Merge pull request #5469 from Unity-Technologies/windows-arm64-workaround
Don't inline mbedtls_mpi_safe_cond_assign on MSVC/ARM64 to avoid a compiler bug
diff --git a/ChangeLog.d/tls13_f_export_keys.txt b/ChangeLog.d/tls13_f_export_keys.txt
new file mode 100644
index 0000000..31debc2
--- /dev/null
+++ b/ChangeLog.d/tls13_f_export_keys.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fixed swap of client and server random bytes when exporting them alongside
+ TLS 1.3 handshake and application traffic secret.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f9bbf0c..350ee2c 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -505,6 +505,7 @@
#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15
#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16
#define MBEDTLS_SSL_HS_FINISHED 20
+#define MBEDTLS_SSL_HS_MESSAGE_HASH 254
/*
* TLS extensions
@@ -643,6 +644,7 @@
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
+ MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 788fafd..ad358b3 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -591,6 +591,11 @@
int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_CLI_C)
+ /*!< Number of Hello Retry Request messages received from the server. */
+ int hello_retry_request_count;
+#endif /* MBEDTLS_SSL_CLI_C */
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
@@ -687,15 +692,19 @@
} buffering;
+#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
+ * for dtls / tls 1.3
+ * Srv: unused */
+ unsigned char verify_cookie_len; /*!< Cli: cookie length for
+ * dtls / tls 1.3
+ * Srv: flag for sending a cookie */
+#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
- unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
- Srv: unused */
- unsigned char verify_cookie_len; /*!< Cli: cookie length
- Srv: flag for sending a cookie */
-
uint32_t retransmit_timeout; /*!< Current value of timeout */
mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
@@ -1442,6 +1451,8 @@
void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
+void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
+ int partial );
/*
* Send pending alert
@@ -1721,6 +1732,8 @@
unsigned char const *msg,
size_t msg_len );
+int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@@ -1828,15 +1841,18 @@
const mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
return( ssl->handshake->sig_algs );
#endif
return( ssl->conf->sig_algs );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
((void) ssl);
return( NULL );
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5e8b60b..f261a6a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3400,8 +3400,8 @@
* If partial is non-zero, keep data in the input buffer and client ID.
* (Use when a DTLS client reconnects from the same port.)
*/
-static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
- int partial )
+void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
+ int partial )
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
@@ -3453,12 +3453,32 @@
mbedtls_ssl_dtls_replay_reset( ssl );
#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->transform )
{
mbedtls_ssl_transform_free( ssl->transform );
mbedtls_free( ssl->transform );
ssl->transform = NULL;
}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_transform_free( ssl->transform_application );
+ mbedtls_free( ssl->transform_application );
+ ssl->transform_application = NULL;
+
+ if( ssl->handshake != NULL )
+ {
+ mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata );
+ mbedtls_free( ssl->handshake->transform_earlydata );
+ ssl->handshake->transform_earlydata = NULL;
+
+ mbedtls_ssl_transform_free( ssl->handshake->transform_handshake );
+ mbedtls_free( ssl->handshake->transform_handshake );
+ ssl->handshake->transform_handshake = NULL;
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
@@ -3467,7 +3487,7 @@
ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
- ssl_session_reset_msg_layer( ssl, partial );
+ mbedtls_ssl_session_reset_msg_layer( ssl, partial );
/* Reset renegotiation state */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -5669,11 +5689,14 @@
mbedtls_pk_free( &handshake->peer_pubkey );
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_free( handshake->verify_cookie );
+#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_flight_free( handshake->flight );
mbedtls_ssl_buffering_free( ssl );
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_ECDH_C) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -7384,6 +7407,7 @@
}
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
+
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index d046495..ca91d67 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -115,6 +115,28 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
+{
+ uint16_t group_id = ssl->handshake->offered_group_id;
+ if( group_id == 0 )
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+#if defined(MBEDTLS_ECDH_C)
+ if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
+ {
+ mbedtls_ecdh_free( &ssl->handshake->ecdh_ctx );
+ return( 0 );
+ }
+ else
+#endif /* MBEDTLS_ECDH_C */
+ if( 0 /* other KEMs? */ )
+ {
+ /* Do something */
+ }
+
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
/*
* Functions for writing key_share extension.
*/
@@ -372,6 +394,76 @@
#endif /* MBEDTLS_ECDH_C */
/*
+ * ssl_tls13_parse_hrr_key_share_ext()
+ * Parse key_share extension in Hello Retry Request
+ *
+ * struct {
+ * NamedGroup selected_group;
+ * } KeyShareHelloRetryRequest;
+ */
+static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ const mbedtls_ecp_curve_info *curve_info = NULL;
+ const unsigned char *p = buf;
+ int selected_group;
+ int found = 0;
+
+ const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
+ if( group_list == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
+
+ /* Read selected_group */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
+
+ /* Upon receipt of this extension in a HelloRetryRequest, the client
+ * MUST first verify that the selected_group field corresponds to a
+ * group which was provided in the "supported_groups" extension in the
+ * original ClientHello.
+ * The supported_group was based on the info in ssl->conf->group_list.
+ *
+ * If the server provided a key share that was not sent in the ClientHello
+ * then the client MUST abort the handshake with an "illegal_parameter" alert.
+ */
+ for( ; *group_list != 0; group_list++ )
+ {
+ curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
+ if( curve_info == NULL || curve_info->tls_id != selected_group )
+ continue;
+
+ /* We found a match */
+ found = 1;
+ break;
+ }
+
+ /* Client MUST verify that the selected_group field does not
+ * correspond to a group which was provided in the "key_share"
+ * extension in the original ClientHello. If the server sent an
+ * HRR message with a key share already provided in the
+ * ClientHello then the client MUST abort the handshake with
+ * an "illegal_parameter" alert.
+ */
+ if( found == 0 || selected_group == ssl->handshake->offered_group_id )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+ /* Remember server's preference for next ClientHello */
+ ssl->handshake->offered_group_id = selected_group;
+
+ return( 0 );
+}
+
+/*
* ssl_tls13_parse_key_share_ext()
* Parse key_share extension in Server Hello
*
@@ -434,6 +526,55 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+/*
+ * ssl_tls13_parse_cookie_ext()
+ * Parse cookie extension in Hello Retry Request
+ *
+ * struct {
+ * opaque cookie<1..2^16-1>;
+ * } Cookie;
+ *
+ * When sending a HelloRetryRequest, the server MAY provide a "cookie"
+ * extension to the client (this is an exception to the usual rule that
+ * the only extensions that may be sent are those that appear in the
+ * ClientHello). When sending the new ClientHello, the client MUST copy
+ * the contents of the extension received in the HelloRetryRequest into
+ * a "cookie" extension in the new ClientHello. Clients MUST NOT use
+ * cookies in their initial ClientHello in subsequent connections.
+ */
+static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ size_t cookie_len;
+ const unsigned char *p = buf;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Retrieve length field of cookie */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
+ MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
+
+ mbedtls_free( handshake->verify_cookie );
+ handshake->verify_cookie_len = 0;
+ handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
+ if( handshake->verify_cookie == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )",
+ cookie_len ) );
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ }
+
+ memcpy( handshake->verify_cookie, p, cookie_len );
+ handshake->verify_cookie_len = (unsigned char) cookie_len;
+
+ return( 0 );
+}
+
/* Write cipher_suites
* CipherSuite cipher_suites<2..2^16-2>;
*/
@@ -747,7 +888,8 @@
/* Returns a negative value on failure, and otherwise
* - SSL_SERVER_HELLO_COORDINATE_HELLO or
* - SSL_SERVER_HELLO_COORDINATE_HRR
- * to indicate which message is expected and to be parsed next. */
+ * to indicate which message is expected and to be parsed next.
+ */
#define SSL_SERVER_HELLO_COORDINATE_HELLO 0
#define SSL_SERVER_HELLO_COORDINATE_HRR 1
static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
@@ -796,20 +938,9 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) );
-
- if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) ||
- ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) );
-
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
- MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
- }
-
- *buf = ssl->in_msg + 4;
- *buf_len = ssl->in_hslen - 4;
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_SERVER_HELLO,
+ buf, buf_len ) );
ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len );
switch( ret )
@@ -819,6 +950,36 @@
break;
case SSL_SERVER_HELLO_COORDINATE_HRR:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
+ /* If a client receives a second
+ * HelloRetryRequest in the same connection (i.e., where the ClientHello
+ * was itself in response to a HelloRetryRequest), it MUST abort the
+ * handshake with an "unexpected_message" alert.
+ */
+ if( ssl->handshake->hello_retry_request_count > 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+ /*
+ * Clients must abort the handshake with an "illegal_parameter"
+ * alert if the HelloRetryRequest would not result in any change
+ * in the ClientHello.
+ * In a PSK only key exchange that what we expect.
+ */
+ if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "Unexpected HRR in pure PSK key exchange." ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+ ssl->handshake->hello_retry_request_count++;
+
break;
}
@@ -892,14 +1053,18 @@
*/
static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
const unsigned char *buf,
- const unsigned char *end )
+ const unsigned char *end,
+ int is_hrr )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
size_t extensions_len;
const unsigned char *extensions_end;
uint16_t cipher_suite;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ int supported_versions_ext_found = 0;
+ int fatal_alert = 0;
/*
* Check there is space for minimal fields
@@ -927,7 +1092,8 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
- return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
+ ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ goto cleanup;
}
p += 2;
@@ -937,10 +1103,13 @@
* with Random defined as:
* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
*/
- memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
- MBEDTLS_SERVER_HELLO_RANDOM_LEN );
- MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
- p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
+ if( !is_hrr )
+ {
+ memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN );
+ MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
+ p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
+ }
p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
/* ...
@@ -949,9 +1118,8 @@
*/
if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
{
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ goto cleanup;
}
/* ...
@@ -965,28 +1133,40 @@
p += 2;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
/*
* Check whether this ciphersuite is supported and offered.
* Via the force_ciphersuite version we may have instructed the client
* to use a different ciphersuite.
*/
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
if( ciphersuite_info == NULL ||
ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered",
- cipher_suite ) );
-
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ }
+ /*
+ * If we received an HRR before and that the proposed selected
+ * ciphersuite in this server hello is not the same as the one
+ * proposed in the HRR, we abort the handshake and send an
+ * "illegal_parameter" alert.
+ */
+ else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
+ ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
+ {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
}
+ if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
+ cipher_suite ) );
+ goto cleanup;
+ }
/* Configure ciphersuites */
mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
- ssl->handshake->ciphersuite_info = ciphersuite_info;
+ handshake->ciphersuite_info = ciphersuite_info;
ssl->session_negotiate->ciphersuite = cipher_suite;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
@@ -1004,9 +1184,8 @@
if( p[0] != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ goto cleanup;
}
p++;
@@ -1032,6 +1211,7 @@
{
unsigned int extension_type;
size_t extension_data_len;
+ const unsigned char *extension_data_end;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -1039,39 +1219,69 @@
p += 4;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
+ extension_data_end = p + extension_data_len;
switch( extension_type )
{
+ case MBEDTLS_TLS_EXT_COOKIE:
+
+ if( !is_hrr )
+ {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
+ }
+
+ ret = ssl_tls13_parse_cookie_ext( ssl,
+ p, extension_data_end );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1,
+ "ssl_tls13_parse_cookie_ext",
+ ret );
+ goto cleanup;
+ }
+ break;
+
case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+ supported_versions_ext_found = 1;
MBEDTLS_SSL_DEBUG_MSG( 3,
( "found supported_versions extension" ) );
ret = ssl_tls13_parse_supported_versions_ext( ssl,
p,
- p + extension_data_len );
+ extension_data_end );
if( ret != 0 )
- return( ret );
+ goto cleanup;
break;
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
- MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
- return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
- if( ( ret = ssl_tls13_parse_key_share_ext( ssl,
- p, p + extension_data_len ) ) != 0 )
+ if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
+ {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
+ }
+
+ if( is_hrr )
+ ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
+ p, extension_data_end );
+ else
+ ret = ssl_tls13_parse_key_share_ext( ssl,
+ p, extension_data_end );
+ if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"ssl_tls13_parse_key_share_ext",
ret );
- return( ret );
+ goto cleanup;
}
break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@@ -1082,19 +1292,38 @@
( "unknown extension found: %u ( ignoring )",
extension_type ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
- MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
- return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
}
p += extension_data_len;
}
- return( 0 );
+ if( !supported_versions_ext_found )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) );
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ goto cleanup;
+ }
+
+cleanup:
+
+ if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
+ MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+ ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+ else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ return( ret );
}
-static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl )
+static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_key_set traffic_keys;
@@ -1208,6 +1437,40 @@
return( ret );
}
+static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* If not offering early data, the client sends a dummy CCS record
+ * immediately before its second flight. This may either be before
+ * its second ClientHello or before its encrypted handshake flight.
+ */
+ mbedtls_ssl_handshake_set_state( ssl,
+ MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
+#else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
+
+ /*
+ * We are going to re-generate a shared secret corresponding to the group
+ * selected by the server, which is different from the group for which we
+ * generated a shared secret in the first client hello.
+ * Thus, reset the shared secret.
+ */
+ ret = ssl_tls13_reset_key_share( ssl );
+ if( ret != 0 )
+ return( ret );
+#else
+ ((void) ssl);
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+ return( 0 );
+}
+
/*
* Wait and parse ServerHello handshake message.
* Handler for MBEDTLS_SSL_SERVER_HELLO
@@ -1215,8 +1478,9 @@
static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *buf;
- size_t buf_len;
+ unsigned char *buf = NULL;
+ size_t buf_len = 0;
+ int is_hrr = 0;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
@@ -1229,31 +1493,29 @@
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
- /* Parsing step
- * We know what message to expect by now and call
- * the respective parsing function.
- */
- if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO )
- {
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
- buf + buf_len ) );
+ if( ret < 0 )
+ goto cleanup;
+ else
+ is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR );
- mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
- MBEDTLS_SSL_HS_SERVER_HELLO,
- buf, buf_len );
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
+ buf + buf_len,
+ is_hrr ) );
+ if( is_hrr )
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) );
- }
- else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "HRR not supported" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ,
- MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
+ mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
+ MBEDTLS_SSL_HS_SERVER_HELLO,
+ buf, buf_len );
+
+ if( is_hrr )
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
+ else
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
cleanup:
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
+ is_hrr?"HelloRetryRequest":"ServerHello" ) );
return( ret );
}
@@ -1492,8 +1754,6 @@
if( ret != 0 )
return( ret );
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
-
return( 0 );
}
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
@@ -1604,6 +1864,7 @@
*/
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
ret = ssl_tls13_write_change_cipher_spec( ssl );
break;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a87af94..9aa2148 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1058,6 +1058,32 @@
*/
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl )
+{
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ {
+ switch( ssl->state )
+ {
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+ break;
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ break;
+ default:
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ }
+#else
+ ((void) ssl);
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ return( 0 );
+}
+
static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1088,6 +1114,9 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+ /* Update state */
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_change_cipher_spec( ssl ) );
+
/* Dispatch message */
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
@@ -1099,6 +1128,80 @@
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+/* Reset SSL context and update hash for handling HRR.
+ *
+ * Replace Transcript-Hash(X) by
+ * Transcript-Hash( message_hash ||
+ * 00 00 Hash.length ||
+ * X )
+ * A few states of the handshake are preserved, including:
+ * - session ID
+ * - session ticket
+ * - negotiated ciphersuite
+ */
+int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
+ size_t hash_len;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
+
+ ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
+ hash_transcript + 4,
+ MBEDTLS_MD_MAX_SIZE,
+ &hash_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
+ return( ret );
+ }
+
+ hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
+ hash_transcript[1] = 0;
+ hash_transcript[2] = 0;
+ hash_transcript[3] = (unsigned char) hash_len;
+
+ hash_len += 4;
+
+ if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
+ {
+#if defined(MBEDTLS_SHA256_C)
+ MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
+ hash_transcript, hash_len );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort( &ssl->handshake->fin_sha256_psa );
+ psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
+#else
+ mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
+#endif
+#endif /* MBEDTLS_SHA256_C */
+ }
+ else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+ {
+#if defined(MBEDTLS_SHA384_C)
+ MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
+ hash_transcript, hash_len );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort( &ssl->handshake->fin_sha384_psa );
+ psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
+#else
+ mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SHA384_C */
+ }
+
+#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
+ ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
+#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
+ return( ret );
+}
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 99eb8a4..eb84be5 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -1010,16 +1010,16 @@
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->client_handshake_traffic_secret,
md_size,
- handshake->randbytes + 32,
handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
ssl->f_export_keys( ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->server_handshake_traffic_secret,
md_size,
- handshake->randbytes + 32,
handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
}
@@ -1215,16 +1215,16 @@
ssl->f_export_keys( ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
app_secrets->client_application_traffic_secret_N, md_size,
- handshake->randbytes + 32,
handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */ );
ssl->f_export_keys( ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
app_secrets->server_application_traffic_secret_N, md_size,
- handshake->randbytes + 32,
handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */ );
}
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7a1436f..295b82e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9214,13 +9214,29 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
requires_openssl_tls1_3
-run_test "TLS 1.3: HelloRetryRequest check - openssl" \
+run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \
+ "$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI debug_level=4 force_version=tls13" \
+ 0 \
+ -c "received HelloRetryRequest message" \
+ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
+ -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -c "HTTP/1.0 200 ok"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+requires_openssl_tls1_3
+run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \
"$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
"$P_CLI debug_level=4 force_version=tls13" \
- 1 \
+ 0 \
-c "received HelloRetryRequest message" \
- -c "HRR not supported" \
- -c "Last error was: -0x6E00 - SSL - The handshake negotiation failed"
+ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
+ -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -c "HTTP/1.0 200 ok"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
@@ -9229,14 +9245,30 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
-run_test "TLS 1.3: HelloRetryRequest check - gnutls" \
- "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \
+run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \
+ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
"$P_CLI debug_level=4 force_version=tls13" \
- 1 \
+ 0 \
-c "received HelloRetryRequest message" \
- -c "HRR not supported" \
- -c "Last error was: -0x6E00 - SSL - The handshake negotiation failed" \
- -s "HELLO RETRY REQUEST was queued"
+ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
+ -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -c "HTTP/1.0 200 OK"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
+ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
+ "$P_CLI debug_level=4 force_version=tls13" \
+ 0 \
+ -c "received HelloRetryRequest message" \
+ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
+ -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -c "HTTP/1.0 200 OK"
for i in $(ls opt-testcases/*.sh)
do