From 2cffd284bcb84d5c85b3cc28093be32f29c92a3c Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 23 Jun 2022 15:51:23 +0200
Subject: [PATCH 1/7] ssl-opt.sh: Enable Non-blocking I/O tests for TLS 1.3
The other "Non-blocking I/O" tests are not relevant to TLS 1.3 yet: no ticket and session resumption support.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f507a3251b..896e47597a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5657,7 +5657,6 @@ run_test "SNI: DTLS, CA override with CRL" \
 # Tests for non-blocking I/O: exercise a variety of handshake flows
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Non-blocking I/O: basic handshake" \
 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
 "$P_CLI nbio=2 tickets=0" \
@@ -5666,7 +5665,6 @@ run_test "Non-blocking I/O: basic handshake" \
 -C "mbedtls_ssl_handshake returned" \
 -c "Read from server: .* bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Non-blocking I/O: client auth" \
 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
 "$P_CLI nbio=2 tickets=0" \
From ba80d4d60bc94f0007748c70a74bce627a460897 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 23 Jun 2022 16:03:02 +0200
Subject: [PATCH 2/7] ssl-opt.sh: Enable Event-driven I/O tests for TLS 1.3
The other "Event-driven I/O" tests are not relevant to TLS 1.3 yet: no ticket and session resumption support.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 896e47597a..48a73f0e65 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5720,7 +5720,6 @@ run_test "Non-blocking I/O: session-id resume" \
 # Tests for event-driven I/O: exercise a variety of handshake flows
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Event-driven I/O: basic handshake" \
 "$P_SRV event=1 tickets=0 auth_mode=none" \
 "$P_CLI event=1 tickets=0" \
@@ -5729,7 +5728,6 @@ run_test "Event-driven I/O: basic handshake" \
 -C "mbedtls_ssl_handshake returned" \
 -c "Read from server: .* bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Event-driven I/O: client auth" \
 "$P_SRV event=1 tickets=0 auth_mode=required" \
 "$P_CLI event=1 tickets=0" \
From a4417c13a18461a1a00f1930d15abc1ac9866dcd Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 23 Jun 2022 16:06:28 +0200
Subject: [PATCH 3/7] ssl-opt.sh: Add Small/Large packets TLS 1.3 tests
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 48a73f0e65..be66385aa0 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -7358,6 +7358,20 @@ run_test "Small client packet TLS 1.2 AEAD shorter tag" \
 0 \
 -s "Read from client: 1 bytes read"
+run_test "Small client packet TLS 1.3 AEAD" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=1 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -s "Read from client: 1 bytes read"
+
+run_test "Small client packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=1 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -s "Read from client: 1 bytes read"
+
 # Tests for small client packets in DTLS
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
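Review bot: The two `run_test` entries added in the hunk at 7358 force `force_version=tls13` and a `TLS1-3-*` ciphersuite but carry no requirement line, whereas the DTLS block just below them is guarded with `requires_config_enabled MBEDTLS_SSL_PROTO_DTLS`. Unless `run_test` derives the requirement from the command line elsewhere in the script (not visible in this patch), a build without TLS 1.3 would report these as failures instead of skipping them; put `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3` before each new `run_test`. The same applies to the TLS 1.3 entries added in the hunks at 7422, 7498 and 7553. A one-line comment on the "shorter tag" variants, such as `# CCM-8: exercises the 8-byte authentication tag record path`, would also help, since the only difference from the preceding test is the `-8-` in the suite name.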
@@ -7408,6 +7422,18 @@ run_test "Small server packet TLS 1.2 AEAD shorter tag" \
 0 \
 -c "Read from server: 1 bytes read"
+run_test "Small server packet TLS 1.3 AEAD" \
+ "$P_SRV response_size=1 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "Read from server: 1 bytes read"
+
+run_test "Small server packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV response_size=1 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "Read from server: 1 bytes read"
+
 # Tests for small server packets in DTLS
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
@@ -7472,6 +7498,22 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \
 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
 -s "Read from client: $MAX_CONTENT_LEN bytes read"
+run_test "Large client packet TLS 1.3 AEAD" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=16384 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
+
+run_test "Large client packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=16384 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
+
 # The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
 run_test "Large server packet TLS 1.2 BlockCipher" \
 "$P_SRV response_size=16384 force_version=tls12" \
@@ -7511,6 +7553,18 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \
 0 \
 -c "Read from server: 16384 bytes read"
+run_test "Large server packet TLS 1.3 AEAD" \
+ "$P_SRV response_size=16384 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "Read from server: 16384 bytes read"
+
+run_test "Large server packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV response_size=16384 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "Read from server: 16384 bytes read"
+
 # Tests for restartable ECC
 # Force the use of a curve that supports restartable ECC (secp256r1).
From 1938588e80dd1fb958847ea55ac9e2d7b5af7a8a Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 15 Jun 2022 16:26:13 +0200
Subject: [PATCH 4/7] tls13: Align some debug messages with TLS 1.2 ones
Signed-off-by: Ronald Cron
---
 library/ssl_tls.c | 2 +-
 library/ssl_tls13_client.c | 10 ++++++----
 library/ssl_tls13_generic.c | 2 +-
 library/ssl_tls13_server.c | 7 +++++++
 tests/ssl-opt.sh | 2 +-
 5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8332461412..ba6d47d3c0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6139,7 +6139,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
 {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
 return( 0 );
 }
 return( -1 );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b498fd4909..ead0db8355 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1532,9 +1532,12 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
 {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
 }
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
+
 return( SSL_CERTIFICATE_REQUEST_SKIP );
 }
@@ -1687,7 +1690,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
 }
 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
 {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
 ret = 0;
 }
 else
@@ -1697,9 +1699,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
 goto cleanup;
 }
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
- ssl->handshake->client_auth ? "a" : "no" ) );
-
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
 cleanup:
@@ -1803,7 +1802,10 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
 }
 else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
 return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f508bcad36..acd227defd 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -567,7 +567,7 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
 */
 if( ssl->session_negotiate->peer_cert == NULL )
 {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
 #if defined(MBEDTLS_SSL_SRV_C)
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 5be338d3ff..c85ecb5cf9 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1611,7 +1611,11 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
 }
 else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
 return( 0 );
 }
@@ -1741,8 +1745,11 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
 }
 else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
 }
 break;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index be66385aa0..d3e8ddfdda 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4864,7 +4864,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \
 -c "= write certificate$" \
 -C "skip write certificate$" \
 -S "x509_verify_cert() returned" \
- -s "client has no certificate" \
+ -s "peer has no certificate" \
 -s "! mbedtls_ssl_handshake returned" \
 -c "! mbedtls_ssl_handshake returned" \
 -s "No client certification received from the client, but required by the authentication mode"
From c78511b59a506166d02cc3703483a7a11d5bd1b3 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 15 Jun 2022 16:48:34 +0200
Subject: [PATCH 5/7] ssl-opt.sh: Enable some authentication tests for TLS 1.3
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d3e8ddfdda..a96b8a4517 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
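Review bot: In `ssl_tls13_write_server_finished` (library/ssl_tls13_server.c, hunk at 1611 of patch 4/7) the new `else` branch logs "skip parse certificate" and "skip parse certificate verify" from the function that writes the server Finished, and nothing in the code says why parse-side messages are emitted there. The branch condition is outside the hunk; assuming it is the case where no client certificate was requested, add a comment such as `/* No client authentication: the Certificate and CertificateVerify states are bypassed; log it with the TLS 1.2 wording so the same ssl-opt.sh patterns apply. */`. ssl-opt.sh matches on messages of this family (`-C "skip write certificate$"` is visible in this series), so the strings act as a test contract for whether peer authentication ran and should be documented as such. The second hunk, at 1741 in `mbedtls_ssl_tls13_handshake_server_step`, repeats the "skip parse certificate verify" literal and deserves the same comment.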
@@ -4747,7 +4747,6 @@ run_test "DER format: with 9 trailing random bytes" \
 # Tests for auth_mode, there are duplicated tests using ca callback for authentication
 # When updating these tests, modify the matching authentication tests accordingly
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: server badcert, client required" \
 "$P_SRV crt_file=data_files/server5-badsign.crt \
 key_file=data_files/server5.key" \
@@ -4781,7 +4780,6 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \
 -C "X509 - Certificate verification failed" \
 -C "SSL - No CA Chain is set, but required to operate"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: server goodcert, client required, no trusted CA" \
 "$P_SRV" \
 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -4852,7 +4850,6 @@ run_test "Authentication: client SHA384, server required" \
 -c "Supported Signature Algorithm found: 4," \
 -c "Supported Signature Algorithm found: 5,"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client has no cert, server required (TLS)" \
 "$P_SRV debug_level=3 auth_mode=required" \
 "$P_CLI debug_level=3 crt_file=none \
@@ -4866,10 +4863,8 @@ run_test "Authentication: client has no cert, server required (TLS)" \
 -S "x509_verify_cert() returned" \
 -s "peer has no certificate" \
 -s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
 -s "No client certification received from the client, but required by the authentication mode"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client badcert, server required" \
 "$P_SRV debug_level=3 auth_mode=required" \
 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -4885,13 +4880,11 @@ run_test "Authentication: client badcert, server required" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
 -s "send alert level=2 message=48" \
- -c "! mbedtls_ssl_handshake returned" \
 -s "X509 - Certificate verification failed"
 # We don't check that the client receives the alert because it might
 # detect that its write end of the connection is closed and abort
 # before reading the alert message.
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client cert self-signed and trusted, server required" \
 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/server5-selfsigned.crt" \
 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -4907,7 +4900,6 @@ run_test "Authentication: client cert self-signed and trusted, server require
 -S "! The certificate is not correctly signed" \
 -S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client cert not trusted, server required" \
 "$P_SRV debug_level=3 auth_mode=required" \
 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -4925,7 +4917,6 @@ run_test "Authentication: client cert not trusted, server required" \
 -c "! mbedtls_ssl_handshake returned" \
 -s "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client badcert, server optional" \
 "$P_SRV debug_level=3 auth_mode=optional" \
 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -4943,7 +4934,6 @@ run_test "Authentication: client badcert, server optional" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client badcert, server none" \
 "$P_SRV debug_level=3 auth_mode=none" \
 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -4961,7 +4951,6 @@ run_test "Authentication: client badcert, server none" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client no cert, server optional" \
 "$P_SRV debug_level=3 auth_mode=optional" \
 "$P_CLI debug_level=3 crt_file=none key_file=none" \
@@ -5023,7 +5012,6 @@ MAX_IM_CA='8'
 # are in place so that the semantics are consistent with the test description.
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: server max_int chain, client default" \
 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
 key_file=data_files/dir-maxpath/09.key" \
@@ -5033,7 +5021,6 @@ run_test "Authentication: server max_int chain, client default" \
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: server max_int+1 chain, client default" \
 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
 key_file=data_files/dir-maxpath/10.key" \
@@ -5065,7 +5052,6 @@ run_test "Authentication: server max_int+1 chain, client none" \
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client max_int+1 chain, server default" \
 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5075,7 +5061,6 @@ run_test "Authentication: client max_int+1 chain, server default" \
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client max_int+1 chain, server optional" \
 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5085,7 +5070,6 @@ run_test "Authentication: client max_int+1 chain, server optional" \
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client max_int+1 chain, server required" \
 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5095,7 +5079,6 @@ run_test "Authentication: client max_int+1 chain, server required" \
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client max_int chain, server required" \
 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
From 21a1b2d37486406aaf2dec91ed6975bdcc46a8af Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 15 Jun 2022 17:11:35 +0200
Subject: [PATCH 6/7] Enable "Sending app data" SSL unit tests for TLS 1.3
Signed-off-by: Ronald Cron
---
 tests/suites/test_suite_ssl.function | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index ad29f6cb7b..9be1bff82b 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -4829,7 +4829,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls )
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
 void app_data( int mfl, int cli_msg_len, int srv_msg_len,
 int expected_cli_fragments, int expected_srv_fragments, int dtls )
@@ -4843,6 +4843,9 @@ void app_data( int mfl, int cli_msg_len, int srv_msg_len,
 options.expected_cli_fragments = expected_cli_fragments;
 options.expected_srv_fragments = expected_srv_fragments;
 options.dtls = dtls;
+#if ! defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#endif
 perform_handshake( &options );
 /* The goto below is used to avoid an "unused label" warning.*/
@@ -4850,7 +4853,7 @@ void app_data( int mfl, int cli_msg_len, int srv_msg_len,
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
 void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
 int expected_cli_fragments, int expected_srv_fragments )
From a8d79b9eb669cc060fe1266e397c2efbf666e96f Mon Sep 17 00:00:00 2001
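Review bot: The `#if ! defined(MBEDTLS_SSL_PROTO_TLS1_2)` block added to `app_data` (tests/suites/test_suite_ssl.function, hunk at 4843 of patch 6/7) switches the expected version to TLS 1.3 only in builds without TLS 1.2, so in a build with both versions enabled the test keeps whatever default `options` carries and the TLS 1.3 application-data path is not exercised; that assumption is not written down. Add a comment above the `#if`, for example `/* TLS 1.3-only build: the default expected version cannot be negotiated, expect TLS 1.3 instead. */`. The function also takes `dtls`, and the hunk does not show what a DTLS case does once the expected version is forced to TLS 1.3; presumably the DTLS test data depends on an option that cannot be enabled without TLS 1.2, which should be confirmed. `app_data_tls` (hunk at 4853) loses both its `MBEDTLS_SSL_PROTO_TLS1_2` and its `!MBEDTLS_SSL_PROTO_TLS1_3` dependency while its body stays outside the hunk, so if it fills its own options rather than calling `app_data` it needs the same override.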
From: Ronald Cron
Date: Mon, 27 Jun 2022 09:05:35 +0200
Subject: [PATCH 7/7] ssl-opt.sh: Remove one pattern check
In "Authentication: client cert not trusted, server required" ssl-opt.sh test, depending on client and server execution speed, the handshake on the client side may complete successfully: the TLS connection is aborted by the server because it is not able to authenticate the client but at that time the client may have completed the handshake on its side. Thus, do not check that the client handshake failed.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a96b8a4517..79ea4c937f 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4914,7 +4914,6 @@ run_test "Authentication: client cert not trusted, server required" \
 -s "x509_verify_cert() returned" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
 -s "X509 - Certificate verification failed"
 run_test "Authentication: client badcert, server optional" \