From 5b8dcd209739ed0af04219e3071fa79bbf00809d Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 17 Nov 2022 15:11:39 +0800 Subject: [PATCH 01/23] Add debug helper to print ticket_flags status Signed-off-by: Pengyu Lv --- include/mbedtls/debug.h | 13 +++++++++++++ library/debug.c | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 2b0d00e4c4..3ca8840834 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -68,6 +68,11 @@ mbedtls_debug_printf_ecdh(ssl, level, __FILE__, __LINE__, ecdh, attr) #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) \ + mbedtls_debug_print_ticket_flags(ssl, level, __FILE__, __LINE__, flag) +#endif + #else /* MBEDTLS_DEBUG_C */ #define MBEDTLS_SSL_DEBUG_MSG(level, args) do { } while (0) @@ -77,6 +82,7 @@ #define MBEDTLS_SSL_DEBUG_ECP(level, text, X) do { } while (0) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) #define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr) do { } while (0) +#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) do { } while (0) #endif /* MBEDTLS_DEBUG_C */ @@ -305,6 +311,13 @@ void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, mbedtls_debug_ecdh_attr attr); #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +void mbedtls_debug_print_ticket_flags( + const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + mbedtls_ssl_tls13_ticket_flags flag); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + #ifdef __cplusplus } #endif diff --git a/library/debug.c b/library/debug.c index 12559afe34..4cc67b4988 100644 --- a/library/debug.c +++ b/library/debug.c 
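Review bot: `MBEDTLS_SSL_DEBUG_TICKET_FLAGS` is defined asymmetrically in include/mbedtls/debug.h: the real definition in the MBEDTLS_DEBUG_C branch sits inside `#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)`, while the no-op in the `#else` branch is unconditional. A call site outside that guard would compile without MBEDTLS_DEBUG_C and fail with it, so either guard the no-op the same way or add an `#else` no-op next to the real definition. The new prototype `mbedtls_debug_print_ticket_flags` also has no doc comment; a short one saying that it prints the raw flag value followed by one line per set flag, and that it is meant to be reached through the macro, would help.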
@@ -386,4 +386,41 @@ void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, } #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define BITS_OF(var) (sizeof(var) * 8) +#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a))) + +static const char *ticket_flag_name_table[BITS_OF(mbedtls_ssl_tls13_ticket_flags)] = +{ + [0] = "ALLOW_PSK_RESUMPTION", + [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", + [3] = "ALLOW_EARLY_DATA", +}; + +void mbedtls_debug_print_ticket_flags( + const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + mbedtls_ssl_tls13_ticket_flags flag) +{ + size_t i; + + if (NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + level > debug_threshold) { + return; + } + + mbedtls_debug_print_msg(ssl, level, file, line, + "print ticket_flags (0x%02x)", flag); + + for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { + if ((flag & (1 << i)) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) { + mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", + ticket_flag_name_table[i]); + } + } +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + #endif /* MBEDTLS_DEBUG_C */ From b7d50acb37deb632856d4e30efbbdeec9836064b Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 17 Nov 2022 15:14:12 +0800 Subject: [PATCH 02/23] tls13: add helpers to manipulate ticket_flags Add helper functions to get/set/clear ticket_flags. Signed-off-by: Pengyu Lv --- library/ssl_misc.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 16eccfc9eb..25844d3cf7 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
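Review bot: In `mbedtls_debug_print_ticket_flags` (library/debug.c) the loop can pass a NULL pointer to the `%s` conversion, because `ticket_flag_name_table` only initialises indexes 0, 2 and 3 and every other slot is NULL. Whether that is reachable depends on `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK`, which is not visible in this patch; if the mask covers bit 1 or any bit above 3, a set flag is printed through a NULL string, which printf-style formatting does not define. Guarding the print keeps the helper safe whatever the mask is: `if ((flag & (1u << i) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) != 0 && ticket_flag_name_table[i] != NULL)`. PATCH 11/23 later shrinks the table to four entries, but the gap at index 1 remains, so the guard is still wanted there.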
@@ -2719,4 +2719,25 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, const char *hostname); #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +static inline uint8_t mbedtls_ssl_tls13_session_get_ticket_flags( + mbedtls_ssl_session *session, uint8_t flags) +{ + return session->ticket_flags & + (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); +} + +static inline void mbedtls_ssl_tls13_session_set_ticket_flags( + mbedtls_ssl_session *session, uint8_t flags) +{ + session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); +} + +static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( + mbedtls_ssl_session *session, uint8_t flags) +{ + session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); +} +#endif + #endif /* ssl_misc.h */ From 9f92695c8d0c53ba1cb78f94c7ad684d6971e678 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 17 Nov 2022 15:22:33 +0800 Subject: [PATCH 03/23] tls13: set key exchange mode in ticket_flags on client/server Set the ticket_flags when: - server: preparing NST (new session ticket) message - client: postprocessing NST message Clear the ticket_flags when: - server: preparing NST message - client: parsing NST message Signed-off-by: Pengyu Lv --- library/ssl_tls13_client.c | 9 +++++++++ library/ssl_tls13_server.c | 7 +++++++ 2 files changed, 16 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 291a4cff65..e824a5431a 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2618,6 +2618,10 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl, session->ticket = ticket; session->ticket_len = ticket_len; + /* Clear all flags in ticket_flags */ + mbedtls_ssl_tls13_session_clear_ticket_flags(session, + MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); + MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); p += 2; 
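Review bot: The three `mbedtls_ssl_tls13_session_*_ticket_flags` helpers added to library/ssl_misc.h have no comments, and two behaviours are not obvious from their names: the getter is a masked test (it returns `session->ticket_flags` restricted to the requested `flags`), and all three silently ignore bits outside `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK`. A one-line comment on each would prevent misuse, e.g. `/* Return the subset of 'flags' set in the session's ticket_flags; bits outside the ticket flags mask are ignored. */`. The getter does not modify the session, so its parameter can be `const mbedtls_ssl_session *session`. The helpers use `uint8_t` while `mbedtls_debug_print_ticket_flags` takes `mbedtls_ssl_tls13_ticket_flags`; one type throughout would read more clearly.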
@@ -2701,6 +2705,11 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, session->resumption_key, session->resumption_key_len); + /* Set ticket_flags depends on the selected key exchange modes */ + mbedtls_ssl_tls13_session_set_ticket_flags(session, + ssl->conf->tls13_kex_modes); + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); + return 0; } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 980c2255b0..f951813de5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2604,6 +2604,13 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, session->start = mbedtls_time(NULL); #endif + /* Set ticket_flags depends on the advertised psk key exchange mode */ + mbedtls_ssl_tls13_session_clear_ticket_flags(session, + MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); + mbedtls_ssl_tls13_session_set_ticket_flags(session, + ssl->handshake->tls13_kex_modes); + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); + /* Generate ticket_age_add */ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, (unsigned char *) &session->ticket_age_add, From c55eeb682dfee25e870088dde92a14cea9c2da85 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 17 Nov 2022 15:26:20 +0800 Subject: [PATCH 04/23] tls13: check if the session ticket is compatible with key exchange modes The server check if the ticket_flags is compatible with the advertised key exchange modes in Pre-Shared Key Exchange Modes extension. The incompatible ticket should be mark as not matched. Signed-off-by: Pengyu Lv --- library/ssl_tls13_server.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f951813de5..5f09c2fde3 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -249,6 +249,24 @@ static int ssl_tls13_offered_psks_check_identity_match( if (ssl_tls13_offered_psks_check_identity_match_ticket( ssl, identity, identity_len, obfuscated_ticket_age, session) == SSL_TLS1_3_OFFERED_PSK_MATCH) { + /* RFC 8446 section 4.2.9 + * + * Servers SHOULD NOT send NewSessionTicket with tickets that are not + * compatible with the advertised modes; however, if a server does so, + * the impact will just be that the client's attempts at resumption fail. + * + * We regard the ticket with incompatible key exchange modes as not match. + */ + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, + session->ticket_flags); + if (mbedtls_ssl_tls13_check_kex_modes(ssl, + mbedtls_ssl_tls13_session_get_ticket_flags(session, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) + { + MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); + return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + } + ssl->handshake->resume = 1; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; mbedtls_ssl_set_hs_psk(ssl, From c7af2c4f8c34b608136cc74d80b09566ed858a44 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 1 Dec 2022 16:33:00 +0800 Subject: [PATCH 05/23] tls13: send new session ticket only when client supports psk Signed-off-by: Pengyu Lv --- library/ssl_tls13_server.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 5f09c2fde3..2d2ad610b4 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -2568,10 +2568,14 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) mbedtls_ssl_tls13_handshake_wrapup(ssl); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); -#else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + /* Sent NewSessionTicket message only when client supports PSK */ + if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); + } else #endif + { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + } return 0; } From 3eb49be6a86bc401e96715919c59e1e9563c960d Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 5 Dec 2022 16:35:12 +0800 Subject: [PATCH 06/23] move kex mode check in ticket_flags to psks_check_identity_match_ticket Move the kex mode check in ticket_flags to ssl_tls13_offered_psks_check_identity_match_ticket and add new error 'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check failure. Signed-off-by: Pengyu Lv --- include/mbedtls/ssl.h | 3 ++- library/ssl_tls13_server.c | 37 +++++++++++++++++++------------------ 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 661b23ce7b..9b34e4fccb 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -96,7 +96,8 @@ /* Error space gap */ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 -/* Error space gap */ +/** The kex mode allowed by ticket is not supported by client */ +#define MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE -0x7A80 /** * Received NewSessionTicket Post Handshake Message. * This error code is experimental and may be changed or removed without notice. diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2d2ad610b4..4ebd679aea 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -161,6 +161,25 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( goto exit; } + /* RFC 8446 section 4.2.9 + * + * Servers SHOULD NOT send NewSessionTicket with tickets that are not + * compatible with the advertised modes; however, if a server does so, + * the impact will just be that the client's attempts at resumption fail. + * + * We regard the ticket with incompatible key exchange modes as not match. + */ + ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, + session->ticket_flags); + if (mbedtls_ssl_tls13_check_kex_modes(ssl, + mbedtls_ssl_tls13_session_get_ticket_flags(session, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) + { + MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); + goto exit; + } + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; #if defined(MBEDTLS_HAVE_TIME) now = mbedtls_time(NULL); @@ -249,24 +268,6 @@ static int ssl_tls13_offered_psks_check_identity_match( if (ssl_tls13_offered_psks_check_identity_match_ticket( ssl, identity, identity_len, obfuscated_ticket_age, session) == SSL_TLS1_3_OFFERED_PSK_MATCH) { - /* RFC 8446 section 4.2.9 - * - * Servers SHOULD NOT send NewSessionTicket with tickets that are not - * compatible with the advertised modes; however, if a server does so, - * the impact will just be that the client's attempts at resumption fail. - * - * We regard the ticket with incompatible key exchange modes as not match. - */ - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, - session->ticket_flags); - if (mbedtls_ssl_tls13_check_kex_modes(ssl, - mbedtls_ssl_tls13_session_get_ticket_flags(session, - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); - return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; - } - ssl->handshake->resume = 1; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; mbedtls_ssl_set_hs_psk(ssl, From e6487fe3c25a20a1ae87ea6211f4118a86684cdd Mon Sep 17 00:00:00 2001 
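Review bot: The condition guarding the new kex-mode rejection in `ssl_tls13_offered_psks_check_identity_match_ticket` reads as if it were inverted: `if (mbedtls_ssl_tls13_check_kex_modes(ssl, ...))` takes the "No suitable key exchange mode" branch on a non-zero result, whereas the client helper added in PATCH 08/23 treats a non-zero result of `mbedtls_ssl_conf_tls13_check_kex_modes` as compatible. Both helpers are defined outside this diff, so presumably they have opposite return conventions; a comment at each call site, e.g. `/* non-zero: no key exchange mode in common */`, would make that explicit, since confusing the two would let through tickets the flags were meant to exclude. Separately, the caller visible in the second hunk only compares the result with `SSL_TLS1_3_OFFERED_PSK_MATCH`, so as far as this diff shows callers cannot distinguish the new public `MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE`; its description in ssl.h could also say that the server raises it. The function body continues outside the hunk.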
From: Pengyu Lv Date: Tue, 6 Dec 2022 09:30:29 +0800 Subject: [PATCH 07/23] guard tls13_kex_modes related function calls with macro Handshake parameter field, tls13_kex_mode is only valid when MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED is set. So, any functions / calls should be guarded by this macros. Signed-off-by: Pengyu Lv --- library/ssl_tls13_server.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4ebd679aea..fc89a44a43 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2569,14 +2569,16 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) mbedtls_ssl_tls13_handshake_wrapup(ssl); #if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Sent NewSessionTicket message only when client supports PSK */ - if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); + if (!mbedtls_ssl_tls13_some_psk_enabled(ssl)) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); } else #endif - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); - } + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); +#else + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); +#endif return 0; } @@ -2630,8 +2632,10 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, /* Set ticket_flags depends on the advertised psk key exchange mode */ mbedtls_ssl_tls13_session_clear_ticket_flags(session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) mbedtls_ssl_tls13_session_set_ticket_flags(session, ssl->handshake->tls13_kex_modes); +#endif MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); /* Generate ticket_age_add */ 
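Review bot: The rewritten state selection in `ssl_tls13_handshake_wrapup` leaves an `else` dangling across `#endif`, followed by an unbraced statement: `} else`, then `#endif`, then `mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);`. Any statement later inserted between the `#endif` and that call becomes the `else` body in PSK-enabled builds only. Bracing the call, `{ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); }`, keeps both configurations equivalent. With MBEDTLS_SSL_SESSION_TICKETS defined and MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED undefined, the server always moves to the NewSessionTicket state, and the second hunk then issues a ticket with every flag cleared. If that configuration is allowed, going straight to `MBEDTLS_SSL_HANDSHAKE_OVER` would match the comment above the check better.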
From 93566780479215d389b17b523c7797ca01676ef3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 7 Dec 2022 12:10:05 +0800 Subject: [PATCH 08/23] filter the tickets with tls13_kex_mode on client side. Signed-off-by: Pengyu Lv --- library/ssl_tls13_client.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e824a5431a..d5a41ce5ec 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -672,11 +672,22 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) +static int ssl_tls13_has_compat_ticket_flags(mbedtls_ssl_context *ssl) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return session != NULL && + mbedtls_ssl_conf_tls13_check_kex_modes(ssl, + mbedtls_ssl_tls13_session_get_ticket_flags( + session, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)); +} + static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) { mbedtls_ssl_session *session = ssl->session_negotiate; return ssl->handshake->resume && - session != NULL && session->ticket != NULL; + session != NULL && session->ticket != NULL && + ssl_tls13_has_compat_ticket_flags(ssl); } #if defined(MBEDTLS_SSL_EARLY_DATA) From 302feb3955360cf25a0e173935a2e9cf5e0699cf Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Fri, 9 Dec 2022 14:27:08 +0800 Subject: [PATCH 09/23] add cases to test session resumption with different ticket_flags This commit add test cases to test if the check of kex change mode in SessionTicket works well. Signed-off-by: Pengyu Lv --- programs/ssl/ssl_client2.c | 3 ++ programs/ssl/ssl_server2.c | 16 +++++++- tests/opt-testcases/tls13-misc.sh | 63 +++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 4b3799f930..d64675d40a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
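Review bot: `ssl_tls13_has_compat_ticket_flags` filters out an incompatible ticket without leaving any trace in the client log, so a resumption that quietly falls back to a full handshake cannot be diagnosed from the client side, whereas the equivalent server check logs "No suitable key exchange mode". Consider emitting `MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags);` and a level-3 message when the check fails. The helper also re-reads `ssl->session_negotiate` and repeats the `session != NULL` test that `ssl_tls13_has_configured_ticket` has already performed before calling it; this is harmless but redundant, and passing `session` in would remove it. A comment stating the intended contract (non-zero when the ticket is usable with the configured key exchange modes) would document the return value.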
@@ -1215,6 +1215,9 @@ usage: opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; } else if (strcmp(q, "all") == 0) { opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; + } else if (strcmp(q, "psk_or_ephemeral") == 0) { + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK | + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; } else { goto usage; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 90a13eba37..b3d9f5a5c7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1412,7 +1412,7 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, return ret; } - switch (opt.dummy_ticket % 7) { + switch (opt.dummy_ticket % 11) { case 1: return MBEDTLS_ERR_SSL_INVALID_MAC; case 2: @@ -1432,6 +1432,20 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, session->ticket_age_add -= 1000; #endif break; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case 7: + session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; + break; + case 8: + session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + break; + case 9: + session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + break; + case 10: + session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; + break; +#endif default: break; } diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 3aaf3f330d..48d5e7817e 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
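Review bot: Changing `opt.dummy_ticket % 7` to `% 11` in `dummy_ticket_parse` (programs/ssl/ssl_server2.c) remaps every value of 7 and above: before this patch `dummy_ticket=8` selected case 1, now it selects the new PSK-flags case. Any existing invocation with a value above 6 changes meaning silently, so the test scripts are worth checking. When MBEDTLS_SSL_PROTO_TLS1_3 is not defined, 7 to 10 now fall through to `default` and behave like 0. Going by the diffstat (3 insertions in ssl_client2.c, 15 in ssl_server2.c), the usage text was not updated for the new `tls13_kex_modes=psk_or_ephemeral` value or the extended `dummy_ticket` range; a line for each in the help output would document them.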
@@ -323,3 +323,66 @@ run_test "TLS 1.3, ext PSK, early data" \ -c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension ( ignored )." +get_resumption_with_ticket_flags_criteria() +{ + ticket_flags=$1 + psk_modes=$2 + if [ "$ticket_flags" = "none" ] || \ + ( [ "$psk_modes" != "psk_all" ] && \ + [ "$ticket_flags" != "psk_all" ] && \ + [ "$psk_modes" != "$ticket_flags" ] ); + then + # ticket_flags is incompatible with the psk_kex_modes + echo ' -c "Pre-configured PSK number = 1"' \ + ' -S "sent selected_identity:"' \ + ' -s "key exchange mode: ephemeral"' \ + ' -S "key exchange mode: psk_ephemeral"' \ + ' -S "key exchange mode: psk$"' \ + ' -s "No suitable key exchange mode"' \ + ' -s "No matched PSK or ticket"' + else + # ticket_flags is compatible with the psk_kex_modes + echo ' -c "Pre-configured PSK number = 1"' \ + ' -S "No suitable key exchange mode"' \ + ' -s "found matched identity"' + fi +} + +run_tests_tls13_resumption_with_ticket_flags() +{ + # all tests in this sequence requires the same configuration. + SKIP_THIS_TESTS="$SKIP_NEXT" + + DUMMY_TICKET_BASE=6 + TLS13_KEX_MODES="ephemeral:psk_or_ephemeral:ephemeral_all:all" + PSK_KEX_MODES="none:psk:psk_ephemeral:psk_all" + + for m in $(seq 4); do + kex_mode="$(echo "$TLS13_KEX_MODES" | cut -d ":" -f "$m")" + # ephemeral only mode doesn't support resumption + if [ "$kex_mode" = "ephemeral" ]; then continue; fi + + for n in $(seq 4); do + supported_psk_modes="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$m")" + dummy_ticket_flags="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$n")" + + eval "set -- $(get_resumption_with_ticket_flags_criteria "$dummy_ticket_flags" "$supported_psk_modes")" + + SKIP_NEXT="$SKIP_THIS_TESTS" + run_test "TLS 1.3 m->m: Resumption with ticket flags, $supported_psk_modes->$dummy_ticket_flags." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=$((n + DUMMY_TICKET_BASE))" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=$kex_mode reconnect=1" \ + 0 \ + "$@" + done + done +} + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_tests_tls13_resumption_with_ticket_flags + From 9eacb44a5e3b4b8e4a91496d1b7d8450a2aefb60 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Fri, 9 Dec 2022 14:39:19 +0800 Subject: [PATCH 10/23] improve code format and readability Signed-off-by: Pengyu Lv --- library/ssl_tls13_client.c | 8 ++++---- library/ssl_tls13_server.c | 16 +++++++--------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index d5a41ce5ec..097505a215 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2630,8 +2630,8 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl, session->ticket_len = ticket_len; /* Clear all flags in ticket_flags */ - mbedtls_ssl_tls13_session_clear_ticket_flags(session, - MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); + mbedtls_ssl_tls13_session_clear_ticket_flags( + session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); 
@@ -2717,8 +2717,8 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, session->resumption_key_len); /* Set ticket_flags depends on the selected key exchange modes */ - mbedtls_ssl_tls13_session_set_ticket_flags(session, - ssl->conf->tls13_kex_modes); + mbedtls_ssl_tls13_session_set_ticket_flags( + session, ssl->conf->tls13_kex_modes); MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); return 0; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index fc89a44a43..49b4c2de28 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -170,12 +170,10 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( * We regard the ticket with incompatible key exchange modes as not match. */ ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, - session->ticket_flags); + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); if (mbedtls_ssl_tls13_check_kex_modes(ssl, - mbedtls_ssl_tls13_session_get_ticket_flags(session, - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) - { + mbedtls_ssl_tls13_session_get_ticket_flags( + session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); goto exit; } @@ -2630,11 +2628,11 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, #endif /* Set ticket_flags depends on the advertised psk key exchange mode */ - mbedtls_ssl_tls13_session_clear_ticket_flags(session, - MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); + mbedtls_ssl_tls13_session_clear_ticket_flags( + session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) - mbedtls_ssl_tls13_session_set_ticket_flags(session, - ssl->handshake->tls13_kex_modes); + mbedtls_ssl_tls13_session_set_ticket_flags( + session, ssl->handshake->tls13_kex_modes); #endif MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); 
From 1735ba30ea3d1f353a7bb8f3cdfe655f778d5b63 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 12 Dec 2022 09:54:30 +0800 Subject: [PATCH 11/23] fix review comments Signed-off-by: Pengyu Lv --- library/debug.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/debug.c b/library/debug.c index 4cc67b4988..76ed7521da 100644 --- a/library/debug.c +++ b/library/debug.c @@ -387,10 +387,9 @@ void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, #endif /* MBEDTLS_ECDH_C */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define BITS_OF(var) (sizeof(var) * 8) #define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a))) -static const char *ticket_flag_name_table[BITS_OF(mbedtls_ssl_tls13_ticket_flags)] = +static const char *ticket_flag_name_table[] = { [0] = "ALLOW_PSK_RESUMPTION", [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", From 06cf66d2ab9a7347b1805432764f029cc59dda92 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 12 Dec 2022 10:43:55 +0800 Subject: [PATCH 12/23] unroll test cases to improve coverage of check_test_cases in all.sh Signed-off-by: Pengyu Lv --- tests/opt-testcases/tls13-misc.sh | 235 +++++++++++++++++++++++------- 1 file changed, 180 insertions(+), 55 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 48d5e7817e..76ae7ce927 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
@@ -323,60 +323,23 @@ run_test "TLS 1.3, ext PSK, early data" \ -c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension ( ignored )." -get_resumption_with_ticket_flags_criteria() -{ - ticket_flags=$1 - psk_modes=$2 - if [ "$ticket_flags" = "none" ] || \ - ( [ "$psk_modes" != "psk_all" ] && \ - [ "$ticket_flags" != "psk_all" ] && \ - [ "$psk_modes" != "$ticket_flags" ] ); - then - # ticket_flags is incompatible with the psk_kex_modes - echo ' -c "Pre-configured PSK number = 1"' \ - ' -S "sent selected_identity:"' \ - ' -s "key exchange mode: ephemeral"' \ - ' -S "key exchange mode: psk_ephemeral"' \ - ' -S "key exchange mode: psk$"' \ - ' -s "No suitable key exchange mode"' \ - ' -s "No matched PSK or ticket"' - else - # ticket_flags is compatible with the psk_kex_modes - echo ' -c "Pre-configured PSK number = 1"' \ - ' -S "No suitable key exchange mode"' \ - ' -s "found matched identity"' - fi -} - -run_tests_tls13_resumption_with_ticket_flags() -{ - # all tests in this sequence requires the same configuration. - SKIP_THIS_TESTS="$SKIP_NEXT" - - DUMMY_TICKET_BASE=6 - TLS13_KEX_MODES="ephemeral:psk_or_ephemeral:ephemeral_all:all" - PSK_KEX_MODES="none:psk:psk_ephemeral:psk_all" - - for m in $(seq 4); do - kex_mode="$(echo "$TLS13_KEX_MODES" | cut -d ":" -f "$m")" - # ephemeral only mode doesn't support resumption - if [ "$kex_mode" = "ephemeral" ]; then continue; fi - - for n in $(seq 4); do - supported_psk_modes="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$m")" - dummy_ticket_flags="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$n")" - - eval "set -- $(get_resumption_with_ticket_flags_criteria "$dummy_ticket_flags" "$supported_psk_modes")" - - SKIP_NEXT="$SKIP_THIS_TESTS" - run_test "TLS 1.3 m->m: Resumption with ticket flags, $supported_psk_modes->$dummy_ticket_flags." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=$((n + DUMMY_TICKET_BASE))" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=$kex_mode reconnect=1" \ - 0 \ - "$@" - done - done -} +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "No suitable key exchange mode" \ + -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C 
@@ -384,5 +347,167 @@ requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHAN MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_tests_tls13_resumption_with_ticket_flags +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "No suitable key exchange mode" \ + -s "No matched PSK or ticket" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "No suitable key exchange mode" \ + -s "No matched PSK or ticket" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "No suitable key exchange mode" \ + -s "No matched PSK or ticket" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "No suitable key exchange mode" \ + -s "No matched PSK or ticket" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ + "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "No suitable key exchange mode" \ + -s "found matched identity" From a1aa31b8b1f1f2aae2d90fd6747beb2b3877051d Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 13 Dec 2022 13:49:59 +0800 Subject: [PATCH 13/23] fix review comments Signed-off-by: Pengyu Lv --- include/mbedtls/debug.h | 2 ++ include/mbedtls/ssl.h | 2 +- library/ssl_misc.h | 2 +- library/ssl_tls13_server.c | 4 ++++ 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 3ca8840834..7f813a3cf8 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -82,7 +82,9 @@ #define MBEDTLS_SSL_DEBUG_ECP(level, text, X) do { } while (0) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) #define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr) do { } while (0) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) #define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) do { } while (0) +#endif #endif /* MBEDTLS_DEBUG_C */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9b34e4fccb..db2e758c2c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -96,7 +96,7 @@ /* Error space gap */ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 -/** The kex mode allowed by ticket is not supported by client */ +/** No suitable key exchange mode for ticket */ #define MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE -0x7A80 /** * Received NewSessionTicket Post Handshake Message. diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 25844d3cf7..57b1d6d528 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
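Review bot: The accepting cases in this hunk (psk/psk, psk/psk_all, psk_ephemeral/psk_ephemeral, psk_ephemeral/psk_all and the three accepting psk_all/* cases) assert only `-s "found matched identity"` and `-S "No suitable key exchange mode"`, so none of them pins which key exchange mode the server selected for the resumed handshake. The ticket flags exist to restrict the mode a ticket may be resumed with, so a case such as psk_all/psk_ephemeral would be stronger with `-s "key exchange mode: psk_ephemeral"` and `-S "key exchange mode: psk$"`, the same patterns the rejecting cases already use. This assumes the server logs the selected mode on the resumed connection as well, which the hunk does not show.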
@@ -2738,6 +2738,6 @@ static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( { session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } -#endif +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ #endif /* ssl_misc.h */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 49b4c2de28..d5dbf82c6f 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2567,6 +2567,10 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) mbedtls_ssl_tls13_handshake_wrapup(ssl); #if defined(MBEDTLS_SSL_SESSION_TICKETS) +/* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires + * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is + * expected to be resolved with issue#6395. + */ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Sent NewSessionTicket message only when client supports PSK */ if (!mbedtls_ssl_tls13_some_psk_enabled(ssl)) { From 80270b215193a90a0bbb7db37142788c4dd9963e Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 12 Jan 2023 11:54:04 +0800 Subject: [PATCH 14/23] rename ticket_flags helper functions to generic ones Ticket flags is quite generic and may make sense in the future versions of TLS or even in TLS 1.2 with new extensions. This change remane the ticket_flags helper functions with more generic `mbedtls_ssl_session` prefix instead of `mbedtls_ssl_tls13_session`. Signed-off-by: Pengyu Lv --- library/ssl_misc.h | 6 +++--- library/ssl_tls13_client.c | 8 ++++---- library/ssl_tls13_server.c | 12 +++++++----- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 57b1d6d528..b3d91125ad 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2720,20 +2720,20 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -static inline uint8_t mbedtls_ssl_tls13_session_get_ticket_flags( +static inline unsigned int mbedtls_ssl_session_get_ticket_flags( mbedtls_ssl_session *session, uint8_t flags) { return session->ticket_flags & (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } -static inline void mbedtls_ssl_tls13_session_set_ticket_flags( +static inline void mbedtls_ssl_session_set_ticket_flags( mbedtls_ssl_session *session, uint8_t flags) { session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } -static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( +static inline void mbedtls_ssl_session_clear_ticket_flags( mbedtls_ssl_session *session, uint8_t flags) { session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 097505a215..a6b3c54147 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -677,9 +677,9 @@ static int ssl_tls13_has_compat_ticket_flags(mbedtls_ssl_context *ssl) mbedtls_ssl_session *session = ssl->session_negotiate; return session != NULL && mbedtls_ssl_conf_tls13_check_kex_modes(ssl, - mbedtls_ssl_tls13_session_get_ticket_flags( + mbedtls_ssl_session_get_ticket_flags( session, - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL)); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL)); } static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) @@ -2630,7 +2630,7 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl, session->ticket_len = ticket_len; /* Clear all flags in ticket_flags */ - mbedtls_ssl_tls13_session_clear_ticket_flags( + mbedtls_ssl_session_clear_ticket_flags( session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 
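Review bot: `mbedtls_ssl_session_get_ticket_flags` now returns `unsigned int` while its `flags` parameter, and that of the set and clear helpers, is still `uint8_t`, so the three helpers no longer agree on one flag type. Callers later in this series pass `ssl->conf->tls13_kex_modes` and `ssl->handshake->tls13_kex_modes` straight in, and any bit above bit 7 would be dropped at the parameter before the mask is applied. For the clear helper that would leave a permission bit set rather than cleared. Using one type throughout (the series already has `mbedtls_ssl_tls13_ticket_flags` in the debug helper's prototype) would make the contract explicit, as would `const mbedtls_ssl_session *session` in the getter, which only reads.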
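Review bot: The mask passed to `mbedtls_ssl_session_get_ticket_flags` changes from `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL` to `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL` in a commit described only as a rename, and nothing at the call says whether that alters the result. If the ephemeral bit lies outside `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` the outcome is unchanged, but the mask's definition is not in this patch. A comment at the call would record the intent, for example `/* Only the PSK-based modes are recorded as ticket flags. */`, if that is indeed the reason. The server-side check in ssl_tls13_offered_psks_check_identity_match_ticket receives the same change; ssl_tls13_has_compat_ticket_flags opens just above this hunk.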
@@ -2717,7 +2717,7 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, session->resumption_key_len); /* Set ticket_flags depends on the selected key exchange modes */ - mbedtls_ssl_tls13_session_set_ticket_flags( + mbedtls_ssl_session_set_ticket_flags( session, ssl->conf->tls13_kex_modes); MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d5dbf82c6f..654a7da317 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -170,10 +170,12 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( * We regard the ticket with incompatible key exchange modes as not match. */ ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); + MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, + session->ticket_flags); if (mbedtls_ssl_tls13_check_kex_modes(ssl, - mbedtls_ssl_tls13_session_get_ticket_flags( - session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL))) { + mbedtls_ssl_session_get_ticket_flags( + session, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); goto exit; } @@ -2632,10 +2634,10 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, #endif /* Set ticket_flags depends on the advertised psk key exchange mode */ - mbedtls_ssl_tls13_session_clear_ticket_flags( + mbedtls_ssl_session_clear_ticket_flags( session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) - mbedtls_ssl_tls13_session_set_ticket_flags( + mbedtls_ssl_session_set_ticket_flags( session, ssl->handshake->tls13_kex_modes); #endif MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); From 189465306db2f33170b1184cfe267c20f81f37ec Mon Sep 17 00:00:00 2001 
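Review bot: The compatibility check in ssl_tls13_offered_psks_check_identity_match_ticket reads with the opposite polarity to its client counterpart, and nothing at either call says so. Here a non-zero return from `mbedtls_ssl_tls13_check_kex_modes(...)` leads to "No suitable key exchange mode" and rejection of the ticket, while ssl_tls13_has_compat_ticket_flags returns `session != NULL && mbedtls_ssl_conf_tls13_check_kex_modes(...)` as its success condition. Neither helper is defined in this patch, so both uses may be correct, but a misread here decides whether a ticket is accepted. I would add `/* mbedtls_ssl_tls13_check_kex_modes() returns non-zero when none of the given modes is usable. */` above the `if`, after confirming it against the helper. The function body extends beyond the hunk on both sides.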
From: Pengyu Lv Date: Thu, 12 Jan 2023 12:28:09 +0800 Subject: [PATCH 15/23] remove MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE error Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags are not compatible with advertised key exchange mode. Signed-off-by: Pengyu Lv --- include/mbedtls/ssl.h | 3 +-- library/ssl_tls13_server.c | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index db2e758c2c..661b23ce7b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -96,8 +96,7 @@ /* Error space gap */ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 -/** No suitable key exchange mode for ticket */ -#define MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE -0x7A80 +/* Error space gap */ /** * Received NewSessionTicket Post Handshake Message. * This error code is experimental and may be changed or removed without notice. diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 654a7da317..16317c0764 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -169,7 +169,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( * * We regard the ticket with incompatible key exchange modes as not match. */ - ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; + ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); if (mbedtls_ssl_tls13_check_kex_modes(ssl, From ee455c01ced4b55846e02746307b8fea1d023791 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 12 Jan 2023 14:37:24 +0800 Subject: [PATCH 16/23] move ticket_flags debug helpers The debug helpers printing ticket_flags status are moved to ssl_tls.c and ssl_debug_helpers.h. 
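Review bot: With `ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;` in ssl_tls13_offered_psks_check_identity_match_ticket the return value no longer tells a caller why the ticket was rejected, and the comment above the assignment still says only that such a ticket is regarded as not matching. The level-3 message "No suitable key exchange mode" from the earlier patch is then the only record of the cause. I would extend the existing comment with a line such as `* The error code is deliberately generic; the debug message below is the only indication of the cause.` so the choice is not later mistaken for an uninitialised default. The function continues outside the hunk, so how the caller maps this value cannot be checked here.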
Signed-off-by: Pengyu Lv --- include/mbedtls/debug.h | 15 --------------- library/debug.c | 36 ------------------------------------ library/ssl_debug_helpers.h | 16 ++++++++++++++++ library/ssl_tls.c | 29 +++++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 51 deletions(-) diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 7f813a3cf8..2b0d00e4c4 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -68,11 +68,6 @@ mbedtls_debug_printf_ecdh(ssl, level, __FILE__, __LINE__, ecdh, attr) #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) \ - mbedtls_debug_print_ticket_flags(ssl, level, __FILE__, __LINE__, flag) -#endif - #else /* MBEDTLS_DEBUG_C */ #define MBEDTLS_SSL_DEBUG_MSG(level, args) do { } while (0) @@ -82,9 +77,6 @@ #define MBEDTLS_SSL_DEBUG_ECP(level, text, X) do { } while (0) #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt) do { } while (0) #define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr) do { } while (0) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) do { } while (0) -#endif #endif /* MBEDTLS_DEBUG_C */ @@ -313,13 +305,6 @@ void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, mbedtls_debug_ecdh_attr attr); #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -void mbedtls_debug_print_ticket_flags( - const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - mbedtls_ssl_tls13_ticket_flags flag); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ - #ifdef __cplusplus } #endif diff --git a/library/debug.c b/library/debug.c index 76ed7521da..12559afe34 100644 --- a/library/debug.c +++ b/library/debug.c 
@@ -386,40 +386,4 @@ void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, } #endif /* MBEDTLS_ECDH_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a))) - -static const char *ticket_flag_name_table[] = -{ - [0] = "ALLOW_PSK_RESUMPTION", - [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", - [3] = "ALLOW_EARLY_DATA", -}; - -void mbedtls_debug_print_ticket_flags( - const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - mbedtls_ssl_tls13_ticket_flags flag) -{ - size_t i; - - if (NULL == ssl || - NULL == ssl->conf || - NULL == ssl->conf->f_dbg || - level > debug_threshold) { - return; - } - - mbedtls_debug_print_msg(ssl, level, file, line, - "print ticket_flags (0x%02x)", flag); - - for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { - if ((flag & (1 << i)) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) { - mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", - ticket_flag_name_table[i]); - } - } -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ - #endif /* MBEDTLS_DEBUG_C */ diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 4d2a170ed9..880ff69671 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -55,6 +55,12 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, int hs_msg_type, unsigned int extension_type, const char *extra_msg0, const char *extra_msg1); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +void mbedtls_debug_print_ticket_flags(const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + mbedtls_ssl_tls13_ticket_flags flag); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \ hs_msg_type, extensions_mask, NULL) 
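Review bot: The prototype keeps the `mbedtls_debug_` prefix although the function is now declared in ssl_debug_helpers.h beside `mbedtls_ssl_print_extension` and is defined in ssl_tls.c. A name such as `mbedtls_ssl_print_ticket_flags` would match its neighbours, with the `MBEDTLS_SSL_DEBUG_TICKET_FLAGS` macro adjusted to call it. The declaration also has no doc comment; a short one stating that `flag` is the session's `ticket_flags` value and that one message is emitted per set flag would be enough.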
@@ -63,12 +69,22 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, mbedtls_ssl_print_extension(ssl, level, __FILE__, __LINE__, \ hs_msg_type, extension_type, \ extra, NULL) + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) \ + mbedtls_debug_print_ticket_flags(ssl, level, __FILE__, __LINE__, flag) +#endif + #else #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extension_mask) #define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) +#endif + #endif /* MBEDTLS_DEBUG_C */ #endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bd8fd8cf78..375233d571 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -735,6 +735,35 @@ void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl, } } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a))) + +static const char *ticket_flag_name_table[] = +{ + [0] = "ALLOW_PSK_RESUMPTION", + [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", + [3] = "ALLOW_EARLY_DATA", +}; + +void mbedtls_debug_print_ticket_flags( + const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + mbedtls_ssl_tls13_ticket_flags flag) +{ + size_t i; + + mbedtls_debug_print_msg(ssl, level, file, line, + "print ticket_flags (0x%02x)", flag); + + for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { + if ((flag & (1 << i)) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) { + mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", + ticket_flag_name_table[i]); + } + } +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + #endif /* MBEDTLS_DEBUG_C */ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 
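Review bot: `ticket_flag_name_table` has no initializer for index 1, so that slot is a null pointer, and the loop in mbedtls_debug_print_ticket_flags passes `ticket_flag_name_table[i]` to a `%s` conversion for every bit that survives the mask. If bit 1 is, or later becomes, part of `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK`, a ticket carrying it would hand NULL to the formatter. Guarding the print closes that: `if (((flag & (1u << i)) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) && ticket_flag_name_table[i] != NULL) {`. Set bits beyond the table's length are silently not reported. The move also dropped the early return on `level > debug_threshold`, so the filtering now rests on `mbedtls_debug_print_msg`, which is not shown here.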
From c1334d934c81ca0de0f2160fae9152bf61c62f07 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 12 Jan 2023 16:18:08 +0800 Subject: [PATCH 17/23] correct test case dependencies Now the config dependencies used for ticket_flags test cases are TLS 1.2 specified. Correct them to MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_* Signed-off-by: Pengyu Lv --- tests/opt-testcases/tls13-misc.sh | 100 ++++++++++++------------------ 1 file changed, 40 insertions(+), 60 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 76ae7ce927..ef7580a020 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -324,11 +324,9 @@ run_test "TLS 1.3, ext PSK, early data" \ -c "EncryptedExtensions: early_data(42) extension ( ignored )." requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 
@@ -342,11 +340,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 
@@ -356,11 +352,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 
@@ -374,11 +368,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 
@@ -388,11 +380,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ 
@@ -406,11 +396,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ 
@@ -424,11 +412,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ 
@@ -438,11 +424,9 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemera -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ 
@@ -452,11 +436,10 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ 
@@ -470,11 +453,10 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ -s "No matched PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ 
@@ -484,11 +466,10 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ 
@@ -498,11 +479,10 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ From 3643fdbab98a2bd38cc9154e3285b9e23f46b404 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 12 Jan 2023 16:46:28 +0800 Subject: [PATCH 18/23] refine the state setting in tls13_handshake_wrapup Signed-off-by: Pengyu Lv --- library/ssl_tls13_server.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 16317c0764..aaf2be336b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -2568,21 +2568,20 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) mbedtls_ssl_tls13_handshake_wrapup(ssl); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is * expected to be resolved with issue#6395. */ -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Sent NewSessionTicket message only when client supports PSK */ - if (!mbedtls_ssl_tls13_some_psk_enabled(ssl)) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); } else #endif - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); -#else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); -#endif + { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + } return 0; } From acecf9c95bb13d11e441f3557cff1733f3622fe3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Jan 2023 11:23:24 +0800 Subject: [PATCH 19/23] make ticket_flags param types consistent When ticket_flags used as parameter, use unsigned int, instead of uint8_t or mbedtls_ssl_tls13_ticket_flags.Also remove the definition of mbedtls_ssl_tls13_ticket_flags. Signed-off-by: Pengyu Lv --- include/mbedtls/ssl.h | 2 -- library/ssl_debug_helpers.h | 2 +- library/ssl_misc.h | 6 +++--- library/ssl_tls.c | 3 +-- 4 files changed, 5 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 661b23ce7b..dbc37e831c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
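Review bot: In `ssl_tls13_handshake_wrapup` the `else` is left hanging across an unlabelled `#endif`, so the braced `MBEDTLS_SSL_HANDSHAKE_OVER` block is an else-branch in one configuration and an unconditional block in the other, which is easy to misread. I would label the directive the way other `#endif`s on this page are labelled, `#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */`, and comment the block, e.g. `/* No NewSessionTicket: tickets/PSK modes are compiled out, or mbedtls_ssl_tls13_some_psk_enabled() is false. */`. The existing comment "Sent NewSessionTicket message only when client supports PSK" should read "Send". The start of the function is outside the hunk.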
@@ -809,8 +809,6 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -typedef uint8_t mbedtls_ssl_tls13_ticket_flags; - #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 880ff69671..84432a3d53 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -58,7 +58,7 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) void mbedtls_debug_print_ticket_flags(const mbedtls_ssl_context *ssl, int level, const char *file, int line, - mbedtls_ssl_tls13_ticket_flags flag); + unsigned int flag); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index b3d91125ad..146dae0fb2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2721,20 +2721,20 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) static inline unsigned int mbedtls_ssl_session_get_ticket_flags( - mbedtls_ssl_session *session, uint8_t flags) + mbedtls_ssl_session *session, unsigned int flags) { return session->ticket_flags & (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } static inline void mbedtls_ssl_session_set_ticket_flags( - mbedtls_ssl_session *session, uint8_t flags) + mbedtls_ssl_session *session, unsigned int flags) { session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } static inline void mbedtls_ssl_session_clear_ticket_flags( - mbedtls_ssl_session *session, uint8_t flags) + mbedtls_ssl_session *session, unsigned int flags) { session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 375233d571..fdec4904ef 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -747,8 +747,7 @@ static const char *ticket_flag_name_table[] = void mbedtls_debug_print_ticket_flags( const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - mbedtls_ssl_tls13_ticket_flags flag) + const char *file, int line, unsigned int flag) { size_t i; From 4938a566bf457fe07927918fa46bdd66e9604f33 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Jan 2023 11:28:49 +0800 Subject: [PATCH 20/23] refine ticket_flags printing helper Signed-off-by: Pengyu Lv --- library/ssl_debug_helpers.h | 12 ++++++------ library/ssl_tls.c | 12 +++++++----- library/ssl_tls13_client.c | 2 +- library/ssl_tls13_server.c | 4 ++-- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 84432a3d53..5c22ed221d 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h 
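Review bot: `mbedtls_ssl_session_get_ticket_flags` in library/ssl_misc.h only reads `session->ticket_flags`, so its first parameter can be `const mbedtls_ssl_session *session`, which makes the read-only contract visible and lets callers holding a const session use it. All three helpers discard any bit outside `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` without saying so; a one-line comment above them, e.g. `/* Bits outside MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK are ignored. */`, would record that. The type of the `ticket_flags` field is not visible in this hunk, so whether the `|=` and `&=` assignments from `unsigned int` narrow should be confirmed against the struct definition.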
@@ -56,9 +56,9 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, const char *extra_msg0, const char *extra_msg1); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -void mbedtls_debug_print_ticket_flags(const mbedtls_ssl_context *ssl, - int level, const char *file, int line, - unsigned int flag); +void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + unsigned int flags); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ @@ -71,8 +71,8 @@ void mbedtls_debug_print_ticket_flags(const mbedtls_ssl_context *ssl, extra, NULL) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) \ - mbedtls_debug_print_ticket_flags(ssl, level, __FILE__, __LINE__, flag) +#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags) \ + mbedtls_ssl_print_ticket_flags(ssl, level, __FILE__, __LINE__, flags) #endif #else @@ -82,7 +82,7 @@ void mbedtls_debug_print_ticket_flags(const mbedtls_ssl_context *ssl, #define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define MBEDTLS_SSL_DEBUG_TICKET_FLAGS(level, flag) +#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags) #endif #endif /* MBEDTLS_DEBUG_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fdec4904ef..86f5c0b555 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -745,17 +745,19 @@ static const char *ticket_flag_name_table[] = [3] = "ALLOW_EARLY_DATA", }; -void mbedtls_debug_print_ticket_flags( - const mbedtls_ssl_context *ssl, int level, - const char *file, int line, unsigned int flag) +void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + unsigned int flags) { size_t i; mbedtls_debug_print_msg(ssl, level, file, line, - "print ticket_flags (0x%02x)", flag); + "print ticket_flags (0x%02x)", flags); + + flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK; for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { - if ((flag & (1 << i)) & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK) { + if ((flags & (1 << i))) { mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", ticket_flag_name_table[i]); } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a6b3c54147..cda1a51508 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2719,7 +2719,7 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, /* Set ticket_flags depends on the selected key exchange modes */ mbedtls_ssl_session_set_ticket_flags( session, ssl->conf->tls13_kex_modes); - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); + MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); return 0; } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index aaf2be336b..acb1523b48 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -170,7 +170,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( * We regard the ticket with incompatible key exchange modes as not match. */ ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, + MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); if (mbedtls_ssl_tls13_check_kex_modes(ssl, mbedtls_ssl_session_get_ticket_flags( 
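Review bot: In `mbedtls_ssl_print_ticket_flags` (library/ssl_tls.c) the loop hands `ticket_flag_name_table[i]` to a `%s` conversion for every set bit, and nothing in the hunk ties the table's populated slots to `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK`. If the designated-initializer table has an unnamed slot (only `[3]` is visible here) and the mask ever covers that bit, a NULL pointer reaches the formatter. The bit test also mixes a signed `1 << i` with the unsigned `flags`. I would write the condition as `if ((flags & (1U << i)) != 0 && ticket_flag_name_table[i] != NULL) {`. The end of the function is outside the hunk.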
@@ -2639,7 +2639,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, mbedtls_ssl_session_set_ticket_flags( session, ssl->handshake->tls13_kex_modes); #endif - MBEDTLS_SSL_DEBUG_TICKET_FLAGS(4, session->ticket_flags); + MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); /* Generate ticket_age_add */ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, From e2f1dbf5ae1d2bad7b6428d364dc027771752d43 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Jan 2023 12:28:27 +0800 Subject: [PATCH 21/23] update docs of ssl_client2 and improve code format Signed-off-by: Pengyu Lv --- library/ssl_tls13_server.c | 9 +++++---- programs/ssl/ssl_client2.c | 3 ++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index acb1523b48..ef90f69a2c 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -172,10 +172,11 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); - if (mbedtls_ssl_tls13_check_kex_modes(ssl, - mbedtls_ssl_session_get_ticket_flags( - session, - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) { + if (mbedtls_ssl_tls13_check_kex_modes( + ssl, + mbedtls_ssl_session_get_ticket_flags( + session, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); goto exit; } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d64675d40a..b12406595a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
@@ -371,7 +371,8 @@ int main(void) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES \ " tls13_kex_modes=%%s default: all\n" \ - " options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n" + " options: psk, psk_ephemeral, psk_all, ephemeral,\n" \ + " ephemeral_all, all, psk_or_ephemeral\n" #else #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ From 2bfd7162930e15ede8c814f234138b5f644a2ec5 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Jan 2023 13:44:10 +0800 Subject: [PATCH 22/23] simplify test case dependencies and test commands Signed-off-by: Pengyu Lv --- tests/opt-testcases/tls13-misc.sh | 48 +++++++++++++++---------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index ef7580a020..821a37bf37 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -323,13 +323,13 @@ run_test "TLS 1.3, ext PSK, early data" \ -c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension ( ignored )." -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "sent selected_identity:" \ 
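Review bot: Nothing in the ticket-flag resumption cases of tests/opt-testcases/tls13-misc.sh records why TLS 1.3 is still guaranteed once `MBEDTLS_SSL_PROTO_TLS1_3` is dropped from `requires_all_configs_enabled` and `force_version=tls13` from `$P_CLI`. Presumably the `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*_ENABLED` requirements imply the protocol option and the server's `force_version=tls13` pins the version, but that is not visible in the hunk. A comment ahead of the first case would keep a later config change from silently skipping or weakening these checks, e.g. `# TLS 1.3 is implied by the KEY_EXCHANGE_MODE_*_ENABLED requirements; the server forces tls13.` The same applies to the remaining hunks of this file in the commit (-339 through -452).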
@@ -339,25 +339,25 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ -s "No suitable key exchange mode" \ -s "No matched PSK or ticket" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "sent selected_identity:" \ 
@@ -367,25 +367,25 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ -s "No suitable key exchange mode" \ -s "No matched PSK or ticket" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "sent selected_identity:" \ 
@@ -395,13 +395,13 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ -s "No suitable key exchange mode" \ -s "No matched PSK or ticket" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "sent selected_identity:" \ 
@@ -411,38 +411,38 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ -s "No suitable key exchange mode" \ -s "No matched PSK or ticket" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." 
\ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral_all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "sent selected_identity:" \ 
@@ -452,40 +452,40 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ -s "No suitable key exchange mode" \ -s "No matched PSK or ticket" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." 
\ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ -s "found matched identity" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \ +requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ - "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=all reconnect=1" \ + "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ -S "No suitable key exchange mode" \ From 9b84ea75de516cbce33d662b7c0a6d19027a1c76 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Jan 2023 14:08:23 +0800 Subject: [PATCH 23/23] remove ssl_tls13_has_compat_ticket_flags This content of the function is moved to ssl_tls13_has_configured_ticket. Signed-off-by: Pengyu Lv --- library/ssl_tls13_client.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index cda1a51508..4aea61ca74 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -672,22 +672,14 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) -static int ssl_tls13_has_compat_ticket_flags(mbedtls_ssl_context *ssl) -{ - mbedtls_ssl_session *session = ssl->session_negotiate; - return session != NULL && - mbedtls_ssl_conf_tls13_check_kex_modes(ssl, - mbedtls_ssl_session_get_ticket_flags( - session, - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL)); -} - static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) { mbedtls_ssl_session *session = ssl->session_negotiate; return ssl->handshake->resume && session != NULL && session->ticket != NULL && - ssl_tls13_has_compat_ticket_flags(ssl); + mbedtls_ssl_conf_tls13_check_kex_modes( + ssl, mbedtls_ssl_session_get_ticket_flags( + session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL)); } #if defined(MBEDTLS_SSL_EARLY_DATA)
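Review bot: The polarity of `mbedtls_ssl_conf_tls13_check_kex_modes` is not documented at its new call site in `ssl_tls13_has_configured_ticket`, where a non-zero result means the ticket is usable. The similarly named `mbedtls_ssl_tls13_check_kex_modes` is used in ssl_tls13_server.c with the opposite sense: non-zero leads to "No suitable key exchange mode". Neither definition is visible on this page, so this is inferred from the call sites. Because this predicate decides whether the client offers a stored ticket, a comment above the `return` would make the intent explicit, e.g. `/* Offer the ticket only if its flags allow at least one configured PSK key exchange mode. */`.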