ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-05-21 16:05:46 +08:00
Code Issues Releases Wiki Activity

Merge pull request #6616 from lpy4105/6551-tls13-SessionTicket-kex-change-check

Browse Source 
This PR needs some change logs but there is a follow-up PR (issue #6935) that would change the change logs we would had here thus we will do them all while working on #6935.
This commit is contained in:
Ronald Cron 2023-01-17 16:48:27 +00:00 committed by GitHub
commit 340d4c80af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 310 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/ssl.h
View File

@ -809,8 +809,6 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */
#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \

16
library/ssl_debug_helpers.h
View File

@ -55,6 +55,12 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
int hs_msg_type, unsigned int extension_type, int hs_msg_type, unsigned int extension_type,
const char *extra_msg0, const char *extra_msg1); const char *extra_msg0, const char *extra_msg1);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
int level, const char *file, int line,
unsigned int flags);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \
mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \ mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \
hs_msg_type, extensions_mask, NULL) hs_msg_type, extensions_mask, NULL)
@ -63,12 +69,22 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
mbedtls_ssl_print_extension(ssl, level, __FILE__, __LINE__, \ mbedtls_ssl_print_extension(ssl, level, __FILE__, __LINE__, \
hs_msg_type, extension_type, \ hs_msg_type, extension_type, \
extra, NULL) extra, NULL)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags) \
mbedtls_ssl_print_ticket_flags(ssl, level, __FILE__, __LINE__, flags)
#endif
#else #else
#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extension_mask) #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extension_mask)
#define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra) #define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags)
#endif
#endif /* MBEDTLS_DEBUG_C */ #endif /* MBEDTLS_DEBUG_C */
#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */ #endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */

21
library/ssl_misc.h
View File

@ -2719,4 +2719,25 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
const char *hostname); const char *hostname);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
return session->ticket_flags &
(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
static inline void mbedtls_ssl_session_set_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
static inline void mbedtls_ssl_session_clear_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
#endif /* ssl_misc.h */ #endif /* ssl_misc.h */

30
library/ssl_tls.c
View File

@ -735,6 +735,36 @@ void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
} }
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a)))
static const char *ticket_flag_name_table[] =
{
[0] = "ALLOW_PSK_RESUMPTION",
[2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
[3] = "ALLOW_EARLY_DATA",
};
void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
int level, const char *file, int line,
unsigned int flags)
{
size_t i;
mbedtls_debug_print_msg(ssl, level, file, line,
"print ticket_flags (0x%02x)", flags);
flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
if ((flags & (1 << i))) {
mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
ticket_flag_name_table[i]);
}
}
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
#endif /* MBEDTLS_DEBUG_C */ #endif /* MBEDTLS_DEBUG_C */
void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,

14
library/ssl_tls13_client.c
View File

@ -676,7 +676,10 @@ static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
{ {
mbedtls_ssl_session *session = ssl->session_negotiate; mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume && return ssl->handshake->resume &&
session != NULL && session->ticket != NULL; session != NULL && session->ticket != NULL &&
mbedtls_ssl_conf_tls13_check_kex_modes(
ssl, mbedtls_ssl_session_get_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
} }
#if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_EARLY_DATA)
@ -2618,6 +2621,10 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
session->ticket = ticket; session->ticket = ticket;
session->ticket_len = ticket_len; session->ticket_len = ticket_len;
/* Clear all flags in ticket_flags */
mbedtls_ssl_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
p += 2; p += 2;
@ -2701,6 +2708,11 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
session->resumption_key, session->resumption_key,
session->resumption_key_len); session->resumption_key_len);
/* Set ticket_flags depends on the selected key exchange modes */
mbedtls_ssl_session_set_ticket_flags(
session, ssl->conf->tls13_kex_modes);
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
return 0; return 0;
} }

44
library/ssl_tls13_server.c
View File

@ -161,6 +161,26 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
goto exit; goto exit;
} }
/* RFC 8446 section 4.2.9
*
* Servers SHOULD NOT send NewSessionTicket with tickets that are not
* compatible with the advertised modes; however, if a server does so,
* the impact will just be that the client's attempts at resumption fail.
*
* We regard the ticket with incompatible key exchange modes as not match.
*/
ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
session->ticket_flags);
if (mbedtls_ssl_tls13_check_kex_modes(
ssl,
mbedtls_ssl_session_get_ticket_flags(
session,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
goto exit;
}
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
now = mbedtls_time(NULL); now = mbedtls_time(NULL);
@ -2549,11 +2569,20 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
mbedtls_ssl_tls13_handshake_wrapup(ssl); mbedtls_ssl_tls13_handshake_wrapup(ssl);
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
* SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
* expected to be resolved with issue#6395.
*/
/* Sent NewSessionTicket message only when client supports PSK */
if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
#else } else
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
#endif #endif
{
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
}
return 0; return 0;
} }
@ -2604,6 +2633,15 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
session->start = mbedtls_time(NULL); session->start = mbedtls_time(NULL);
#endif #endif
/* Set ticket_flags depends on the advertised psk key exchange mode */
mbedtls_ssl_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
mbedtls_ssl_session_set_ticket_flags(
session, ssl->handshake->tls13_kex_modes);
#endif
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
/* Generate ticket_age_add */ /* Generate ticket_age_add */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
(unsigned char *) &session->ticket_age_add, (unsigned char *) &session->ticket_age_add,

6
programs/ssl/ssl_client2.c
View File

@ -371,7 +371,8 @@ int main(void)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#define USAGE_TLS1_3_KEY_EXCHANGE_MODES \ #define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
" tls13_kex_modes=%%s default: all\n" \ " tls13_kex_modes=%%s default: all\n" \
" options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n" " options: psk, psk_ephemeral, psk_all, ephemeral,\n" \
" ephemeral_all, all, psk_or_ephemeral\n"
#else #else
#define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #define USAGE_TLS1_3_KEY_EXCHANGE_MODES ""
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@ -1215,6 +1216,9 @@ usage:
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
} else if (strcmp(q, "all") == 0) { } else if (strcmp(q, "all") == 0) {
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
} else if (strcmp(q, "psk_or_ephemeral") == 0) {
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK |
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
} else { } else {
goto usage; goto usage;
} }

16
programs/ssl/ssl_server2.c
View File

@ -1412,7 +1412,7 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
return ret; return ret;
} }
switch (opt.dummy_ticket % 7) { switch (opt.dummy_ticket % 11) {
case 1: case 1:
return MBEDTLS_ERR_SSL_INVALID_MAC; return MBEDTLS_ERR_SSL_INVALID_MAC;
case 2: case 2:
@ -1432,6 +1432,20 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
session->ticket_age_add -= 1000; session->ticket_age_add -= 1000;
#endif #endif
break; break;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
case 7:
session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
break;
case 8:
session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
break;
case 9:
session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
break;
case 10:
session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
break;
#endif
default: default:
break; break;
} }

168
tests/opt-testcases/tls13-misc.sh
View File

@ -323,3 +323,171 @@ run_test "TLS 1.3, ext PSK, early data" \
-c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension received." \
-c "EncryptedExtensions: early_data(42) extension ( ignored )." -c "EncryptedExtensions: early_data(42) extension ( ignored )."
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "sent selected_identity:" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
-s "No suitable key exchange mode" \
-s "No matched PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "sent selected_identity:" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
-s "No suitable key exchange mode" \
-s "No matched PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "sent selected_identity:" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
-s "No suitable key exchange mode" \
-s "No matched PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "sent selected_identity:" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
-s "No suitable key exchange mode" \
-s "No matched PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "sent selected_identity:" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
-s "No suitable key exchange mode" \
-s "No matched PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
-S "No suitable key exchange mode" \
-s "found matched identity"