TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure

Browse Source 
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
This commit is contained in:
Ronald Cron
2026-03-17 10:36:38 +00:00
committed by GitHub
parent d7f2a4cdc6 937c70ac90
commit cb0b594a9d
8 changed files with 182 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
tests/opt-testcases/tls13-kex-modes.sh
View File

@@ -482,7 +482,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -503,7 +504,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -546,7 +548,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -567,7 +570,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -611,7 +615,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -634,7 +639,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -656,7 +662,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -701,7 +708,8 @@ run_test "TLS 1.3: G->m: all/all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -723,7 +731,8 @@ run_test "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -768,7 +777,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -813,7 +823,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -835,7 +846,8 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -878,7 +890,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1319,7 +1332,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1339,7 +1353,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1380,7 +1395,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1400,7 +1416,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1442,7 +1459,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1463,7 +1481,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1506,7 +1525,8 @@ run_test "TLS 1.3: O->m: all/all, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1527,7 +1547,8 @@ run_test "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1570,7 +1591,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \
-s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1591,7 +1613,8 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
-s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1880,7 +1903,9 @@ run_test "TLS 1.3: m->m: psk/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk$" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1995,7 +2020,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2083,7 +2110,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2215,7 +2244,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2274,7 +2305,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2319,7 +2352,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2366,7 +2401,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2515,7 +2552,9 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2605,7 +2644,9 @@ run_test "TLS 1.3: m->m: psk_all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2652,7 +2693,9 @@ run_test "TLS 1.3: m->m: all/psk, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk$" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2699,7 +2742,9 @@ run_test "TLS 1.3: m->m: all/psk_ephemeral, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2762,7 +2807,9 @@ run_test "TLS 1.3: m->m: all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2810,7 +2857,9 @@ run_test "TLS 1.3: m->m: all/psk_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2857,7 +2906,9 @@ run_test "TLS 1.3: m->m: all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -3038,7 +3089,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/all, good" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \
-c "HTTP/1.0 200 ok"
-c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3056,7 +3108,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/ephemeral_all, good" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \
-c "HTTP/1.0 200 ok"
-c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
#OPENSSL-SERVER all mode
requires_openssl_tls1_3_with_compatible_ephemeral
@@ -3076,7 +3129,8 @@ run_test "TLS 1.3: m->O: all/all, good" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \
-c "HTTP/1.0 200 ok"
-c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3095,7 +3149,8 @@ run_test "TLS 1.3: m->O: all/ephemeral_all, good" \
-c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \
-c "HTTP/1.0 200 ok"
-c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
#GNUTLS-SERVER psk mode
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3259,7 +3314,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3
@@ -3279,7 +3335,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
#GNUTLS-SERVER all mode
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3301,7 +3358,8 @@ run_test "TLS 1.3: m->G: all/all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3
@@ -3322,4 +3380,5 @@ run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"

14
tests/ssl-opt.sh
View File

@@ -5772,6 +5772,7 @@ run_test "Authentication: server badcert, client none" \
key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI debug_level=3 auth_mode=none" \
0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
@@ -5783,12 +5784,14 @@ run_test "Authentication: server badcert, client none (1.2)" \
key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \
0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \
-C "X509 - Certificate verification failed"
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -5837,6 +5840,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \
0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\
@@ -5844,11 +5848,13 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \
-C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \
"$P_SRV" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \
0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\
@@ -5856,6 +5862,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)"
-C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
# The next few tests check what happens if the server has a valid certificate
# that does not match its name (impersonation).
@@ -5939,12 +5946,14 @@ run_test "Authentication: hostname mismatch, client none" \
"$P_SRV" \
"$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \
0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client required" \
"$P_SRV" \
"$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \
@@ -5970,12 +5979,14 @@ run_test "Authentication: hostname null, client none" \
"$P_SRV" \
"$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \
0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client required" \
"$P_SRV" \
"$P_CLI auth_mode=required set_hostname=no debug_level=2" \
@@ -6015,6 +6026,7 @@ run_test "Authentication: hostname unset, client none" \
"$P_SRV" \
"$P_CLI auth_mode=none set_hostname=no debug_level=2" \
0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
@@ -6173,6 +6185,7 @@ run_test "Authentication: client badcert, server none" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
0 \
-s "! Certificate verification was skipped" \
-s "skip write certificate request" \
-C "skip parse certificate request" \
-c "got no certificate request" \
@@ -6280,6 +6293,7 @@ run_test "Authentication: server max_int+1 chain, client none" \
"$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=none" \
0 \
-c "! Certificate verification was skipped" \
-C "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA

3
tests/suites/test_suite_ssl.data
View File

@@ -3527,3 +3527,6 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI
TLS fatal alert getter
ssl_get_alert_after_fatal
Default verify_result before doing a handshake
verify_result_without_handshake

43
tests/suites/test_suite_ssl.function
View File

@@ -6040,3 +6040,46 @@ exit:
USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void verify_result_without_handshake(void)
{
/* Test the result of verification before we perform a handshake. */
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
PSA_INIT();
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT), 0);
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl);
TEST_EQUAL(verify_result, 0xFFFFFFFF);
/* Set the verify result manually and check that session_free resets it. */
/* Set the verify result to 0. */
ssl.session_negotiate->verify_result = 0;
mbedtls_ssl_session_free(ssl.session_negotiate);
verify_result = mbedtls_ssl_get_verify_result(&ssl);
TEST_EQUAL(verify_result, 0xFFFFFFFF);
exit:
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
PSA_DONE();
}
/* END_CASE */