TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure

Browse Source 
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
This commit is contained in:
Ronald Cron
2026-03-17 10:36:38 +00:00
committed by GitHub
parent d7f2a4cdc6 937c70ac90
commit cb0b594a9d
8 changed files with 182 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.d/verify-result-default-value.txt Normal file
View File

@@ -0,0 +1,5 @@
Changes
* Harden mbedtls_ssl_get_verify_result() against misuse.
If the handshake has not yet been attempted, return -1u to indicate
that the result is not available. Previously the result of verification
was zero-initialized so the function would return 0 (indicating success).

7
library/ssl_tls.c
View File

@@ -962,6 +962,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
void mbedtls_ssl_session_init(mbedtls_ssl_session *session) void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
{ {
memset(session, 0, sizeof(mbedtls_ssl_session)); memset(session, 0, sizeof(mbedtls_ssl_session));
/* Set verify_result to -1u to indicate 'result not available'. */
session->verify_result = 0xFFFFFFFF;
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
@@ -4570,6 +4572,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
#endif #endif
mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
/* Set verify_result to -1u to indicate 'result not available'. */
session->verify_result = 0xFFFFFFFF;
} }
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -6977,6 +6982,7 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
return SSL_CERTIFICATE_SKIP; return SSL_CERTIFICATE_SKIP;
} }
@@ -8692,6 +8698,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
void *rs_ctx) void *rs_ctx)
{ {
if (authmode == MBEDTLS_SSL_VERIFY_NONE) { if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
return 0; return 0;
} }

3
library/ssl_tls13_client.c
View File

@@ -2264,6 +2264,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
/* Since we're not using a certificate, set verify_result to skipped */
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
} else { } else {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
} }

3
library/ssl_tls13_server.c
View File

@@ -2616,6 +2616,9 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
/* Since we're not using a certificate, set verify_result to skipped */
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
} else { } else {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
} }

149
tests/opt-testcases/tls13-kex-modes.sh
View File

@@ -482,7 +482,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -503,7 +504,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -546,7 +548,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -567,7 +570,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -611,7 +615,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -634,7 +639,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -656,7 +662,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -701,7 +708,8 @@ run_test "TLS 1.3: G->m: all/all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -723,7 +731,8 @@ run_test "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -768,7 +777,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -813,7 +823,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -835,7 +846,8 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -878,7 +890,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1319,7 +1332,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1339,7 +1353,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1380,7 +1395,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1400,7 +1416,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1442,7 +1459,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1463,7 +1481,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1506,7 +1525,8 @@ run_test "TLS 1.3: O->m: all/all, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \ -s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral" -S "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1527,7 +1547,8 @@ run_test "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1570,7 +1591,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \
-s "No usable PSK or ticket" \ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1591,7 +1613,8 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, good" \
-S "No usable PSK or ticket" \ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \ -S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral" -s "key exchange mode: ephemeral" \
-s "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1880,7 +1903,9 @@ run_test "TLS 1.3: m->m: psk/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk$" \ -c "Selected key exchange mode: psk$" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1995,7 +2020,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2083,7 +2110,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2215,7 +2244,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2274,7 +2305,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2319,7 +2352,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2366,7 +2401,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2515,7 +2552,9 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2605,7 +2644,9 @@ run_test "TLS 1.3: m->m: psk_all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2652,7 +2693,9 @@ run_test "TLS 1.3: m->m: all/psk, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk$" \ -c "Selected key exchange mode: psk$" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2699,7 +2742,9 @@ run_test "TLS 1.3: m->m: all/psk_ephemeral, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2762,7 +2807,9 @@ run_test "TLS 1.3: m->m: all/ephemeral_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2810,7 +2857,9 @@ run_test "TLS 1.3: m->m: all/psk_all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2857,7 +2906,9 @@ run_test "TLS 1.3: m->m: all/all, good" \
-c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped" \
-s "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -3038,7 +3089,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/all, good" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "HTTP/1.0 200 ok" -c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3056,7 +3108,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/ephemeral_all, good" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "HTTP/1.0 200 ok" -c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
#OPENSSL-SERVER all mode #OPENSSL-SERVER all mode
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
@@ -3076,7 +3129,8 @@ run_test "TLS 1.3: m->O: all/all, good" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "HTTP/1.0 200 ok" -c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3095,7 +3149,8 @@ run_test "TLS 1.3: m->O: all/ephemeral_all, good" \
-c "client hello, adding PSK binder list" \ -c "client hello, adding PSK binder list" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "HTTP/1.0 200 ok" -c "HTTP/1.0 200 ok" \
-c "! Certificate verification was skipped"
#GNUTLS-SERVER psk mode #GNUTLS-SERVER psk mode
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3259,7 +3314,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \ -s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3 requires_gnutls_tls1_3
@@ -3279,7 +3335,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \ -s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
#GNUTLS-SERVER all mode #GNUTLS-SERVER all mode
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3301,7 +3358,8 @@ run_test "TLS 1.3: m->G: all/all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \ -s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3 requires_gnutls_tls1_3
@@ -3322,4 +3380,5 @@ run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
-s "Parsing extension 'Pre Shared Key/41'" \ -s "Parsing extension 'Pre Shared Key/41'" \
-c "<= write client hello" \ -c "<= write client hello" \
-c "Selected key exchange mode: psk_ephemeral" \ -c "Selected key exchange mode: psk_ephemeral" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-c "! Certificate verification was skipped"

14
tests/ssl-opt.sh
View File

@@ -5772,6 +5772,7 @@ run_test "Authentication: server badcert, client none" \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI debug_level=3 auth_mode=none" \ "$P_CLI debug_level=3 auth_mode=none" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \ -C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
@@ -5783,12 +5784,14 @@ run_test "Authentication: server badcert, client none (1.2)" \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \ -C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \ -C "send alert level=2 message=48" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
run_test "Authentication: server goodcert, client required, no trusted CA" \ run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -5837,6 +5840,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \ "$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \ -C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\ -C "! Certificate verification flags"\
@@ -5844,11 +5848,13 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \
-C "X509 - Certificate verification failed" \ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate" -C "SSL - No CA Chain is set, but required to operate"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "x509_verify_cert() returned" \ -C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\ -C "! Certificate verification flags"\
@@ -5856,6 +5862,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)"
-C "X509 - Certificate verification failed" \ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate" -C "SSL - No CA Chain is set, but required to operate"
# The next few tests check what happens if the server has a valid certificate # The next few tests check what happens if the server has a valid certificate
# that does not match its name (impersonation). # that does not match its name (impersonation).
@@ -5939,12 +5946,14 @@ run_test "Authentication: hostname mismatch, client none" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \ "$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \ -C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \ -C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \ -C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client required" \ run_test "Authentication: hostname null, client required" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \ "$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \
@@ -5970,12 +5979,14 @@ run_test "Authentication: hostname null, client none" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \ "$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \ -C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \ -C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \ -C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \ -C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client required" \ run_test "Authentication: hostname unset, client required" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI auth_mode=required set_hostname=no debug_level=2" \ "$P_CLI auth_mode=required set_hostname=no debug_level=2" \
@@ -6015,6 +6026,7 @@ run_test "Authentication: hostname unset, client none" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI auth_mode=none set_hostname=no debug_level=2" \ "$P_CLI auth_mode=none set_hostname=no debug_level=2" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "does not match with the expected CN" \ -C "does not match with the expected CN" \
-C "Certificate verification without having set hostname" \ -C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \ -C "Certificate verification without CN verification" \
@@ -6173,6 +6185,7 @@ run_test "Authentication: client badcert, server none" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \ key_file=$DATA_FILES_PATH/server5.key" \
0 \ 0 \
-s "! Certificate verification was skipped" \
-s "skip write certificate request" \ -s "skip write certificate request" \
-C "skip parse certificate request" \ -C "skip parse certificate request" \
-c "got no certificate request" \ -c "got no certificate request" \
@@ -6280,6 +6293,7 @@ run_test "Authentication: server max_int+1 chain, client none" \
"$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \ "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=none" \ auth_mode=none" \
0 \ 0 \
-c "! Certificate verification was skipped" \
-C "X509 - A fatal error occurred" -C "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA

3
tests/suites/test_suite_ssl.data
View File

@@ -3527,3 +3527,6 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI
TLS fatal alert getter TLS fatal alert getter
ssl_get_alert_after_fatal ssl_get_alert_after_fatal
Default verify_result before doing a handshake
verify_result_without_handshake

43
tests/suites/test_suite_ssl.function
View File

@@ -6040,3 +6040,46 @@ exit:
USE_PSA_DONE(); USE_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void verify_result_without_handshake(void)
{
/* Test the result of verification before we perform a handshake. */
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
PSA_INIT();
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT), 0);
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl);
TEST_EQUAL(verify_result, 0xFFFFFFFF);
/* Set the verify result manually and check that session_free resets it. */
/* Set the verify result to 0. */
ssl.session_negotiate->verify_result = 0;
mbedtls_ssl_session_free(ssl.session_negotiate);
verify_result = mbedtls_ssl_get_verify_result(&ssl);
TEST_EQUAL(verify_result, 0xFFFFFFFF);
exit:
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
PSA_DONE();
}
/* END_CASE */