Merge pull request #6079 from yuhaoth/pr/add-tls13-parse-pre_shared_key_offered_psks
TLS 1.3: PSK: Add parser/writer of pre_shared_key extension on server side.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a0d0aa7..bb86788 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -131,7 +131,10 @@
set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
endif()
- if (NOT EXISTS ${link})
+ # Linking to non-existent file is not desirable. At best you will have a
+ # dangling link, but when building in tree, this can create a symbolic link
+ # to itself.
+ if (EXISTS ${target} AND NOT EXISTS ${link})
if (CMAKE_HOST_UNIX)
set(command ln -s ${target} ${link})
else()
diff --git a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
new file mode 100644
index 0000000..1d59c22
--- /dev/null
+++ b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a long-standing build failure when building x86 PIC code with old
+ gcc (4.x). The code will be slower, but will compile. We do however
+ recommend upgrading to a more recent compiler instead. Fixes #1910.
diff --git a/ChangeLog.d/fix_cmake_gen_files b/ChangeLog.d/fix_cmake_gen_files
new file mode 100644
index 0000000..3b2c099
--- /dev/null
+++ b/ChangeLog.d/fix_cmake_gen_files
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix an issue in releases with GEN_FILES turned off whereby missing
+ generated files could be turned into symlinks to themselves.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index bc09e7a..c6a54f7 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -669,6 +669,7 @@
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO,
MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST,
+ MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH,
}
mbedtls_ssl_states;
diff --git a/library/bn_mul.h b/library/bn_mul.h
index 962d7a9..831e1d7 100644
--- a/library/bn_mul.h
+++ b/library/bn_mul.h
@@ -91,12 +91,28 @@
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
/*
+ * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
+ * fixed reserved register when building as PIC, leading to errors
+ * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm'
+ *
+ * This is fixed by an improved register allocator in GCC 5+. From the
+ * release notes:
+ * Register allocation improvements: Reuse of the PIC hard register,
+ * instead of using a fixed register, was implemented on x86/x86-64
+ * targets. This improves generated PIC code performance as more hard
+ * registers can be used.
+ */
+#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
+#define MULADDC_CANNOT_USE_EBX
+#endif
+
+/*
* Disable use of the i386 assembly code below if option -O0, to disable all
* compiler optimisations, is passed, detected with __OPTIMIZE__
* This is done as the number of registers used in the assembly code doesn't
* work with the -O0 option.
*/
-#if defined(__i386__) && defined(__OPTIMIZE__)
+#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
#define MULADDC_X1_INIT \
{ mbedtls_mpi_uint t; \
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 20f1aff..e7453d5 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -432,7 +432,8 @@
static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
- size_t *out_len )
+ size_t *out_len,
+ size_t *binders_len )
{
int ret;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@@ -443,6 +444,7 @@
int tls12_uses_ec = 0;
*out_len = 0;
+ *binders_len = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char propose_tls12 =
@@ -641,6 +643,21 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
+ * MUST be the last extension in the ClientHello.
+ */
+ if( propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
+ {
+ ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ ssl, p, end, &output_len, binders_len );
+ if( ret != 0 )
+ return( ret );
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
/* Write the length of the list of extensions. */
extensions_len = p - p_extensions_len - 2;
@@ -837,7 +854,7 @@
{
int ret = 0;
unsigned char *buf;
- size_t buf_len, msg_len;
+ size_t buf_len, msg_len, binders_len;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
@@ -849,7 +866,8 @@
MBEDTLS_SSL_PROC_CHK( ssl_write_client_hello_body( ssl, buf,
buf + buf_len,
- &msg_len ) );
+ &msg_len,
+ &binders_len ) );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@@ -883,8 +901,22 @@
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
{
- mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
- buf, msg_len );
+
+ mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
+ msg_len );
+ ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if( binders_len > 0 )
+ {
+ MBEDTLS_SSL_PROC_CHK(
+ mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ ssl, buf + msg_len - binders_len, buf + msg_len ) );
+ ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len,
+ binders_len );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl,
buf_len,
msg_len ) );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ecc2a62..1821553 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2454,4 +2454,49 @@
unsigned char *obuf, size_t buf_len, size_t *olen );
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+/* Check if we have any PSK to offer, returns 0 if PSK is available.
+ * Assign the psk and ticket if pointers are present.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_get_psk_to_offer(
+ const mbedtls_ssl_context *ssl,
+ int *psk_type,
+ const unsigned char **psk, size_t *psk_len,
+ const unsigned char **psk_identity, size_t *psk_identity_len );
+
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.3 specific Pre-Shared key extension.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the extension
+ * \param[in] end End address of the buffer where to write the extension
+ * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
+ * written into the buffer \p buf by this function plus
+ * the length of the binders to be written.
+ * \param[out] binders_len Length of the binders to be written at the end of
+ * the extension.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end,
+ size_t *out_len, size_t *binders_len );
+
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.3 specific Pre-Shared key extension binders at the end of the
+ * ClientHello.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the binders
+ * \param[in] end End address of the buffer where to write the binders
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end );
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
#endif /* ssl_misc.h */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 292e931..887daf8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -443,6 +443,7 @@
static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
unsigned char *buf,
size_t buf_len );
+
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_session_load_tls12( mbedtls_ssl_session *session,
const unsigned char *buf,
@@ -1890,6 +1891,19 @@
}
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static size_t ssl_session_save_tls13( const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len )
+{
+ ((void) session);
+ ((void) buf);
+ ((void) buf_len);
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
size_t taglen,
psa_algorithm_t *alg,
@@ -2816,6 +2830,7 @@
{
unsigned char *p = buf;
size_t used = 0;
+ size_t remaining_len;
if( !omit_header )
{
@@ -2843,17 +2858,25 @@
}
/* Forward to version-specific serialization routine. */
+ remaining_len = (buf_len >= used) ? buf_len - used : 0;
switch( session->tls_version )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
case MBEDTLS_SSL_VERSION_TLS1_2:
{
- size_t remaining_len = used <= buf_len ? buf_len - used : 0;
used += ssl_session_save_tls12( session, p, remaining_len );
break;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ {
+ used += ssl_session_save_tls13( session, p, remaining_len );
+ break;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
default:
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index e38f117..cd3be46 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -595,6 +595,289 @@
return( 0 );
}
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+/*
+ * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
+ *
+ * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
+ *
+ * struct {
+ * PskKeyExchangeMode ke_modes<1..255>;
+ * } PskKeyExchangeModes;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len )
+{
+ unsigned char *p = buf;
+ int ke_modes_len = 0;
+
+ ((void) ke_modes_len );
+ *out_len = 0;
+
+ /* Skip writing extension if no PSK key exchange mode
+ * is enabled in the config.
+ */
+ if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
+ return( 0 );
+ }
+
+ /* Require 7 bytes of data, otherwise fail,
+ * even if extension might be shorter.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
+
+ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
+
+ /* Skip extension length (2 bytes) and
+ * ke_modes length (1 byte) for now.
+ */
+ p += 5;
+
+ if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
+ {
+ *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
+ ke_modes_len++;
+
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
+ }
+
+ if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
+ {
+ *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
+ ke_modes_len++;
+
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
+ }
+
+ /* Now write the extension and ke_modes length */
+ MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
+ buf[4] = ke_modes_len;
+
+ *out_len = p - buf;
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
+ return ( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+/*
+ * mbedtls_ssl_tls13_write_pre_shared_key_ext() structure:
+ *
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ * PskIdentity identities<7..2^16-1>;
+ * PskBinderEntry binders<33..2^16-1>;
+ * } OfferedPsks;
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * case client_hello: OfferedPsks;
+ * ...
+ * };
+ * } PreSharedKeyExtension;
+ *
+ */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+
+int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end,
+ size_t *out_len, size_t *binders_len )
+{
+ unsigned char *p = buf;
+ const unsigned char *psk;
+ size_t psk_len;
+ const unsigned char *psk_identity;
+ size_t psk_identity_len;
+ int psk_type;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ const int *ciphersuites;
+ psa_algorithm_t psa_hash_alg;
+ int hash_len = 0;
+ size_t identities_len, l_binders_len;
+ uint32_t obfuscated_ticket_age = 0;
+
+ *out_len = 0;
+ *binders_len = 0;
+
+ /* Check if we have any PSKs to offer. If so, return the first.
+ *
+ * NOTE: Ultimately, we want to be able to offer multiple PSKs,
+ * in which case we want to iterate over them here.
+ *
+ * As it stands, however, we only ever offer one, chosen
+ * by the following heuristic:
+ * - If a ticket has been configured, offer the corresponding PSK.
+ * - If no ticket has been configured by an external PSK has been
+ * configured, offer that.
+ * - Otherwise, skip the PSK extension.
+ */
+
+ if( mbedtls_ssl_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
+ &psk_identity, &psk_identity_len ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
+ return( 0 );
+ }
+
+ if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
+ {
+ /*
+ * Ciphersuite list
+ */
+ ciphersuites = ssl->conf->ciphersuite_list;
+ for( int i = 0; ciphersuites[i] != 0; i++ )
+ {
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
+ ciphersuites[i] );
+
+ if( mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info,
+ MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
+ continue;
+
+ /* In this implementation we only add one pre-shared-key
+ * extension.
+ */
+ ssl->session_negotiate->ciphersuite = ciphersuites[i];
+ break;
+ }
+ }
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite );
+ /* No suitable ciphersuite for the PSK */
+ if( ciphersuite_info == NULL )
+ return( 0 );
+
+ psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+ hash_len = PSA_HASH_LENGTH( psa_hash_alg );
+ if( hash_len == -1 )
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+ /* Check if we have space to write the extension, binder included.
+ * - extension_type (2 bytes)
+ * - extension_data_len (2 bytes)
+ * - identities_len (2 bytes)
+ * - identity_len (2 bytes)
+ * - identity (psk_identity_len bytes)
+ * - obfuscated_ticket_age (4 bytes)
+ * - binders_len (2 bytes)
+ * - binder_len (1 byte)
+ * - binder (hash_len bytes)
+ */
+
+ identities_len = 6 + psk_identity_len;
+ l_binders_len = 1 + hash_len;
+
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding pre_shared_key extension, "
+ "omitting PSK binder list" ) );
+
+ /* Extension header */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
+ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
+ MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 );
+
+ MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 );
+ MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 );
+ p += 8;
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, psk_identity_len );
+ memcpy( p, psk_identity, psk_identity_len );
+ p += psk_identity_len;
+
+ /* add obfuscated ticket age */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+ MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 );
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 + l_binders_len );
+ *out_len = ( p - buf ) + l_binders_len + 2;
+ *binders_len = l_binders_len + 2;
+
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+
+ return( 0 );
+}
+
+int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ const unsigned char *psk_identity;
+ size_t psk_identity_len;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ psa_algorithm_t psa_hash_alg;
+ int hash_len = 0;
+ const unsigned char *psk = NULL;
+ size_t psk_len = 0;
+ int psk_type;
+ unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
+ size_t transcript_len;
+
+ if( mbedtls_ssl_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
+ &psk_identity, &psk_identity_len ) != 0 )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite );
+ if( ciphersuite_info == NULL )
+ return( 0 );
+
+ psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+ hash_len = PSA_HASH_LENGTH( psa_hash_alg );
+ if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) )
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) );
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 + hash_len );
+ /* 2 bytes length field for array of psk binders */
+ MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 );
+ p += 2;
+
+ /* 1 bytes length field for next psk binder */
+ *p++ = MBEDTLS_BYTE_0( hash_len );
+
+ /* Get current state of handshake transcript. */
+ ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
+ transcript, sizeof( transcript ),
+ &transcript_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls13_create_psk_binder( ssl,
+ mbedtls_psa_translate_md( ciphersuite_info->mac ),
+ psk, psk_len, psk_type,
+ transcript, p );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
+ return( ret );
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -631,6 +914,22 @@
p += ext_len;
}
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ /* For PSK-based key exchange we need the pre_shared_key extension
+ * and the psk_key_exchange_modes extension.
+ *
+ * The pre_shared_key extension MUST be the last extension in the
+ * ClientHello. Servers MUST check that it is the last extension and
+ * otherwise fail the handshake with an "illegal_parameter" alert.
+ *
+ * Add the psk_key_exchange_modes extension.
+ */
+ ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
+ if( ret != 0 )
+ return( ret );
+ p += ext_len;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
*out_len = p - buf;
return( 0 );
@@ -929,6 +1228,92 @@
return( 0 );
}
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+/*
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ *
+ * select (Handshake.msg_type) {
+ * ...
+ * case server_hello: uint16 selected_identity;
+ * };
+ *
+ * } PreSharedKeyExtension;
+ *
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ int ret = 0;
+ size_t selected_identity;
+
+ const unsigned char *psk;
+ size_t psk_len;
+ const unsigned char *psk_identity;
+ size_t psk_identity_len;
+
+
+ /* Check which PSK we've offered.
+ *
+ * NOTE: Ultimately, we want to offer multiple PSKs, and in this
+ * case, we need to iterate over them here.
+ */
+ if( mbedtls_ssl_get_psk_to_offer( ssl, NULL, &psk, &psk_len,
+ &psk_identity, &psk_identity_len ) != 0 )
+ {
+ /* If we haven't offered a PSK, the server must not send
+ * a PSK identity extension. */
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 2 );
+ selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
+
+ /* We have offered only one PSK, so the only valid choice
+ * for the server is PSK index 0.
+ *
+ * This will change once we support multiple PSKs. */
+ if( selected_identity > 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) );
+
+ if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+ /* Set the chosen PSK
+ *
+ * TODO: We don't have to do this in case we offered 0-RTT and the
+ * server accepted it, because in this case we've already
+ * set the handshake PSK. */
+ ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
+ return( ret );
+ }
+
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+ return( 0 );
+}
+
+#endif
+
/* Parse ServerHello message and configure context
*
* struct {
@@ -1139,12 +1524,24 @@
goto cleanup;
break;
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
+ if( is_hrr )
+ {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
+ }
- fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
- goto cleanup;
+ if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
+ ssl, p, extension_data_end ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
+ return( ret );
+ }
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 265d6d3..1e63c77 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1505,4 +1505,41 @@
}
#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+/* Check if we have any PSK to offer, returns 0 if PSK is available.
+ * Assign the psk and ticket if pointers are present.
+ */
+int mbedtls_ssl_get_psk_to_offer(
+ const mbedtls_ssl_context *ssl,
+ int *psk_type,
+ const unsigned char **psk, size_t *psk_len,
+ const unsigned char **psk_identity, size_t *psk_identity_len )
+{
+ int ptrs_present = 0;
+
+ if( psk_type != NULL && psk != NULL && psk_len != NULL &&
+ psk_identity != NULL && psk_identity_len != NULL )
+ {
+ ptrs_present = 1;
+ }
+
+ /* Check if an external PSK has been configured. */
+ if( ssl->conf->psk != NULL )
+ {
+ if( ptrs_present )
+ {
+ *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
+ *psk = ssl->conf->psk;
+ *psk_len = ssl->conf->psk_len;
+ *psk_identity = ssl->conf->psk_identity;
+ *psk_identity_len = ssl->conf->psk_identity_len;
+ }
+
+ return( 0 );
+ }
+
+ return( 1 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index dcefbce..3bfffb1 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1003,6 +1003,11 @@
*/
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ /* Store minor version for later use with ticket serialization. */
+ ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#endif
+
/* ...
* Random random;
* ...
@@ -2296,11 +2301,274 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
mbedtls_ssl_tls13_handshake_wrapup( ssl );
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
+#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+#endif
return( 0 );
}
/*
+ * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ */
+#define SSL_NEW_SESSION_TICKET_SKIP 0
+#define SSL_NEW_SESSION_TICKET_WRITE 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
+{
+ /* Check whether the use of session tickets is enabled */
+ if( ssl->conf->f_ticket_write == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
+ return( SSL_NEW_SESSION_TICKET_SKIP );
+ }
+
+ return( SSL_NEW_SESSION_TICKET_WRITE );
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
+ unsigned char *ticket_nonce,
+ size_t ticket_nonce_size )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_session *session = ssl->session;
+ mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ psa_algorithm_t psa_hash_alg;
+ int hash_length;
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
+
+#if defined(MBEDTLS_HAVE_TIME)
+ session->start = mbedtls_time( NULL );
+#endif
+
+ /* Generate ticket_age_add */
+ if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
+ (unsigned char *) &session->ticket_age_add,
+ sizeof( session->ticket_age_add ) ) != 0 ) )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
+ return( ret );
+ }
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
+ (unsigned int)session->ticket_age_add ) );
+
+ /* Generate ticket_nonce */
+ ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
+ return( ret );
+ }
+ MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
+ ticket_nonce, ticket_nonce_size );
+
+ ciphersuite_info =
+ (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
+ psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+ hash_length = PSA_HASH_LENGTH( psa_hash_alg );
+ if( hash_length == -1 ||
+ (size_t)hash_length > sizeof( session->resumption_key ) )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ /* In this code the psk key length equals the length of the hash */
+ session->resumption_key_len = hash_length;
+ session->ciphersuite = ciphersuite_info->id;
+
+ /* Compute resumption key
+ *
+ * HKDF-Expand-Label( resumption_master_secret,
+ * "resumption", ticket_nonce, Hash.length )
+ */
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ psa_hash_alg,
+ session->app_secrets.resumption_master_secret,
+ hash_length,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
+ ticket_nonce,
+ ticket_nonce_size,
+ session->resumption_key,
+ hash_length );
+
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 2,
+ "Creating the ticket-resumed PSK failed",
+ ret );
+ return ( ret );
+ }
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
+ session->resumption_key,
+ session->resumption_key_len );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
+ session->app_secrets.resumption_master_secret,
+ hash_length );
+
+ return( 0 );
+}
+
+/* This function creates a NewSessionTicket message in the following format:
+ *
+ * struct {
+ * uint32 ticket_lifetime;
+ * uint32 ticket_age_add;
+ * opaque ticket_nonce<0..255>;
+ * opaque ticket<1..2^16-1>;
+ * Extension extensions<0..2^16-2>;
+ * } NewSessionTicket;
+ *
+ * The ticket inside the NewSessionTicket message is an encrypted container
+ * carrying the necessary information so that the server is later able to
+ * re-start the communication.
+ *
+ * The following fields are placed inside the ticket by the
+ * f_ticket_write() function:
+ *
+ * - creation time (start)
+ * - flags (flags)
+ * - age add (ticket_age_add)
+ * - key (key)
+ * - key length (key_len)
+ * - ciphersuite (ciphersuite)
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len,
+ unsigned char *ticket_nonce,
+ size_t ticket_nonce_size )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ mbedtls_ssl_session *session = ssl->session;
+ size_t ticket_len;
+ uint32_t ticket_lifetime;
+
+ *out_len = 0;
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
+
+ /*
+ * ticket_lifetime 4 bytes
+ * ticket_age_add 4 bytes
+ * ticket_nonce 1 + ticket_nonce_size bytes
+ * ticket >=2 bytes
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
+
+ /* Generate ticket and ticket_lifetime */
+ ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
+ session,
+ p + 9 + ticket_nonce_size + 2,
+ end,
+ &ticket_len,
+ &ticket_lifetime);
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
+ return( ret );
+ }
+ /* RFC 8446 4.6.1
+ * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
+ * unsigned integer in network byte order from the time of ticket
+ * issuance. Servers MUST NOT use any value greater than
+ * 604800 seconds (7 days). The value of zero indicates that the
+ * ticket should be discarded immediately. Clients MUST NOT cache
+ * tickets for longer than 7 days, regardless of the ticket_lifetime,
+ * and MAY delete tickets earlier based on local policy. A server
+ * MAY treat a ticket as valid for a shorter period of time than what
+ * is stated in the ticket_lifetime.
+ */
+ ticket_lifetime %= 604800;
+ MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
+ ( unsigned int )ticket_lifetime ) );
+
+ /* Write ticket_age_add */
+ MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
+ ( unsigned int )session->ticket_age_add ) );
+
+ /* Write ticket_nonce */
+ p[8] = ( unsigned char )ticket_nonce_size;
+ if( ticket_nonce_size > 0 )
+ {
+ memcpy( p + 9, ticket_nonce, ticket_nonce_size );
+ }
+ p += 9 + ticket_nonce_size;
+
+ /* Write ticket */
+ MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
+ p += 2;
+ MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
+ p += ticket_len;
+
+ /* Ticket Extensions
+ *
+ * Note: We currently don't have any extensions.
+ * Set length to zero.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+ MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
+ p += 2;
+
+ *out_len = p - buf;
+ MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
+
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ */
+static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
+
+ if( ret == SSL_NEW_SESSION_TICKET_WRITE )
+ {
+ unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
+ ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
+
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
+
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
+ ssl, buf, buf + buf_len, &msg_len,
+ ticket_nonce, sizeof( ticket_nonce ) ) );
+
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len ) );
+
+ mbedtls_ssl_handshake_set_state( ssl,
+ MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
+ }
+ else
+ {
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+ }
+
+cleanup:
+
+ return( ret );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
* TLS 1.3 State Machine -- server side
*/
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
@@ -2420,6 +2688,27 @@
}
break;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_SSL_NEW_SESSION_TICKET:
+ ret = ssl_tls13_write_new_session_ticket( ssl );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1,
+ "ssl_tls13_write_new_session_ticket ",
+ ret );
+ }
+ break;
+ case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
+ /* This state is necessary to do the flush of the New Session
+ * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
+ * as part of ssl_prepare_handshake_step.
+ */
+ ret = 0;
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+ break;
+
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 24f14e3..852ae52 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11991,6 +11991,52 @@
-s "parse ServerName extension" \
-s "HTTP/1.0 200 OK"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3, default suite, PSK" \
+ "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
+ "$P_CLI nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
+ 1 \
+ -c "=> write client hello" \
+ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
+ -c "client hello, adding psk_key_exchange_modes extension" \
+ -c "client hello, adding PSK binder list" \
+ -c "<= write client hello"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3, default suite, PSK - openssl" \
+ "$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
+ 1 \
+ -c "=> write client hello" \
+ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
+ -c "client hello, adding psk_key_exchange_modes extension" \
+ -c "client hello, adding PSK binder list" \
+ -c "<= write client hello"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3, default suite, PSK - gnutls" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+CIPHER-ALL:%NO_TICKETS --pskhint=0a0b0c" \
+ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
+ 1 \
+ -c "=> write client hello" \
+ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
+ -c "client hello, adding psk_key_exchange_modes extension" \
+ -c "client hello, adding PSK binder list" \
+ -s "Parsing extension 'PSK Key Exchange Modes/45'" \
+ -s "Parsing extension 'Pre Shared Key/41'" \
+ -c "<= write client hello"
+
for i in opt-testcases/*.sh
do
TEST_SUITE_NAME=${i##*/}
@@ -12625,7 +12671,7 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \
"$P_CLI debug_level=4" \
0 \
-c "Protocol is TLSv1.3" \
@@ -12633,6 +12679,50 @@
-c "got new session ticket." \
-c "HTTP/1.0 200 OK"
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test "TLS 1.3: NewSessionTicket: Basic check, O->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+ "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
+ 0 \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+ -c "NEW SESSION TICKET (4) was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_DEBUG_C
+run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -c "got new session ticket." \
+ -c "HTTP/1.0 200 OK" \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG
diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index b9ea3d6..bb06822 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -590,6 +590,7 @@
*/
test_files = &argv[ arg_index ];
testfile_count = argc - arg_index;
+ break;
}
arg_index++;