lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Add negative tests for opaque mixed-PSK (server)

Browse Source 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
2022-06-14 10:53:15 +02:00
committed by Manuel Pégourié-Gonnard
parent a49a00cc24
commit d80d8a40ee
3 changed files with 42 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
library/ssl_srv.c
View File

@ -4270,7 +4270,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Opaque PSKs are currently only supported for PSK-only. */
if( ssl_use_opaque_psk( ssl ) == 1 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with RSA-PSK" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
@ -4305,7 +4308,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Opaque PSKs are currently only supported for PSK-only. */
if( ssl_use_opaque_psk( ssl ) == 1 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with DHE-PSK" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
if( p != end )
@ -4342,7 +4348,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Opaque PSKs are currently only supported for PSK-only. */
if( ssl_use_opaque_psk( ssl ) == 1 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with ECDHE-PSK" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,

11
programs/ssl/ssl_server2.c
View File

@ -2162,17 +2162,6 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
{
/* Ensure that the chosen ciphersuite is PSK-only; we must know
* the ciphersuite in advance to set the correct policy for the
* PSK key slot. This limitation might go away in the future. */
if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
{
mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
ret = 2;
goto usage;
}
/* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(MBEDTLS_SHA512_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )

33
tests/ssl-opt.sh
View File

@ -1734,6 +1734,39 @@ run_test "Opaque psk: client: RSA-PSK not supported" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: ECDHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
1 \
-s "opaque PSK not supported with ECDHE-PSK" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: DHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
1 \
-s "opaque PSK not supported with DHE-PSK" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: RSA-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
1 \
-s "opaque PSK not supported with RSA-PSK" \
-s "error" \
-c "error"
# Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM