Merge pull request #10120 from gilles-peskine-arm/test_suite_ssl-fix-ret-20250408
Fix uncaught failure conditions in test_suite_ssl
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c203112..15f44aa 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,6 +7,12 @@
---
+**WARNING:** if the bug you are reporting has or may have security implications,
+we ask that you report it privately to
+<mbed-tls-security@lists.trustedfirmware.org>
+so that we can prepare and release a fix before publishing the details.
+See [SECURITY.md](https://github.com/Mbed-TLS/mbedtls/blob/development/SECURITY.md).
+
### Summary
@@ -25,6 +31,10 @@
### Actual behavior
+**WARNING:* if the actual behaviour suggests memory corruption (like a crash or an error
+from a memory checker), then the bug should be assumed to have security
+implications (until proven otherwise), and we ask what you report it privately,
+see the note at the top of this template.
### Steps to reproduce
diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt
new file mode 100644
index 0000000..1aea653
--- /dev/null
+++ b/ChangeLog.d/add-tls-exporter.txt
@@ -0,0 +1,6 @@
+Features
+ * Add the function mbedtls_ssl_export_keying_material() which allows the
+ client and server to extract additional shared symmetric keys from an SSL
+ session, according to the TLS-Exporter specification in RFC 8446 and 5705.
+ This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
+ mbedtls_config.h.
diff --git a/ChangeLog.d/removal-of-rng.txt b/ChangeLog.d/removal-of-rng.txt
new file mode 100644
index 0000000..a8a19f4
--- /dev/null
+++ b/ChangeLog.d/removal-of-rng.txt
@@ -0,0 +1,5 @@
+API changes
+ * All API functions now use the PSA random generator psa_get_random()
+ internally. As a consequence, functions no longer take RNG parameters.
+ Please refer to the migration guide at :
+ tf-psa-crypto/docs/4.0-migration-guide.md.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 2dc475b..d5a4883 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -738,6 +738,20 @@
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+
+/**
* \def MBEDTLS_SSL_RENEGOTIATION
*
* Enable support for TLS renegotiation.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index e724aa2..c77cec8 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -709,6 +709,14 @@
/* Length in number of bytes of the TLS sequence number */
#define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8
+/* Helper to state that client_random and server_random need to be stored
+ * after the handshake is complete. This is required for context serialization
+ * and for the keying material exporter in TLS 1.2. */
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || \
+ (defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) && defined(MBEDTLS_SSL_PROTO_TLS1_2))
+#define MBEDTLS_SSL_KEEP_RANDBYTES
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -5453,6 +5461,41 @@
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen);
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+/* Maximum value for key_len in mbedtls_ssl_export_keying material. Depending on the TLS
+ * version and the negotiated ciphersuite, larger keys could in principle be exported,
+ * but for simplicity, we define one limit that works in all cases. TLS 1.3 with SHA256
+ * has the strictest limit: 255 blocks of SHA256 output, or 8160 bytes. */
+#define MBEDTLS_SSL_EXPORT_MAX_KEY_LEN 8160
+
+/**
+ * \brief TLS-Exporter to derive shared symmetric keys between server and client.
+ *
+ * \param ssl SSL context from which to export keys. Must have finished the handshake.
+ * \param out Output buffer of length at least key_len bytes.
+ * \param key_len Length of the key to generate in bytes, must be at most
+ * MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160).
+ * \param label Label for which to generate the key of length label_len.
+ * \param label_len Length of label in bytes. Must be at most 249 in TLS 1.3.
+ * \param context Context of the key. Can be NULL if context_len or use_context is 0.
+ * \param context_len Length of context. Must be < 2^16 in TLS 1.2.
+ * \param use_context Indicates if a context should be used in deriving the key.
+ *
+ * \note TLS 1.2 makes a distinction between a 0-length context and no context.
+ * This is why the use_context argument exists. TLS 1.3 does not make
+ * this distinction. If use_context is 0 and TLS 1.3 is used, context and
+ * context_len are ignored and a 0-length context is used.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed.
+ * \return An SSL-specific error on failure.
+ */
+int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
+ uint8_t *out, const size_t key_len,
+ const char *label, const size_t label_len,
+ const unsigned char *context, const size_t context_len,
+ const int use_context);
+#endif
#ifdef __cplusplus
}
#endif
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index de8e0da..9228a3b 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -16,6 +16,9 @@
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
+#include "mbedtls/debug.h"
+#include "debug_internal.h"
+
#include "mbedtls/cipher.h"
#include "psa/crypto.h"
@@ -1134,14 +1137,15 @@
unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
/* We need the Hello random bytes in order to re-derive keys from the
- * Master Secret and other session info,
- * see ssl_tls12_populate_transform() */
+ * Master Secret and other session info and for the keying material
+ * exporter in TLS 1.2.
+ * See ssl_tls12_populate_transform() */
unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
/*!< ServerHello.random+ClientHello.random */
-#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+#endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
};
/*
@@ -1304,12 +1308,30 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_DEBUG_C)
+/* Declared in "ssl_debug_helpers.h". We can't include this file from
+ * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
+ * type definitions. TODO: split the type definitions and the helper
+ * functions into different headers.
+ */
+const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
+#endif
+
static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
mbedtls_ssl_states state)
{
+ MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
+ ssl->state, mbedtls_ssl_states_str(ssl->state),
+ (int) state, mbedtls_ssl_states_str(state)));
ssl->state = (int) state;
}
+static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
+}
+
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index be0dc92..dba8d74 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3699,6 +3699,7 @@
rec->buf_len = rec->data_offset + rec->data_len;
if (rec->data_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("rejecting empty record"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
@@ -5044,7 +5045,7 @@
ssl->out_msglen = 1;
ssl->out_msg[0] = 1;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -5106,7 +5107,7 @@
mbedtls_ssl_update_in_pointers(ssl);
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5a668a4..f95f3c7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -18,6 +18,7 @@
#include "mbedtls/ssl.h"
#include "ssl_client.h"
#include "ssl_debug_helpers.h"
+#include "ssl_tls13_keys.h"
#include "debug_internal.h"
#include "mbedtls/error.h"
@@ -1409,7 +1410,7 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
ssl->flags &= MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION;
ssl->tls_version = ssl->conf->max_tls_version;
@@ -4235,7 +4236,7 @@
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = 0;
break;
@@ -4386,7 +4387,7 @@
}
#endif
- ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
@@ -5144,7 +5145,7 @@
* Most of them already set to the correct value by mbedtls_ssl_init() and
* mbedtls_ssl_reset(), so we only need to set the remaining ones.
*/
- ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
/* Adjust pointers for header fields of outgoing records to
@@ -6214,7 +6215,7 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic(mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
- const char *label,
+ const char *label, size_t label_len,
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen)
{
@@ -6254,7 +6255,7 @@
NULL, 0,
random, rlen,
(unsigned char const *) label,
- (size_t) strlen(label),
+ label_len,
NULL, 0,
dlen);
if (status != PSA_SUCCESS) {
@@ -6295,7 +6296,7 @@
unsigned char *dstbuf, size_t dlen)
{
return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
- label, random, rlen, dstbuf, dlen);
+ label, strlen(label), random, rlen, dstbuf, dlen);
}
#endif /* PSA_WANT_ALG_SHA_256*/
@@ -6307,7 +6308,7 @@
unsigned char *dstbuf, size_t dlen)
{
return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
- label, random, rlen, dstbuf, dlen);
+ label, strlen(label), random, rlen, dstbuf, dlen);
}
#endif /* PSA_WANT_ALG_SHA_384*/
@@ -6726,7 +6727,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6743,7 +6744,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6766,7 +6767,7 @@
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -6774,7 +6775,7 @@
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
if (ssl->handshake->client_auth == 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
}
@@ -6828,7 +6829,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -7282,7 +7283,7 @@
exit:
if (ret == 0) {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
@@ -7460,7 +7461,7 @@
#endif
mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
- ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
}
@@ -7504,16 +7505,16 @@
if (ssl->handshake->resume != 0) {
#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
}
#endif
} else {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
/*
@@ -7639,16 +7640,16 @@
if (ssl->handshake->resume != 0) {
#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
}
#endif
} else {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -7770,7 +7771,7 @@
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
transform->tls_version = tls_version;
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
#endif
@@ -8979,4 +8980,134 @@
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
+ const mbedtls_md_type_t hash_alg,
+ uint8_t *out,
+ const size_t key_len,
+ const char *label,
+ const size_t label_len,
+ const unsigned char *context,
+ const size_t context_len,
+ const int use_context)
+{
+ int ret = 0;
+ unsigned char *prf_input = NULL;
+
+ /* The input to the PRF is client_random, then server_random.
+ * If a context is provided, this is then followed by the context length
+ * as a 16-bit big-endian integer, and then the context itself. */
+ const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN;
+ size_t prf_input_len = randbytes_len;
+ if (use_context) {
+ if (context_len > UINT16_MAX) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* This does not overflow a 32-bit size_t because the current value of
+ * prf_input_len is 64 (length of client_random + server_random) and
+ * context_len fits into two bytes (checked above). */
+ prf_input_len += sizeof(uint16_t) + context_len;
+ }
+
+ prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char));
+ if (prf_input == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(prf_input,
+ ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN,
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ ssl->transform->randbytes,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ if (use_context) {
+ MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len);
+ memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);
+ }
+ ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master),
+ label, label_len,
+ prf_input, prf_input_len,
+ out, key_len);
+ mbedtls_free(prf_input);
+ return ret;
+}
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
+ const mbedtls_md_type_t hash_alg,
+ uint8_t *out,
+ const size_t key_len,
+ const char *label,
+ const size_t label_len,
+ const unsigned char *context,
+ const size_t context_len)
+{
+ const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg);
+ const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
+ const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
+
+ /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
+ * struct as defined in RFC 8446, Section 7.1.
+ *
+ * The length of the context is unlimited even though the context field in the
+ * struct can only hold up to 255 bytes. This is because we place a *hash* of
+ * the context in the field. */
+ if (label_len > 249) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len,
+ (const unsigned char *) label, label_len,
+ context, context_len, out, key_len);
+}
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
+
+int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
+ uint8_t *out, const size_t key_len,
+ const char *label, const size_t label_len,
+ const unsigned char *context, const size_t context_len,
+ const int use_context)
+{
+ if (!mbedtls_ssl_is_handshake_over(ssl)) {
+ /* TODO: Change this to a more appropriate error code when one is available. */
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
+ const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+ const mbedtls_md_type_t hash_alg = ciphersuite->mac;
+
+ switch (mbedtls_ssl_get_version_number(ssl)) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len,
+ label, label_len,
+ context, context_len, use_context);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ return mbedtls_ssl_tls13_export_keying_material(ssl,
+ hash_alg,
+ out,
+ key_len,
+ label,
+ label_len,
+ use_context ? context : NULL,
+ use_context ? context_len : 0);
+#endif
+ default:
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+}
+
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index e0743e1..df7dfbf 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1118,7 +1118,7 @@
ssl->handshake->cookie_len = cookie_len;
/* Start over at ClientHello */
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = mbedtls_ssl_reset_checksum(ssl);
if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
@@ -1327,7 +1327,7 @@
ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->id_len != n ||
memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->resume = 0;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@@ -1336,7 +1336,7 @@
ssl->session_negotiate->id_len = n;
memcpy(ssl->session_negotiate->id, buf + 35, n);
} else {
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
@@ -1839,7 +1839,7 @@
}
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
((void) p);
@@ -2147,7 +2147,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
exit:
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
@@ -2165,7 +2165,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2192,7 +2192,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2210,7 +2210,7 @@
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->client_auth =
(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
@@ -2381,7 +2381,7 @@
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -2683,7 +2683,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2712,7 +2712,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2754,14 +2754,14 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
if (ssl->handshake->client_auth == 0 ||
mbedtls_ssl_own_cert(ssl) == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2843,7 +2843,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2917,7 +2917,7 @@
/* We're not waiting for a NewSessionTicket message any more */
ssl->handshake->new_session_ticket = 0;
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
/*
* Zero-length ticket means the server changed his mind and doesn't want
@@ -2978,13 +2978,13 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
ssl->handshake->new_session_ticket != 0) {
- ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_NEW_SESSION_TICKET);
}
#endif
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@@ -3069,7 +3069,7 @@
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e178550..2b2b49f 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1597,7 +1597,7 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->handshake->ciphersuite_info = ciphersuite_info;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -2015,7 +2015,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
- ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -2183,7 +2183,7 @@
* New session, create a new session id,
* unless we're about to issue a session ticket
*/
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@@ -2207,7 +2207,7 @@
* Resuming a session
*/
n = ssl->session_negotiate->id_len;
- ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
@@ -2333,7 +2333,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -2356,7 +2356,7 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
@@ -3080,7 +3080,7 @@
/* Key exchanges not involving ephemeral keys don't use
* ServerKeyExchange, so end here. */
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
@@ -3134,7 +3134,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@@ -3156,7 +3156,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@@ -3461,7 +3461,7 @@
return ret;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
@@ -3479,7 +3479,7 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@@ -3505,20 +3505,20 @@
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
if (ssl->session_negotiate->peer_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert_digest == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@@ -3530,7 +3530,7 @@
return ret;
}
- ssl->state++;
+ mbedtls_ssl_handshake_increment_state(ssl);
/* Process the message contents */
if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
@@ -3714,7 +3714,7 @@
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
- ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@@ -3803,7 +3803,7 @@
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
- ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index a421a06..dbc703a 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -56,15 +56,16 @@
* };
*
* Parameters:
- * - desired_length: Length of expanded key material
- * Even though the standard allows expansion to up to
- * 2**16 Bytes, TLS 1.3 never uses expansion to more than
- * 255 Bytes, so we require `desired_length` to be at most
- * 255. This allows us to save a few Bytes of code by
- * hardcoding the writing of the high bytes.
+ * - desired_length: Length of expanded key material.
+ * The length field can hold numbers up to 2**16, but HKDF
+ * can only generate outputs of up to 255 * HASH_LEN bytes.
+ * It is the caller's responsibility to ensure that this
+ * limit is not exceeded. In TLS 1.3, SHA256 is the hash
+ * function with the smallest block size, so a length
+ * <= 255 * 32 = 8160 is always safe.
* - (label, label_len): label + label length, without "tls13 " prefix
* The label length MUST be less than or equal to
- * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
+ * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN.
* It is the caller's responsibility to ensure this.
* All (label, label length) pairs used in TLS 1.3
* can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
@@ -91,7 +92,7 @@
#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
sizeof(tls13_label_prefix) + \
- MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
+ MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN)
static void ssl_tls13_hkdf_encode_label(
@@ -107,15 +108,13 @@
unsigned char *p = dst;
- /* Add the size of the expanded key material.
- * We're hardcoding the high byte to 0 here assuming that we never use
- * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
-#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
-#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
- value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+ /* Add the size of the expanded key material. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
+#error "The desired key length must fit into an uint16 but \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
#endif
- *p++ = 0;
+ *p++ = MBEDTLS_BYTE_1(desired_length);
*p++ = MBEDTLS_BYTE_0(desired_length);
/* Add label incl. prefix */
@@ -149,7 +148,7 @@
psa_key_derivation_operation_t operation =
PSA_KEY_DERIVATION_OPERATION_INIT;
- if (label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) {
+ if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) {
/* Should never happen since this is an internal
* function, and we know statically which labels
* are allowed. */
@@ -1824,4 +1823,37 @@
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
+ const unsigned char *secret, const size_t secret_len,
+ const unsigned char *label, const size_t label_len,
+ const unsigned char *context_value, const size_t context_len,
+ unsigned char *out, const size_t out_len)
+{
+ size_t hash_len = PSA_HASH_LENGTH(hash_alg);
+ unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ int ret = 0;
+
+ ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret,
+ hash_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
+ hkdf_secret,
+ hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
+ context_value,
+ context_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+ out,
+ out_len);
+
+exit:
+ mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret));
+ return ret;
+}
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index d3a4c6c..14f6e48 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -60,8 +60,9 @@
mbedtls_ssl_tls13_labels.LABEL, \
MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL)
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
- sizeof(union mbedtls_ssl_tls13_labels_union)
+/* Maximum length of the label field in the HkdfLabel struct defined in
+ * RFC 8446, Section 7.1, excluding the "tls13 " prefix. */
+#define MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN 249
/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
* Since contexts are always hashes of message transcripts, this can
@@ -70,13 +71,11 @@
PSA_HASH_MAX_SIZE
/* Maximum desired length for expanded key material generated
- * by HKDF-Expand-Label.
- *
- * Warning: If this ever needs to be increased, the implementation
- * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
- * adjusted since it currently assumes that HKDF key expansion
- * is never used with more than 255 Bytes of output. */
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+ * by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
+ * bytes of key material where hash_size is the output size of the
+ * underlying hash function. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
+ (255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
/**
* \brief The \c HKDF-Expand-Label function from
@@ -646,6 +645,23 @@
size_t *psk_len);
#endif
+/**
+ * \brief Calculate TLS-Exporter function as defined in RFC 8446, Section 7.5.
+ *
+ * \param[in] hash_alg The hash algorithm.
+ * \param[in] secret The secret to use. (Should be the exporter master secret.)
+ * \param[in] secret_len Length of secret.
+ * \param[in] label The label of the exported key.
+ * \param[in] label_len The length of label.
+ * \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes.
+ * \param[in] out_len Length of the key to generate.
+ */
+int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
+ const unsigned char *secret, const size_t secret_len,
+ const unsigned char *label, const size_t label_len,
+ const unsigned char *context_value, const size_t context_len,
+ uint8_t *out, const size_t out_len);
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 1f58651..bb67c40 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -103,6 +103,8 @@
#define DFL_NSS_KEYLOG 0
#define DFL_NSS_KEYLOG_FILE NULL
#define DFL_SKIP_CLOSE_NOTIFY 0
+#define DFL_EXP_LABEL NULL
+#define DFL_EXP_LEN 20
#define DFL_QUERY_CONFIG_MODE 0
#define DFL_USE_SRTP 0
#define DFL_SRTP_FORCE_PROFILE 0
@@ -365,6 +367,16 @@
#define USAGE_TLS1_3_KEY_EXCHANGE_MODES ""
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#define USAGE_EXPORT \
+ " exp_label=%%s Label to input into TLS-Exporter\n" \
+ " default: None (don't try to export a key)\n" \
+ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
+ " default: 20\n"
+#else
+#define USAGE_EXPORT ""
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
/* USAGE is arbitrarily split to stay under the portable string literal
* length limit: 4095 bytes in C99. */
#define USAGE1 \
@@ -454,6 +466,7 @@
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
+ USAGE_EXPORT \
"\n"
/*
@@ -540,6 +553,8 @@
* after renegotiation */
int reproducible; /* make communication reproducible */
int skip_close_notify; /* skip sending the close_notify alert */
+ const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */
+ int exp_len; /* Length of key to export using mbedtls_ssl_export_keying_material() */
#if defined(MBEDTLS_SSL_EARLY_DATA)
int early_data; /* early data enablement flag */
#endif
@@ -983,6 +998,8 @@
opt.nss_keylog = DFL_NSS_KEYLOG;
opt.nss_keylog_file = DFL_NSS_KEYLOG_FILE;
opt.skip_close_notify = DFL_SKIP_CLOSE_NOTIFY;
+ opt.exp_label = DFL_EXP_LABEL;
+ opt.exp_len = DFL_EXP_LEN;
opt.query_config_mode = DFL_QUERY_CONFIG_MODE;
opt.use_srtp = DFL_USE_SRTP;
opt.force_srtp_profile = DFL_SRTP_FORCE_PROFILE;
@@ -1429,6 +1446,10 @@
if (opt.skip_close_notify < 0 || opt.skip_close_notify > 1) {
goto usage;
}
+ } else if (strcmp(p, "exp_label") == 0) {
+ opt.exp_label = q;
+ } else if (strcmp(p, "exp_len") == 0) {
+ opt.exp_len = atoi(q);
} else if (strcmp(p, "use_srtp") == 0) {
opt.use_srtp = atoi(q);
} else if (strcmp(p, "srtp_force_profile") == 0) {
@@ -2516,6 +2537,33 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+ if (opt.exp_label != NULL && opt.exp_len > 0) {
+ unsigned char *exported_key = mbedtls_calloc((size_t) opt.exp_len, sizeof(unsigned char));
+ if (exported_key == NULL) {
+ mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len);
+ ret = 3;
+ goto exit;
+ }
+ ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t) opt.exp_len,
+ opt.exp_label, strlen(opt.exp_label),
+ NULL, 0, 0);
+ if (ret != 0) {
+ mbedtls_free(exported_key);
+ goto exit;
+ }
+ mbedtls_printf("Exporting key of length %d with label \"%s\": 0x",
+ opt.exp_len,
+ opt.exp_label);
+ for (i = 0; i < opt.exp_len; i++) {
+ mbedtls_printf("%02X", exported_key[i]);
+ }
+ mbedtls_printf("\n\n");
+ fflush(stdout);
+ mbedtls_free(exported_key);
+ }
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
/*
* 6. Write the GET request
*/
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 6338222..3c9fb7e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -70,6 +70,8 @@
#define DFL_NBIO 0
#define DFL_EVENT 0
#define DFL_READ_TIMEOUT 0
+#define DFL_EXP_LABEL NULL
+#define DFL_EXP_LEN 20
#define DFL_CA_FILE ""
#define DFL_CA_PATH ""
#define DFL_CRT_FILE ""
@@ -474,6 +476,16 @@
#define USAGE_SERIALIZATION ""
#endif
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#define USAGE_EXPORT \
+ " exp_label=%%s Label to input into TLS-Exporter\n" \
+ " default: None (don't try to export a key)\n" \
+ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
+ " default: 20\n"
+#else
+#define USAGE_EXPORT ""
+#endif
+
#define USAGE_KEY_OPAQUE_ALGS \
" key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
" comma-separated pair of values among the following:\n" \
@@ -581,6 +593,7 @@
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
+ USAGE_EXPORT \
"\n"
#define PUT_UINT64_BE(out_be, in_le, i) \
@@ -608,6 +621,8 @@
int nbio; /* should I/O be blocking? */
int event; /* loop or event-driven IO? level or edge triggered? */
uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
+ const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */
+ int exp_len; /* Length of key to export using mbedtls_ssl_export_keying_material() */
int response_size; /* pad response with header to requested size */
uint16_t buffer_size; /* IO buffer size */
const char *ca_file; /* the file with the CA certificate(s) */
@@ -1704,6 +1719,8 @@
opt.cid_val = DFL_CID_VALUE;
opt.cid_val_renego = DFL_CID_VALUE_RENEGO;
opt.read_timeout = DFL_READ_TIMEOUT;
+ opt.exp_label = DFL_EXP_LABEL;
+ opt.exp_len = DFL_EXP_LEN;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
@@ -1883,6 +1900,10 @@
}
} else if (strcmp(p, "read_timeout") == 0) {
opt.read_timeout = atoi(q);
+ } else if (strcmp(p, "exp_label") == 0) {
+ opt.exp_label = q;
+ } else if (strcmp(p, "exp_len") == 0) {
+ opt.exp_len = atoi(q);
} else if (strcmp(p, "buffer_size") == 0) {
opt.buffer_size = atoi(q);
if (opt.buffer_size < 1) {
@@ -3605,6 +3626,33 @@
mbedtls_printf("\n");
}
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+ if (opt.exp_label != NULL && opt.exp_len > 0) {
+ unsigned char *exported_key = mbedtls_calloc((size_t) opt.exp_len, sizeof(unsigned char));
+ if (exported_key == NULL) {
+ mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len);
+ ret = 3;
+ goto exit;
+ }
+ ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t) opt.exp_len,
+ opt.exp_label, strlen(opt.exp_label),
+ NULL, 0, 0);
+ if (ret != 0) {
+ mbedtls_free(exported_key);
+ goto exit;
+ }
+ mbedtls_printf("Exporting key of length %d with label \"%s\": 0x",
+ opt.exp_len,
+ opt.exp_label);
+ for (i = 0; i < opt.exp_len; i++) {
+ mbedtls_printf("%02X", exported_key[i]);
+ }
+ mbedtls_printf("\n\n");
+ fflush(stdout);
+ mbedtls_free(exported_key);
+ }
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
#if defined(MBEDTLS_SSL_DTLS_SRTP)
else if (opt.use_srtp != 0) {
size_t j = 0;
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 3ba314f..95bfdb6 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -476,6 +476,18 @@
* /p second_ssl is used as second endpoint and their sockets have to be
* connected before calling this function.
*
+ * For example, to perform a full handshake:
+ * ```
+ * mbedtls_test_move_handshake_to_state(
+ * &server.ssl, &client.ssl,
+ * MBEDTLS_SSL_HANDSHAKE_OVER);
+ * mbedtls_test_move_handshake_to_state(
+ * &client.ssl, &server.ssl,
+ * MBEDTLS_SSL_HANDSHAKE_OVER);
+ * ```
+ * Note that you need both calls to reach the handshake-over state on
+ * both sides.
+ *
* \retval 0 on success, otherwise error code.
*/
int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,
@@ -590,6 +602,14 @@
int msg_len_2, const int expected_fragments_2);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+int mbedtls_test_ssl_do_handshake_with_endpoints(
+ mbedtls_test_ssl_endpoint *server_ep,
+ mbedtls_test_ssl_endpoint *client_ep,
+ mbedtls_test_handshake_test_options *options,
+ mbedtls_ssl_protocol_version proto);
+#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
void mbedtls_test_ssl_perform_handshake(
mbedtls_test_handshake_test_options *options);
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 445f2eb..1eed8ab 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -2047,6 +2047,63 @@
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+int mbedtls_test_ssl_do_handshake_with_endpoints(
+ mbedtls_test_ssl_endpoint *server_ep,
+ mbedtls_test_ssl_endpoint *client_ep,
+ mbedtls_test_handshake_test_options *options,
+ mbedtls_ssl_protocol_version proto)
+{
+ enum { BUFFSIZE = 1024 };
+
+ int ret = -1;
+
+ mbedtls_platform_zeroize(server_ep, sizeof(mbedtls_test_ssl_endpoint));
+ mbedtls_platform_zeroize(client_ep, sizeof(mbedtls_test_ssl_endpoint));
+
+ mbedtls_test_init_handshake_options(options);
+ options->server_min_version = proto;
+ options->client_min_version = proto;
+ options->server_max_version = proto;
+ options->client_max_version = proto;
+
+ ret = mbedtls_test_ssl_endpoint_init(client_ep, MBEDTLS_SSL_IS_CLIENT, options,
+ NULL, NULL, NULL);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = mbedtls_test_ssl_endpoint_init(server_ep, MBEDTLS_SSL_IS_SERVER, options,
+ NULL, NULL, NULL);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_test_mock_socket_connect(&client_ep->socket, &server_ep->socket, BUFFSIZE);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_test_move_handshake_to_state(&server_ep->ssl,
+ &client_ep->ssl,
+ MBEDTLS_SSL_HANDSHAKE_OVER);
+ if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ return ret;
+ }
+ ret = mbedtls_test_move_handshake_to_state(&client_ep->ssl,
+ &server_ep->ssl,
+ MBEDTLS_SSL_HANDSHAKE_OVER);
+ if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ return ret;
+ }
+ if (!mbedtls_ssl_is_handshake_over(&client_ep->ssl) ||
+ !mbedtls_ssl_is_handshake_over(&server_ep->ssl)) {
+ return -1;
+ }
+
+ return 0;
+}
+#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
void mbedtls_test_ssl_perform_handshake(
mbedtls_test_handshake_test_options *options)
{
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ac9b3bb..cd1cae0 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1196,6 +1196,26 @@
fi
}
+# Extract the exported key from the output.
+get_exported_key() {
+ OUTPUT="$1"
+ EXPORTED_KEY1=$(sed -n '/Exporting key of length 20 with label ".*": /s/.*: //p' $OUTPUT)
+}
+
+# Check that the exported key from the output matches the one obtained in get_exported_key().
+check_exported_key() {
+ OUTPUT="$1"
+ EXPORTED_KEY2=$(sed -n '/Exporting key of length 20 with label ".*": /s/.*: //p' $OUTPUT)
+ test "$EXPORTED_KEY1" = "$EXPORTED_KEY2"
+}
+
+# Check that the exported key from the output matches the one obtained in get_exported_key().
+check_exported_key_openssl() {
+ OUTPUT="$1"
+ EXPORTED_KEY2=0x$(sed -n '/Keying material: /s/.*: //p' $OUTPUT)
+ test "$EXPORTED_KEY1" = "$EXPORTED_KEY2"
+}
+
# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
handshake_memory_get() {
OUTPUT_VARIABLE="$1"
@@ -1938,6 +1958,46 @@
run_test_memory_after_handshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
}
+run_test_export_keying_material() {
+ unset EXPORTED_KEY1
+ unset EXPORTED_KEY2
+ TLS_VERSION="$1"
+
+ case $TLS_VERSION in
+ tls12) TLS_VERSION_PRINT="TLS 1.2";;
+ tls13) TLS_VERSION_PRINT="TLS 1.3";;
+ esac
+
+ run_test "$TLS_VERSION_PRINT: Export keying material" \
+ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \
+ "$P_CLI debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \
+ 0 \
+ -s "Exporting key of length 20 with label \".*\": 0x" \
+ -c "Exporting key of length 20 with label \".*\": 0x" \
+ -f get_exported_key \
+ -F check_exported_key
+}
+
+run_test_export_keying_material_openssl_compat() {
+ unset EXPORTED_KEY1
+ unset EXPORTED_KEY2
+ TLS_VERSION="$1"
+
+ case $TLS_VERSION in
+ tls12) TLS_VERSION_PRINT="TLS 1.2"; OPENSSL_CLIENT="$O_CLI";;
+ tls13) TLS_VERSION_PRINT="TLS 1.3"; OPENSSL_CLIENT="$O_NEXT_CLI";;
+ esac
+
+ run_test "$TLS_VERSION_PRINT: Export keying material (OpenSSL compatibility)" \
+ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \
+ "$OPENSSL_CLIENT -keymatexport test-label" \
+ 0 \
+ -s "Exporting key of length 20 with label \".*\": 0x" \
+ -c "Keying material exporter:" \
+ -F get_exported_key \
+ -f check_exported_key_openssl
+}
+
cleanup() {
rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
rm -f context_srv.txt
@@ -2957,6 +3017,24 @@
0 \
-s "Save serialized context to a file... ok" \
-c "Save serialized context to a file... ok"
+
+requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+requires_protocol_version tls12
+run_test_export_keying_material tls12
+
+requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+requires_protocol_version tls12
+run_test_export_keying_material_openssl_compat tls12
+
+requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+requires_protocol_version tls13
+run_test_export_keying_material tls13
+
+requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_openssl_tls1_3_with_compatible_ephemeral
+run_test_export_keying_material_openssl_compat tls13
+
rm -f context_srv.txt
rm -f context_cli.txt
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 565588b..378c533 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -2791,6 +2791,21 @@
depends_on:PSA_WANT_ALG_SHA_256
ssl_tls13_derive_secret:PSA_ALG_SHA_256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406"
+SSL TLS 1.3 Exporter
+# Based on the "exp master" key from RFC 8448, expected result calculated with a HMAC-SHA256 calculator.
+depends_on:PSA_WANT_ALG_SHA_256
+ssl_tls13_exporter:PSA_ALG_SHA_256:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4":"test":"context value":32:"83d0fac39f87c1b4fbcd261369f31149c535391a9199bd4c5daf89fe259c2e94"
+
+SSL TLS 1.3 Exporter, 0-byte label and context
+# Expected output taken from OpenSSL.
+depends_on:PSA_WANT_ALG_SHA_384
+ssl_tls13_exporter:PSA_ALG_SHA_384:"9f355772f34017927ecc81d16e653c7408f945e7f62dc632d3f59e6310ef49401e62a2e3be886e3f930d4bf6300ce30a":"":"":20:"18268580D7C6769194794A84B7A3EE35317DB88A"
+
+SSL TLS 1.3 Exporter, 249-byte label and 0-byte context
+# Expected output taken from OpenSSL.
+depends_on:PSA_WANT_ALG_SHA_384
+ssl_tls13_exporter:PSA_ALG_SHA_384:"c453aeae318ebae00617c430a0066cf586593a4b0150219107420798933cf9e6e4434337cccc2cae5429dc4f77401e39":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345678":"":20:"259531766AAA10FBAB6BF2D11D23264B321743D9"
+
SSL TLS 1.3 Key schedule: Early secrets derivation helper
# Vector from RFC 8448
depends_on:PSA_WANT_ALG_SHA_256
@@ -3329,3 +3344,67 @@
TLS 1.3 srv, max early data size, HRR, 98, wsz=49
tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
+
+TLS 1.2 Keying Material Exporter: Consistent results, no context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:0
+
+TLS 1.2 Keying Material Exporter: Consistent results, with context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1
+
+TLS 1.2 Keying Material Exporter: Consistent results, large keys
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:255 * 32:0
+
+TLS 1.2 Keying Material Exporter: Uses label
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_2
+
+TLS 1.2 Keying Material Exporter: Uses context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_2
+
+TLS 1.2 Keying Material Exporter: Context too long
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_2:24:251:UINT16_MAX + 1
+
+TLS 1.2 Keying Material Exporter: Handshake not done
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:1:MBEDTLS_SSL_SERVER_CERTIFICATE
+
+TLS 1.3 Keying Material Exporter: Consistent results, no context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:0
+
+TLS 1.3 Keying Material Exporter: Consistent results, with context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1
+
+TLS 1.3 Keying Material Exporter: Consistent results, large keys
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32:0
+
+TLS 1.3 Keying Material Exporter: Uses label
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_3
+
+TLS 1.3 Keying Material Exporter: Uses context
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_3
+
+TLS 1.3 Keying Material Exporter: Uses length
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls13_exporter_uses_length
+
+TLS 1.3 Keying Material Exporter: Exported key too long
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32 + 1:20:20
+
+TLS 1.3 Keying Material Exporter: Label too long
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10
+
+TLS 1.3 Keying Material Exporter: Handshake not done
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 743b53c..4567dbd 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -106,6 +106,315 @@
#define TEST_GCM_OR_CHACHAPOLY_ENABLED
#endif
+typedef enum {
+ RECOMBINE_NOMINAL, /* param: ignored */
+ RECOMBINE_SPLIT_FIRST, /* param: offset of split (<=0 means from end) */
+ RECOMBINE_TRUNCATE_FIRST, /* param: offset of truncation (<=0 means from end) */
+ RECOMBINE_INSERT_EMPTY, /* param: offset (<0 means from end) */
+ RECOMBINE_INSERT_RECORD, /* param: record type */
+ RECOMBINE_COALESCE, /* param: number of records (INT_MAX=all) */
+ RECOMBINE_COALESCE_SPLIT_ONCE, /* param: offset of split (<=0 means from end) */
+ RECOMBINE_COALESCE_SPLIT_BOTH_ENDS, /* param: offset, must be >0 */
+} recombine_records_instruction_t;
+
+/* Keep this in sync with the recombine_server_first_flight()
+ * See comment there. */
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
+ defined(PSA_WANT_ALG_SHA_256) && \
+ defined(PSA_WANT_ECC_SECP_R1_256) && \
+ defined(PSA_WANT_ECC_SECP_R1_384) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
+ defined(PSA_WANT_ALG_ECDSA_ANY)
+
+/* Split the first record into two pieces of lengths offset and
+ * record_length-offset. If offset is zero or negative, count from the end of
+ * the record. */
+static int recombine_split_first_record(mbedtls_test_ssl_buffer *buf,
+ int offset)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset > 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ /* Check that we have room to insert a record header */
+ TEST_LE_U(buf->content_length + header_length, buf->capacity);
+
+ /* Make room for a record header */
+ size_t new_record_start = header_length + offset;
+ size_t new_content_start = new_record_start + header_length;
+ memmove(buf->buffer + new_content_start,
+ buf->buffer + new_record_start,
+ buf->content_length - new_record_start);
+ buf->content_length += header_length;
+
+ /* Construct a header for the new record based on the existing one */
+ memcpy(buf->buffer + new_record_start, buf->buffer, header_length);
+ MBEDTLS_PUT_UINT16_BE(record_length - offset,
+ buf->buffer, new_content_start - 2);
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Truncate the first record, keeping only the first offset bytes.
+ * If offset is zero or negative, count from the end of the record.
+ * Remove the subsequent records.
+ */
+static int recombine_truncate_first_record(mbedtls_test_ssl_buffer *buf,
+ int offset)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset > 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ /* Wipe the rest */
+ size_t truncated_end = header_length + offset;
+ memset(buf->buffer + truncated_end, '!',
+ buf->content_length - truncated_end);
+ buf->content_length = truncated_end;
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Insert a (dummy) record at the given offset. If offset is negative,
+ * count from the end of the first record. */
+static int recombine_insert_record(mbedtls_test_ssl_buffer *buf,
+ int offset,
+ uint8_t inserted_record_type)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+
+ if (offset >= 0) {
+ TEST_LE_S(offset, record_length);
+ } else {
+ TEST_LE_S(-offset, record_length);
+ offset = record_length + offset;
+ }
+
+ uint8_t inserted_content[42] = { 0 };
+ size_t inserted_content_length = 0;
+ switch (inserted_record_type) {
+ case MBEDTLS_SSL_MSG_ALERT:
+ inserted_content[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+ inserted_content[1] = MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION;
+ inserted_content_length = 2;
+ break;
+ case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+ inserted_content[0] = 0x01;
+ inserted_content_length = 1;
+ break;
+ case MBEDTLS_SSL_MSG_APPLICATION_DATA:
+ inserted_content_length = sizeof(inserted_content);
+ break;
+ default:
+ /* Leave the content empty */
+ break;
+ }
+
+ /* Check that we have room to insert two record headers plus the new
+ * content. */
+ TEST_LE_U(buf->content_length + 2 * header_length + inserted_content_length,
+ buf->capacity);
+
+ /* Make room for the inserted record and a record header for the fragment */
+ size_t inserted_record_start = header_length + offset;
+ size_t inserted_content_start = inserted_record_start + header_length;
+ size_t tail_record_start = inserted_content_start + inserted_content_length;
+ size_t tail_content_start = tail_record_start + header_length;
+ memmove(buf->buffer + tail_content_start,
+ buf->buffer + inserted_record_start,
+ buf->content_length - inserted_record_start);
+ buf->content_length += 2 * header_length;
+
+ /* Construct the inserted record based on the existing one */
+ memcpy(buf->buffer + inserted_record_start, buf->buffer, header_length);
+ buf->buffer[inserted_record_start] = inserted_record_type;
+ MBEDTLS_PUT_UINT16_BE(inserted_content_length,
+ buf->buffer, inserted_content_start - 2);
+ memcpy(buf->buffer + inserted_content_start,
+ inserted_content, inserted_content_length);
+
+ /* Construct header for the last fragment based on the existing one */
+ memcpy(buf->buffer + tail_record_start, buf->buffer, header_length);
+ MBEDTLS_PUT_UINT16_BE(record_length - offset,
+ buf->buffer, tail_content_start - 2);
+
+ /* Adjust the length of the first record */
+ MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);
+
+ return 0;
+
+exit:
+ return -1;
+}
+
+/* Coalesce TLS handshake records.
+ * DTLS is not supported.
+ * Encrypted or authenticated handshake records are not supported.
+ * Assume the buffer content is a valid sequence of records.
+ *
+ * Coalesce only the first max records, or all the records if there are
+ * fewer than max.
+ * Return the number of coalesced records, or -1 on error.
+ */
+static int recombine_coalesce_handshake_records(mbedtls_test_ssl_buffer *buf,
+ int max)
+{
+ const size_t header_length = 5;
+ TEST_LE_U(header_length, buf->content_length);
+ if (buf->buffer[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ return 0;
+ }
+
+ size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
+ TEST_LE_U(header_length + record_length, buf->content_length);
+
+ int count;
+ for (count = 1; count < max; count++) {
+ size_t next_start = header_length + record_length;
+ if (next_start >= buf->content_length) {
+ /* We've already reached the last record. */
+ break;
+ }
+
+ TEST_LE_U(next_start + header_length, buf->content_length);
+ if (buf->buffer[next_start] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ /* There's another record, but it isn't a handshake record. */
+ break;
+ }
+ size_t next_length =
+ MBEDTLS_GET_UINT16_BE(buf->buffer, next_start + header_length - 2);
+ TEST_LE_U(next_start + header_length + next_length, buf->content_length);
+
+ /* Erase the next record header */
+ memmove(buf->buffer + next_start,
+ buf->buffer + next_start + header_length,
+ buf->content_length - next_start);
+ buf->content_length -= header_length;
+ /* Update the first record length */
+ record_length += next_length;
+ TEST_LE_U(record_length, 0xffff);
+ MBEDTLS_PUT_UINT16_BE(record_length, buf->buffer, header_length - 2);
+ }
+
+ return count;
+
+exit:
+ return -1;
+}
+
+static int recombine_records(mbedtls_test_ssl_endpoint *server,
+ recombine_records_instruction_t instruction,
+ int param)
+{
+ mbedtls_test_ssl_buffer *buf = server->socket.output;
+ int ret;
+
+ /* buf is a circular buffer. For simplicity, this code assumes that
+ * the data is located at the beginning. This should be ok since
+ * this function is only meant to be used on the first flight
+ * emitted by a server. */
+ TEST_EQUAL(buf->start, 0);
+
+ switch (instruction) {
+ case RECOMBINE_NOMINAL:
+ break;
+
+ case RECOMBINE_SPLIT_FIRST:
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_TRUNCATE_FIRST:
+ ret = recombine_truncate_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_INSERT_EMPTY:
+ /* Insert an empty handshake record. */
+ ret = recombine_insert_record(buf, param, MBEDTLS_SSL_MSG_HANDSHAKE);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_INSERT_RECORD:
+ /* Insert an extra record at a position where splitting
+ * would be ok. */
+ ret = recombine_insert_record(buf, 5, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_COALESCE:
+ ret = recombine_coalesce_handshake_records(buf, param);
+ /* If param != INT_MAX, enforce that there were that many
+ * records to coalesce. In particular, 1 < param < INT_MAX
+ * ensures that library will see some coalesced records. */
+ if (param == INT_MAX) {
+ TEST_LE_S(1, ret);
+ } else {
+ TEST_EQUAL(ret, param);
+ }
+ break;
+
+ case RECOMBINE_COALESCE_SPLIT_ONCE:
+ ret = recombine_coalesce_handshake_records(buf, INT_MAX);
+ /* Require at least two coalesced records, otherwise this
+ * doesn't lead to a meaningful test (use
+ * RECOMBINE_SPLIT_FIRST instead). */
+ TEST_LE_S(2, ret);
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ case RECOMBINE_COALESCE_SPLIT_BOTH_ENDS:
+ ret = recombine_coalesce_handshake_records(buf, INT_MAX);
+ /* Accept a single record, which will be split at both ends */
+ TEST_LE_S(1, ret);
+ TEST_LE_S(1, param);
+ ret = recombine_split_first_record(buf, -param);
+ TEST_LE_S(0, ret);
+ ret = recombine_split_first_record(buf, param);
+ TEST_LE_S(0, ret);
+ break;
+
+ default:
+ TEST_FAIL("Instructions not understood");
+ }
+
+ return 1;
+
+exit:
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED etc */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -1695,6 +2004,37 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */
+void ssl_tls13_exporter(int hash_alg,
+ data_t *secret,
+ char *label,
+ char *context_value,
+ int desired_length,
+ data_t *expected)
+{
+ unsigned char dst[100];
+
+ /* Check sanity of test parameters. */
+ TEST_ASSERT((size_t) desired_length <= sizeof(dst));
+ TEST_ASSERT((size_t) desired_length == expected->len);
+
+ PSA_INIT();
+
+ TEST_ASSERT(mbedtls_ssl_tls13_exporter(
+ (psa_algorithm_t) hash_alg,
+ secret->x, secret->len,
+ (unsigned char *) label, strlen(label),
+ (unsigned char *) context_value, strlen(context_value),
+ dst, desired_length) == 0);
+
+ TEST_MEMORY_COMPARE(dst, desired_length,
+ expected->x, desired_length);
+
+exit:
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_early_secrets(int hash_alg,
data_t *secret,
@@ -2840,6 +3180,165 @@
}
/* END_CASE */
+/* This test case doesn't actually depend on certificates,
+ * but our helper code for mbedtls_test_ssl_endpoint does.
+ * Also, it needs specific hashes, algs and curves for the
+ * hardcoded test certificates. In principle both RSA and ECDSA
+ * can be used, but we hardcode ECDSA in order to avoid having
+ * to express dependencies like "RSA or ECDSA with those curves". */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ALG_ECDSA_ANY */
+void recombine_server_first_flight(int version,
+ int instruction, int param,
+ char *client_log, char *server_log,
+ int goal_state, int expected_ret)
+{
+ /* Make sure we have a buffer that's large enough for the longest
+ * data that the library might ever send, plus a bit extra so that
+ * we can inject more content. The library won't ever send more than
+ * 2^14 bytes of handshake messages, so we round that up. In practice
+ * we could surely get away with a much smaller buffer. The main
+ * variable part is the server certificate. */
+ enum { BUFFSIZE = 17000 };
+ mbedtls_test_ssl_endpoint client;
+ memset(&client, 0, sizeof(client));
+ mbedtls_test_ssl_endpoint server;
+ memset(&server, 0, sizeof(server));
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_test_init_handshake_options(&server_options);
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_test_ssl_log_pattern cli_pattern = { .pattern = client_log };
+ mbedtls_test_ssl_log_pattern srv_pattern = { .pattern = server_log };
+#else
+ (void) client_log;
+ (void) server_log;
+#endif
+ int ret = 0;
+
+ MD_OR_USE_PSA_INIT();
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_debug_set_threshold(3);
+#endif
+
+ // Does't really matter but we want to know to declare dependencies.
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+
+ client_options.client_min_version = version;
+ client_options.client_max_version = version;
+#if defined(MBEDTLS_DEBUG_C)
+ client_options.cli_log_obj = &cli_pattern;
+ client_options.cli_log_fun = mbedtls_test_ssl_log_analyzer;
+#endif
+ TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL,
+ NULL), 0);
+
+ server_options.server_min_version = version;
+ server_options.server_max_version = version;
+#if defined(MBEDTLS_DEBUG_C)
+ server_options.srv_log_obj = &srv_pattern;
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+#endif
+ TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL,
+ NULL), 0);
+
+ TEST_EQUAL(mbedtls_test_mock_socket_connect(&client.socket,
+ &server.socket,
+ BUFFSIZE), 0);
+
+ /* Client: emit the first flight from the client */
+ while (ret == 0) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ }
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ ret = 0;
+ TEST_EQUAL(client.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+
+ /* Server: parse the first flight from the client
+ * and emit the first flight from the server */
+ while (ret == 0) {
+ mbedtls_test_set_step(1000 + server.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&server.ssl);
+ }
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ ret = 0;
+ TEST_EQUAL(server.ssl.state, MBEDTLS_SSL_SERVER_HELLO_DONE + 1);
+
+ /* Recombine the first flight from the server */
+ TEST_ASSERT(recombine_records(&server, instruction, param));
+
+ /* Client: parse the first flight from the server
+ * and emit the second flight from the client */
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ if (client.ssl.state == goal_state && ret != 0) {
+ TEST_EQUAL(ret, expected_ret);
+ goto goal_reached;
+ }
+ }
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* A default TLS 1.3 handshake has only 1 flight from the server,
+ * while the default (non-resumption) 1.2 handshake has two. */
+ if (version >= MBEDTLS_SSL_VERSION_TLS1_3 &&
+ goal_state >= MBEDTLS_SSL_HANDSHAKE_OVER) {
+ TEST_EQUAL(ret, 0);
+ } else
+#endif
+ {
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+ }
+ ret = 0;
+
+ /* Server: parse the first flight from the client
+ * and emit the second flight from the server */
+ if (instruction == RECOMBINE_TRUNCATE_FIRST) {
+ /* Close without a notification. The case of closing with a
+ * notification is tested via RECOMBINE_INSERT_RECORD to insert
+ * an alert record (which we reject, making the client SSL
+ * context become invalid). */
+ mbedtls_test_mock_socket_close(&server.socket);
+ goto goal_reached;
+ }
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&server.ssl)) {
+ mbedtls_test_set_step(1000 + server.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&server.ssl);
+ }
+ TEST_EQUAL(ret, 0);
+
+ /* Client: parse the second flight from the server */
+ while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
+ mbedtls_test_set_step(client.ssl.state);
+ ret = mbedtls_ssl_handshake_step(&client.ssl);
+ }
+ if (client.ssl.state == goal_state) {
+ TEST_EQUAL(ret, expected_ret);
+ } else {
+ TEST_EQUAL(ret, 0);
+ }
+
+goal_reached:
+#if defined(MBEDTLS_DEBUG_C)
+ TEST_ASSERT(cli_pattern.counter >= 1);
+ TEST_ASSERT(srv_pattern.counter >= 1);
+#endif
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client, NULL);
+ mbedtls_test_ssl_endpoint_free(&server, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ MD_OR_USE_PSA_DONE();
+#if defined(MBEDTLS_DEBUG_C)
+ mbedtls_debug_set_threshold(0);
+#endif
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void renegotiation(int legacy_renegotiation)
{
@@ -5200,3 +5699,262 @@
PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context)
+{
+ /* Test that the client and server generate the same key. */
+
+ int ret = -1;
+ uint8_t *key_buffer_server = NULL;
+ uint8_t *key_buffer_client = NULL;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options options;
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto);
+ TEST_ASSERT(ret == 0);
+
+ TEST_ASSERT(exported_key_length > 0);
+ TEST_CALLOC(key_buffer_server, exported_key_length);
+ TEST_CALLOC(key_buffer_client, exported_key_length);
+
+ memset(key_buffer_server, 0, exported_key_length);
+ memset(key_buffer_client, 0, exported_key_length);
+
+ char label[] = "test-label";
+ unsigned char context[128] = { 0 };
+ ret = mbedtls_ssl_export_keying_material(&server_ep.ssl,
+ key_buffer_server, (size_t) exported_key_length,
+ label, sizeof(label),
+ context, sizeof(context), use_context);
+ TEST_ASSERT(ret == 0);
+ ret = mbedtls_ssl_export_keying_material(&client_ep.ssl,
+ key_buffer_client, (size_t) exported_key_length,
+ label, sizeof(label),
+ context, sizeof(context), use_context);
+ TEST_ASSERT(ret == 0);
+ TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t) exported_key_length) == 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ mbedtls_free(key_buffer_server);
+ mbedtls_free(key_buffer_client);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls_exporter_uses_label(int proto)
+{
+ /* Test that the client and server export different keys when using different labels. */
+
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options options;
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto);
+ TEST_ASSERT(ret == 0);
+
+ char label_server[] = "test-label-server";
+ char label_client[] = "test-label-client";
+ uint8_t key_buffer_server[24] = { 0 };
+ uint8_t key_buffer_client[24] = { 0 };
+ unsigned char context[128] = { 0 };
+ ret = mbedtls_ssl_export_keying_material(&server_ep.ssl,
+ key_buffer_server, sizeof(key_buffer_server),
+ label_server, sizeof(label_server),
+ context, sizeof(context), 1);
+ TEST_ASSERT(ret == 0);
+ ret = mbedtls_ssl_export_keying_material(&client_ep.ssl,
+ key_buffer_client, sizeof(key_buffer_client),
+ label_client, sizeof(label_client),
+ context, sizeof(context), 1);
+ TEST_ASSERT(ret == 0);
+ TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls_exporter_uses_context(int proto)
+{
+ /* Test that the client and server export different keys when using different contexts. */
+
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options options;
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto);
+ TEST_ASSERT(ret == 0);
+
+ char label[] = "test-label";
+ uint8_t key_buffer_server[24] = { 0 };
+ uint8_t key_buffer_client[24] = { 0 };
+ unsigned char context_server[128] = { 0 };
+ unsigned char context_client[128] = { 23 };
+ ret = mbedtls_ssl_export_keying_material(&server_ep.ssl,
+ key_buffer_server, sizeof(key_buffer_server),
+ label, sizeof(label),
+ context_server, sizeof(context_server), 1);
+ TEST_ASSERT(ret == 0);
+ ret = mbedtls_ssl_export_keying_material(&client_ep.ssl,
+ key_buffer_client, sizeof(key_buffer_client),
+ label, sizeof(label),
+ context_client, sizeof(context_client), 1);
+ TEST_ASSERT(ret == 0);
+ TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls13_exporter_uses_length(void)
+{
+ /* In TLS 1.3, when two keys are exported with the same parameters except one is shorter,
+ * the shorter key should NOT be a prefix of the longer one. */
+
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options options;
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep,
+ &client_ep,
+ &options,
+ MBEDTLS_SSL_VERSION_TLS1_3);
+ TEST_ASSERT(ret == 0);
+
+ char label[] = "test-label";
+ uint8_t key_buffer_server[16] = { 0 };
+ uint8_t key_buffer_client[24] = { 0 };
+ unsigned char context[128] = { 0 };
+ ret = mbedtls_ssl_export_keying_material(&server_ep.ssl,
+ key_buffer_server, sizeof(key_buffer_server),
+ label, sizeof(label),
+ context, sizeof(context), 1);
+ TEST_ASSERT(ret == 0);
+ ret = mbedtls_ssl_export_keying_material(&client_ep.ssl,
+ key_buffer_client, sizeof(key_buffer_client),
+ label, sizeof(label),
+ context, sizeof(context), 1);
+ TEST_ASSERT(ret == 0);
+ TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls_exporter_rejects_bad_parameters(
+ int proto, int exported_key_length, int label_length, int context_length)
+{
+ int ret = -1;
+ uint8_t *key_buffer = NULL;
+ char *label = NULL;
+ uint8_t *context = NULL;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options options;
+
+ TEST_ASSERT(exported_key_length > 0);
+ TEST_ASSERT(label_length > 0);
+ TEST_ASSERT(context_length > 0);
+ TEST_CALLOC(key_buffer, exported_key_length);
+ TEST_CALLOC(label, label_length);
+ TEST_CALLOC(context, context_length);
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto);
+ TEST_ASSERT(ret == 0);
+
+ ret = mbedtls_ssl_export_keying_material(&client_ep.ssl,
+ key_buffer, exported_key_length,
+ label, label_length,
+ context, context_length, 1);
+ TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ mbedtls_free(key_buffer);
+ mbedtls_free(label);
+ mbedtls_free(context);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
+void ssl_tls_exporter_too_early(int proto, int check_server, int state)
+{
+ enum { BUFFSIZE = 1024 };
+
+ int ret = -1;
+ mbedtls_test_ssl_endpoint server_ep, client_ep;
+
+ mbedtls_test_handshake_test_options options;
+ mbedtls_test_init_handshake_options(&options);
+ options.server_min_version = proto;
+ options.client_min_version = proto;
+ options.server_max_version = proto;
+ options.client_max_version = proto;
+
+ MD_OR_USE_PSA_INIT();
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &options,
+ NULL, NULL, NULL);
+ TEST_ASSERT(ret == 0);
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &options,
+ NULL, NULL, NULL);
+ TEST_ASSERT(ret == 0);
+
+ ret = mbedtls_test_mock_socket_connect(&client_ep.socket, &server_ep.socket, BUFFSIZE);
+ TEST_ASSERT(ret == 0);
+
+ if (check_server) {
+ ret = mbedtls_test_move_handshake_to_state(&server_ep.ssl, &client_ep.ssl, state);
+ } else {
+ ret = mbedtls_test_move_handshake_to_state(&client_ep.ssl, &server_ep.ssl, state);
+ }
+ TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || MBEDTLS_ERR_SSL_WANT_WRITE);
+
+ char label[] = "test-label";
+ uint8_t key_buffer[24] = { 0 };
+ ret = mbedtls_ssl_export_keying_material(check_server ? &server_ep.ssl : &client_ep.ssl,
+ key_buffer, sizeof(key_buffer),
+ label, sizeof(label),
+ NULL, 0, 0);
+
+ /* FIXME: A more appropriate error code should be created for this case. */
+ TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_free_handshake_options(&options);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_ssl.records.data b/tests/suites/test_suite_ssl.records.data
new file mode 100644
index 0000000..8220cb0
--- /dev/null
+++ b/tests/suites/test_suite_ssl.records.data
@@ -0,0 +1,162 @@
+Recombine server flight 1: TLS 1.2, nominal
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_NOMINAL:0:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, nominal
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_NOMINAL:0:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce 2
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:2:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce 3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:3:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce all
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE:INT_MAX:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# TLS 1.3 has a single non-encrypted handshake record, so this doesn't
+# actually perform any coalescing. Run the test case anyway, but this does
+# very little beyond exercising the test code itself a little.
+Recombine server flight 1: TLS 1.3, coalesce all
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_COALESCE:INT_MAX:"<= handshake wrapup":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, split first at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, split first at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, split first at end-1
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:-1:"subsequent handshake fragment\: 1,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.3, split first at end-1
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:-1:"subsequent handshake fragment\: 1,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# The library doesn't support an initial handshake fragment that doesn't
+# contain the full 4-byte handshake header.
+Recombine server flight 1: TLS 1.2, split first at 3 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:3:"handshake message too short\: 3":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 3 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:3:"handshake message too short\: 3":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, split first at 2 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:2:"handshake message too short\: 2":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 2 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:2:"handshake message too short\: 2":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, split first at 1 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:1:"handshake message too short\: 1":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, split first at 1 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:1:"handshake message too short\: 1":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, truncate at 4 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_TRUNCATE_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_WANT_READ
+
+Recombine server flight 1: TLS 1.3, truncate at 4 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_TRUNCATE_FIRST:4:"initial handshake fragment\: 4, 0..4 of":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_WANT_READ
+
+Recombine server flight 1: TLS 1.2, insert empty record after first (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_SPLIT_FIRST:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_CERTIFICATE:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record after first (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_SPLIT_FIRST:0:"rejecting empty record":"":MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert empty record at start (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_EMPTY:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record at start (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_EMPTY:0:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert empty record at 42 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_EMPTY:42:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert empty record at 42 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_EMPTY:42:"rejecting empty record":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert ChangeCipherSpec record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert ChangeCipherSpec record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert alert record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_ALERT:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert alert record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_ALERT:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert data record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_APPLICATION_DATA:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.3, insert data record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_APPLICATION_DATA:"non-handshake message in the middle of a fragmented handshake message":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+
+Recombine server flight 1: TLS 1.2, insert CID record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CID:"unknown record type":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert CID record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:MBEDTLS_SSL_MSG_CID:"unknown record type":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.2, insert unknown record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_INSERT_RECORD:255:"unknown record type 255":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+Recombine server flight 1: TLS 1.3, insert unknown record at 5 (bad)
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_3:RECOMBINE_INSERT_RECORD:255:"unknown record type 255":"":MBEDTLS_SSL_SERVER_HELLO:MBEDTLS_ERR_SSL_INVALID_RECORD
+
+# Since there is a single unencrypted handshake message in the first flight
+# from the server, and the test code that recombines handshake records can only
+# handle plaintext records, we can't have TLS 1.3 tests with coalesced
+# handshake messages. Hence most coalesce-and-split test cases are 1.2-only.
+
+Recombine server flight 1: TLS 1.2, coalesce and split at 4
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_ONCE:4:"initial handshake fragment\: 4, 0..4 of":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+# The last message of the first flight from the server is ServerHelloDone,
+# which is an empty handshake message, i.e. of length 4. The library doesn't
+# support fragmentation of a handshake header, so the last place where we
+# can split the flight is 4+1 = 5 bytes before it ends, with 1 byte in the
+# previous handshake message and 4 bytes of ServerHelloDone including header.
+Recombine server flight 1: TLS 1.2, coalesce and split at end-5
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_ONCE:-5:"subsequent handshake fragment\: 5,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0
+
+Recombine server flight 1: TLS 1.2, coalesce and split at both ends
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+recombine_server_first_flight:MBEDTLS_SSL_VERSION_TLS1_2:RECOMBINE_COALESCE_SPLIT_BOTH_ENDS:5:"subsequent handshake fragment\: 5,":"<= handshake wrapup":MBEDTLS_SSL_HANDSHAKE_OVER:0