Enable SNI test for both tls12 and tls13
Change-Id: Iae5c39668db7caa1a59d7e67f226a5286d91db22
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index e9250fc..b498fd4 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1687,7 +1687,7 @@
}
else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
ret = 0;
}
else
@@ -1793,7 +1793,7 @@
}
else
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
}
#endif
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index e130fa5..25faa06 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -335,6 +335,98 @@
return( 1 );
}
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_ECDSA_C)
+static int ssl_check_key_curve( mbedtls_pk_context *pk,
+ const mbedtls_ecp_curve_info **curves )
+{
+ const mbedtls_ecp_curve_info **crv = curves;
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
+
+ while( *crv != NULL )
+ {
+ if( (*crv)->grp_id == grp_id )
+ return( 0 );
+ crv++;
+ }
+
+ return( -1 );
+}
+#endif /* MBEDTLS_ECDSA_C */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+static int ssl_pick_cert( mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
+{
+ mbedtls_ssl_key_cert *cur, *list;
+#if defined(MBEDTLS_ECDSA_C)
+ mbedtls_pk_type_t pk_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+#endif /* MBEDTLS_ECDSA_C */
+ uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_key_cert != NULL )
+ list = ssl->handshake->sni_key_cert;
+ else
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+ list = ssl->conf->key_cert;
+
+ if( list == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
+ return( -1 );
+ }
+
+ for( cur = list; cur != NULL; cur = cur->next )
+ {
+ flags = 0;
+ MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
+ cur->cert );
+
+ /*
+ * This avoids sending the client a cert it'll reject based on
+ * keyUsage or other extensions.
+ */
+ if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
+ MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
+ "(extended) key usage extension" ) );
+ continue;
+ }
+
+#if defined(MBEDTLS_ECDSA_C)
+ if( pk_alg == MBEDTLS_PK_ECDSA &&
+ ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
+ continue;
+ }
+#endif /* MBEDTLS_ECDSA_C */
+
+ break;
+ }
+
+ /* Do not update ssl->handshake->key_cert unless there is a match */
+ if( cur != NULL )
+ {
+ ssl->handshake->key_cert = cur;
+ MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
+ ssl->handshake->key_cert->cert );
+ return( 0 );
+ }
+
+ return( -1 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
/*
*
* STATE HANDLING: ClientHello
@@ -699,7 +791,16 @@
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl->handshake->sni_name = NULL;
ssl->handshake->sni_name_len = 0;
-#endif
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( (ssl_pick_cert( ssl, ssl->handshake->ciphersuite_info ) != 0) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+ "no suitable certificate" ) );
+ return( 0 );
+ }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
/* Update checksum with either
* - The entire content of the CH message, if no PSK extension is present
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d3996c4..7124c8f 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5363,7 +5363,6 @@
# tests for SNI
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@@ -5373,7 +5372,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5385,7 +5383,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5397,7 +5394,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5410,7 +5406,6 @@
-c "mbedtls_ssl_handshake returned" \
-c "SSL - A fatal alert message was received from our peer"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5424,7 +5419,6 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5438,7 +5432,6 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5448,11 +5441,8 @@
-s "skip write certificate request" \
-C "skip parse certificate request" \
-c "got no certificate request" \
- -c "skip write certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify"
+ -c "skip write certificate"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5471,7 +5461,6 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5490,7 +5479,6 @@
-S "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -11406,7 +11394,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - openssl with sni" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
0 \
-s "parse ServerName extension" \
@@ -11420,7 +11408,7 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - gnutls with sni" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
0 \
-s "parse ServerName extension" \