From 302feb3955360cf25a0e173935a2e9cf5e0699cf Mon Sep 17 00:00:00 2001
From: Pengyu Lv <pengyu.lv@arm.com>
Date: Fri, 9 Dec 2022 14:27:08 +0800
Subject: [PATCH] add cases to test session resumption with different
 ticket_flags

This commit add test cases to test if the check of kex change mode
in SessionTicket works well.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
---
 programs/ssl/ssl_client2.c        |  3 ++
 programs/ssl/ssl_server2.c        | 16 +++++++-
 tests/opt-testcases/tls13-misc.sh | 63 +++++++++++++++++++++++++++++++
 3 files changed, 81 insertions(+), 1 deletion(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 4b3799f930..d64675d40a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1215,6 +1215,9 @@ usage:
                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
             } else if (strcmp(q, "all") == 0) {
                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
+            } else if (strcmp(q, "psk_or_ephemeral") == 0) {
+                opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK |
+                                      MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
             } else {
                 goto usage;
             }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 90a13eba37..b3d9f5a5c7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1412,7 +1412,7 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
         return ret;
     }
 
-    switch (opt.dummy_ticket % 7) {
+    switch (opt.dummy_ticket % 11) {
         case 1:
             return MBEDTLS_ERR_SSL_INVALID_MAC;
         case 2:
@@ -1432,6 +1432,20 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
             session->ticket_age_add -= 1000;
 #endif
             break;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        case 7:
+            session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
+            break;
+        case 8:
+            session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+            break;
+        case 9:
+            session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+            break;
+        case 10:
+            session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
+            break;
+#endif
         default:
             break;
     }
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 3aaf3f330d..48d5e7817e 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -323,3 +323,66 @@ run_test    "TLS 1.3, ext PSK, early data" \
             -c "EncryptedExtensions: early_data(42) extension received." \
             -c "EncryptedExtensions: early_data(42) extension ( ignored )."
 
+get_resumption_with_ticket_flags_criteria()
+{
+    ticket_flags=$1
+    psk_modes=$2
+    if [ "$ticket_flags" = "none" ] || \
+       ( [ "$psk_modes" != "psk_all" ] && \
+         [ "$ticket_flags" != "psk_all" ] && \
+         [ "$psk_modes" != "$ticket_flags" ] );
+    then
+        # ticket_flags is incompatible with the psk_kex_modes
+        echo ' -c "Pre-configured PSK number = 1"' \
+             ' -S "sent selected_identity:"' \
+             ' -s "key exchange mode: ephemeral"' \
+             ' -S "key exchange mode: psk_ephemeral"' \
+             ' -S "key exchange mode: psk$"' \
+             ' -s "No suitable key exchange mode"' \
+             ' -s "No matched PSK or ticket"'
+    else
+        # ticket_flags is compatible with the psk_kex_modes
+        echo ' -c "Pre-configured PSK number = 1"' \
+             ' -S "No suitable key exchange mode"' \
+             ' -s "found matched identity"'
+    fi
+}
+
+run_tests_tls13_resumption_with_ticket_flags()
+{
+    # all tests in this sequence requires the same configuration.
+    SKIP_THIS_TESTS="$SKIP_NEXT"
+
+    DUMMY_TICKET_BASE=6
+    TLS13_KEX_MODES="ephemeral:psk_or_ephemeral:ephemeral_all:all"
+    PSK_KEX_MODES="none:psk:psk_ephemeral:psk_all"
+
+    for m in $(seq 4); do
+        kex_mode="$(echo "$TLS13_KEX_MODES" | cut -d ":" -f "$m")"
+        # ephemeral only mode doesn't support resumption
+        if [ "$kex_mode" = "ephemeral" ]; then continue; fi
+
+        for n in $(seq 4); do
+            supported_psk_modes="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$m")"
+            dummy_ticket_flags="$(echo "$PSK_KEX_MODES" | cut -d ":" -f "$n")"
+
+            eval "set -- $(get_resumption_with_ticket_flags_criteria "$dummy_ticket_flags" "$supported_psk_modes")"
+
+            SKIP_NEXT="$SKIP_THIS_TESTS"
+            run_test "TLS 1.3 m->m: Resumption with ticket flags, $supported_psk_modes->$dummy_ticket_flags." \
+                     "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=$((n + DUMMY_TICKET_BASE))" \
+                     "$P_CLI debug_level=4 force_version=tls13 tls13_kex_modes=$kex_mode reconnect=1" \
+                     0 \
+                     "$@"
+        done
+    done
+}
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS \
+                             MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_tests_tls13_resumption_with_ticket_flags
+