,7 +6994,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \
+run_test "Not supported version m->m: cli max=1.2, srv min=1.3" \
"$P_SRV min_version=tls13" \
"$P_CLI max_version=tls12" \
1 \
@@ -6995,7 +7006,7 @@
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \
+run_test "Not supported version m->m: cli min=1.3, srv max=1.2" \
"$P_SRV max_version=tls12" \
"$P_CLI min_version=tls13" \
1 \
@@ -7009,7 +7020,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \
+run_test "Server version nego G->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
0 \
@@ -7019,7 +7030,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \
+run_test "Server version nego G->m: cli 1.2, srv max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
0 \
@@ -7029,7 +7040,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check G->m: 1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego G->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
0 \
@@ -7040,7 +7051,7 @@
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \
+run_test "Server version nego G->m: cli 1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
0 \
@@ -7050,7 +7061,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego G->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
@@ -7060,7 +7071,7 @@
requires_gnutls_next_disable_tls13_compat
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego G->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \
0 \
@@ -7078,7 +7089,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \
+run_test "Server version nego G->m: cli 1.2+1.3 (1.2 preferred!), srv 1.2+1.3 -> 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
1 \
@@ -7088,7 +7099,7 @@
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
+run_test "Server version nego G->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
@@ -7098,7 +7109,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \
+run_test "Server version nego G->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
@@ -7108,7 +7119,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
+run_test "Server version nego G->m: cli 1.2+1.3, max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
@@ -7116,7 +7127,7 @@
-s "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
-run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \
+run_test "Not supported version G->m: cli 1.0, (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \
1 \
@@ -7124,7 +7135,7 @@
-S "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_SRV_C
-run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \
+run_test "Not supported version G->m: cli 1.1, (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \
1 \
@@ -7133,7 +7144,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check G->m: 1.2 / 1.3" \
+run_test "Not supported version G->m: cli 1.2, srv 1.3" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
1 \
@@ -7142,7 +7153,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check G->m: 1.3 / 1.2" \
+run_test "Not supported version G->m: cli 1.3, srv 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
1 \
@@ -7152,7 +7163,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \
+run_test "Not supported version G->m: cli 1.2, srv min=1.3" \
"$P_SRV min_version=tls13" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
1 \
@@ -7161,7 +7172,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \
+run_test "Not supported version G->m: cli 1.3, srv max=1.2" \
"$P_SRV max_version=tls12" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
1 \
@@ -7173,7 +7184,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \
+run_test "Server version nego O->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_2" \
0 \
@@ -7183,7 +7194,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check O->m: 1.2 / 1.2 (max=1.2) -> 1.2" \
+run_test "Server version nego O->m: cli 1.2, srv max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI -tls1_2" \
0 \
@@ -7194,7 +7205,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check O->m: 1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego O->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_3" \
0 \
@@ -7206,7 +7217,7 @@
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check O->m: 1.3 / 1.3 (min=1.3) -> 1.3" \
+run_test "Server version nego O->m: cli 1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI -tls1_3" \
0 \
@@ -7217,7 +7228,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego O->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI" \
0 \
@@ -7227,7 +7238,7 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Server version nego check O->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+run_test "Server version nego O->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -no_middlebox" \
0 \
@@ -7239,7 +7250,7 @@
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
+run_test "Server version nego O->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI" \
0 \
@@ -7249,7 +7260,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \
+run_test "Server version nego O->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
"$P_SRV" \
"$O_NEXT_CLI" \
0 \
@@ -7259,7 +7270,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
+run_test "Server version nego O->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI" \
0 \
@@ -7267,7 +7278,7 @@
-s "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
-run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \
+run_test "Not supported version O->m: cli 1.0, srv (1.2)+(1.3)" \
"$P_SRV" \
"$O_CLI -tls1" \
1 \
@@ -7275,7 +7286,7 @@
-S "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_SRV_C
-run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \
+run_test "Not supported version O->m: cli 1.1, srv (1.2)+(1.3)" \
"$P_SRV" \
"$O_CLI -tls1_1" \
1 \
@@ -7284,7 +7295,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check O->m: 1.2 / 1.3" \
+run_test "Not supported version O->m: cli 1.2, srv 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_2" \
1 \
@@ -7293,7 +7304,7 @@
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check O->m: 1.3 / 1.2" \
+run_test "Not supported version O->m: cli 1.3, srv 1.2" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_3" \
1 \
@@ -7303,7 +7314,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \
+run_test "Not supported version O->m: cli 1.2, srv min=1.3" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI -tls1_2" \
1 \
@@ -7312,7 +7323,7 @@
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
-run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \
+run_test "Not supported version O->m: cli 1.3, srv max=1.2" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI -tls1_3" \
1 \
@@ -7323,7 +7334,7 @@
# Tests of version negotiation on client side against GnuTLS and OpenSSL server
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: srv max TLS 1.0" \
+run_test "Not supported version: srv max TLS 1.0" \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \
"$P_CLI" \
1 \
@@ -7333,7 +7344,7 @@
-C "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: srv max TLS 1.1" \
+run_test "Not supported version: srv max TLS 1.1" \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \
"$P_CLI" \
1 \
@@ -7347,7 +7358,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.0" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
"$P_CLI debug_level=4" \
1 \
@@ -7360,7 +7371,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.1" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
"$P_CLI debug_level=4" \
1 \
@@ -7373,7 +7384,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.2" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
@@ -7387,7 +7398,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.0" \
"$O_NEXT_SRV -msg -tls1" \
"$P_CLI debug_level=4" \
1 \
@@ -7401,7 +7412,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.1" \
"$O_NEXT_SRV -msg -tls1_1" \
"$P_CLI debug_level=4" \
1 \
@@ -7415,7 +7426,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.2" \
"$O_NEXT_SRV -msg -tls1_2" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 388879d..ddcbd83 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -2593,11 +2593,6 @@
mbedtls_pk_context pk_priv, pk_priv_copy_public, pk_pub, pk_pub_copy_public;
mbedtls_svc_key_id_t priv_key_id = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t pub_key_id = MBEDTLS_SVC_KEY_ID_INIT;
- unsigned char *in_buf = NULL;
- size_t in_buf_len = MBEDTLS_MD_MAX_SIZE;
- unsigned char out_buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
- unsigned char out_buf2[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
- size_t out_buf_len, out_buf2_len;
mbedtls_pk_init(&pk_priv);
mbedtls_pk_init(&pk_priv_copy_public);
@@ -2620,14 +2615,13 @@
TEST_EQUAL(mbedtls_pk_copy_from_psa(pub_key_id, &pk_pub), 0);
TEST_EQUAL(mbedtls_pk_copy_public_from_psa(pub_key_id, &pk_pub_copy_public), 0);
- /* Destoy both PSA keys to prove that generated PK contexts are independent
+ /* Destroy both PSA keys to prove that generated PK contexts are independent
* from them. */
priv_key_id = psa_copy_and_destroy(priv_key_id);
pub_key_id = psa_copy_and_destroy(pub_key_id);
- /* Test #1:
- * - check that the generated PK contexts are of the correct type.
- * - [only for RSA] check that the padding mode is correct.
+ /* - Check that the generated PK contexts are of the correct type.
+ * - [Only for RSA] check that the padding mode is correct.
*/
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_ECKEY);
@@ -2648,135 +2642,23 @@
#endif /* MBEDTLS_RSA_C */
}
- /* Test #2: check that the 2 generated PK contexts form a valid private/public key pair. */
+ /* Check that generated private/public PK contexts form a valid private/public key pair. */
TEST_EQUAL(mbedtls_pk_check_pair(&pk_pub, &pk_priv, mbedtls_test_rnd_std_rand, NULL), 0);
- /* Get the MD alg to be used for the tests below from the provided key policy. */
- mbedtls_md_type_t md_for_test = MBEDTLS_MD_ALG_FOR_TEST; /* Default */
- if ((PSA_ALG_GET_HASH(key_alg) != PSA_ALG_NONE) &&
- (PSA_ALG_GET_HASH(key_alg) != PSA_ALG_ANY_HASH)) {
- md_for_test = mbedtls_md_type_from_psa_alg(key_alg);
- }
- /* Use also the same MD algorithm for PSA sign/verify checks. This is helpful
- * for the cases in which the key policy algorithm is ANY_HASH type. */
- psa_algorithm_t psa_alg_for_test =
- (key_alg & ~PSA_ALG_HASH_MASK) |
- (mbedtls_md_psa_alg_from_type(md_for_test) & PSA_ALG_HASH_MASK);
-
- in_buf_len = mbedtls_md_get_size_from_type(md_for_test);
- TEST_CALLOC(in_buf, in_buf_len);
- memset(in_buf, 0x1, in_buf_len);
-
- /* Test #3: sign/verify with the following pattern:
- * - Sign using the PK context generated from the private key.
- * - Verify from the same PK context used for signature.
- * - Verify with the PK context generated using public key.
- * - Verify using the public PSA key directly.
- */
-
- /* Edge cases: in a build with RSA key support but not RSA padding modes,
- * or with ECDSA verify support but not signature, the signature might be
- * impossible. */
- int pk_can_sign = 0;
-#if defined(MBEDTLS_PKCS1_V15)
- if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(key_alg) || key_alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
- pk_can_sign = 1;
- }
-#endif
-#if defined(MBEDTLS_PKCS1_V21)
- if (PSA_ALG_IS_RSA_PSS(key_alg) || PSA_ALG_IS_RSA_OAEP(key_alg)) {
- pk_can_sign = 1;
- }
-#endif
-#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- if (PSA_ALG_IS_ECDSA(key_alg) || PSA_ALG_IS_DETERMINISTIC_ECDSA(key_alg)) {
- pk_can_sign = 1;
- }
-#endif
- if (pk_can_sign) {
- TEST_EQUAL(mbedtls_pk_sign(&pk_priv, md_for_test, in_buf, in_buf_len,
- out_buf, sizeof(out_buf), &out_buf_len,
- mbedtls_test_rnd_std_rand, NULL), 0);
-
- TEST_EQUAL(mbedtls_pk_verify(&pk_priv, md_for_test, in_buf, in_buf_len,
- out_buf, out_buf_len), 0);
- TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len,
- out_buf, out_buf_len), 0);
- }
-
- if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) {
-#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
- /* ECDSA signature requires PK->PSA format conversion. */
- if (PSA_ALG_IS_ECDSA(key_alg)) {
- TEST_EQUAL(mbedtls_ecdsa_der_to_raw(mbedtls_pk_get_bitlen(&pk_pub),
- out_buf, out_buf_len, out_buf,
- sizeof(out_buf), &out_buf_len), 0);
- }
-#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
- PSA_ASSERT(psa_verify_hash(pub_key_id, psa_alg_for_test, in_buf, in_buf_len,
- out_buf, out_buf_len));
- }
-
- /* Test #4: check sign/verify interoperability also in the opposite direction:
- * sign with PSA and verify with PK. Key's policy must include a valid hash
- * algorithm (not any).
- */
- if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) {
- PSA_ASSERT(psa_sign_hash(priv_key_id, psa_alg_for_test, in_buf, in_buf_len,
- out_buf, sizeof(out_buf), &out_buf_len));
-#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
- /* ECDSA signature requires PSA->PK format conversion */
- if (PSA_ALG_IS_ECDSA(key_alg)) {
- TEST_EQUAL(mbedtls_ecdsa_raw_to_der(mbedtls_pk_get_bitlen(&pk_pub),
- out_buf, out_buf_len, out_buf,
- sizeof(out_buf), &out_buf_len), 0);
- }
-#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
- TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len,
- out_buf, out_buf_len), 0);
- }
-
- /* Test #5: in case of RSA key pair try also encryption/decryption. */
- if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) {
- /* Encrypt with the public key only PK context. */
- TEST_EQUAL(mbedtls_pk_encrypt(&pk_pub, in_buf, in_buf_len,
- out_buf, &out_buf_len, sizeof(out_buf),
- mbedtls_test_rnd_std_rand, NULL), 0);
-
- /* Decrypt with key pair PK context and compare with original data. */
- TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len,
- out_buf2, &out_buf2_len, sizeof(out_buf2),
- mbedtls_test_rnd_std_rand, NULL), 0);
- TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len);
-
- if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) {
- /* Decrypt with PSA private key directly and compare with original data. */
- PSA_ASSERT(psa_asymmetric_decrypt(priv_key_id, key_alg, out_buf, out_buf_len,
- NULL, 0,
- out_buf2, sizeof(out_buf2), &out_buf2_len));
- TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len);
-
- /* Encrypt with PSA public key directly, decrypt with public key PK context
- * and compare with original data. */
- PSA_ASSERT(psa_asymmetric_encrypt(pub_key_id, key_alg, in_buf, in_buf_len,
- NULL, 0,
- out_buf, sizeof(out_buf), &out_buf_len));
- TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len,
- out_buf2, &out_buf2_len, sizeof(out_buf2),
- mbedtls_test_rnd_std_rand, NULL), 0);
- TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len);
- }
- }
+ /* Check consistency between copied PSA keys and generated PK contexts. */
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_priv), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_pub), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_priv), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_pub), 1);
/* Test that the keys from mbedtls_pk_copy_public_from_psa() are identical
- * to the public key from mbedtls_pk_copy_from_psa(). */
+ * to the public keys from mbedtls_pk_copy_from_psa(). */
mbedtls_test_set_step(1);
TEST_ASSERT(pk_public_same(&pk_pub, &pk_priv_copy_public));
mbedtls_test_set_step(2);
TEST_ASSERT(pk_public_same(&pk_pub, &pk_pub_copy_public));
exit:
- mbedtls_free(in_buf);
mbedtls_pk_free(&pk_priv);
mbedtls_pk_free(&pk_priv_copy_public);
mbedtls_pk_free(&pk_pub);