Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6144c2f..458fe8f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2253,6 +2253,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
+ scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_FS_IO
@@ -2904,6 +2905,18 @@
if_build_succeeded tests/ssl-opt.sh
}
+component_test_tls13_only_with_hooks () {
+ msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 and MBEDTLS_TEST_HOOKS, without MBEDTLS_SSL_PROTO_TLS1_2"
+ scripts/config.py set MBEDTLS_TEST_HOOKS
+ make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
+
+ msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without MBEDTLS_SSL_PROTO_TLS1_2"
+ if_build_succeeded make test
+
+ msg "ssl-opt.sh (TLS 1.3)"
+ if_build_succeeded tests/ssl-opt.sh
+}
+
component_test_tls13 () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6df879c..80b7806 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -6211,7 +6211,6 @@
0 \
-c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
-
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
"$P_SRV key_file=data_files/server2.key \
@@ -6346,6 +6345,78 @@
-c "Ciphersuite is TLS-" \
-c "! Usage does not match the keyUsage extension"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ds_ke.crt" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ka.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ke.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
@@ -6355,6 +6426,7 @@
"$O_CLI -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
0 \
+ -s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6382,6 +6454,7 @@
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.ku-ds.crt" \
0 \
+ -s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6394,6 +6467,52 @@
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
+ -cert data_files/server2.ku-ds.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -6466,6 +6585,54 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: serverAuth -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-srv.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: codeSign -> fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -6513,6 +6680,50 @@
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: clientAuth -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
# Tests for DHM parameters loading
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 02a11c8..056310a 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -67,12 +67,18 @@
Test mpi_read_write_string #9 (Empty MPI hex -> dec)
mpi_read_write_string:16:"":10:"0":4:0:0
+Test mpi_read_write_string #9 (Empty MPI hex -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
Test mpi_read_write_string #8 (Empty MPI dec -> hex)
mpi_read_write_string:10:"":16:"":4:0:0
Test mpi_read_write_string #9 (Empty MPI dec -> dec)
mpi_read_write_string:10:"":10:"0":4:0:0
+Test mpi_read_write_string #9 (Empty MPI dec -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
Test mpi_write_string #10 (Negative hex with odd number of digits)
mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
@@ -1216,9 +1222,15 @@
Test mbedtls_mpi_mod_int: 0 (null) % 1
mbedtls_mpi_mod_int:16:"":1:0:0
+Test mbedtls_mpi_mod_int: 0 (null) % 2
+mbedtls_mpi_mod_int:16:"":2:0:0
+
Test mbedtls_mpi_mod_int: 0 (null) % -1
mbedtls_mpi_mod_int:16:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+Test mbedtls_mpi_mod_int: 0 (null) % -2
+mbedtls_mpi_mod_int:16:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
Base test mbedtls_mpi_exp_mod #1
mbedtls_mpi_exp_mod:10:"23":10:"13":10:"29":10:"24":0
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index a851d5c..19a1ae6 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3429,3 +3429,24 @@
Force a bad session id length
force_bad_session_id_len
+
+Cookie parsing: nominal run
+cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d00200000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_SSL_INTERNAL_ERROR
+
+Cookie parsing: cookie_len overflow
+cookie_parsing:"16fefd000000000000000000ea010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727db97b7373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737db963":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: non-zero fragment offset
+cookie_parsing:"16fefd00000000000000000032010000de000072000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d01730143":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: sid_len overflow
+cookie_parsing:"16fefd00000000000000000032010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF730143":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: record too short
+cookie_parsing:"16fefd0000000000000000002f010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: one byte overread
+cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d0001":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+TLS 1.3 srv Certificate msg - wrong vector lengths
+tls13_server_certificate_msg_invalid_vector_len
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c65b565..a84f743 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -139,6 +139,23 @@
(void) opts;
#endif
}
+
+#if defined(MBEDTLS_TEST_HOOKS)
+static void set_chk_buf_ptr_args(
+ mbedtls_ssl_chk_buf_ptr_args *args,
+ unsigned char *cur, unsigned char *end, size_t need )
+{
+ args->cur = cur;
+ args->end = end;
+ args->need = need;
+}
+
+static void reset_chk_buf_ptr_args( mbedtls_ssl_chk_buf_ptr_args *args )
+{
+ memset( args, 0, sizeof( *args ) );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
/*
* Buffer structure for custom I/O callbacks.
*/
@@ -2383,6 +2400,119 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_TEST_HOOKS)
+/*
+ * Tweak vector lengths in a TLS 1.3 Certificate message
+ *
+ * \param[in] buf Buffer containing the Certificate message to tweak
+ * \param[in]]out] end End of the buffer to parse
+ * \param tweak Tweak identifier (from 1 to the number of tweaks).
+ * \param[out] expected_result Error code expected from the parsing function
+ * \param[out] args Arguments of the MBEDTLS_SSL_CHK_BUF_READ_PTR call that
+ * is expected to fail. All zeroes if no
+ * MBEDTLS_SSL_CHK_BUF_READ_PTR failure is expected.
+ */
+int tweak_tls13_certificate_msg_vector_len(
+ unsigned char *buf, unsigned char **end, int tweak,
+ int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args )
+{
+/*
+ * The definition of the tweaks assume that the certificate list contains only
+ * one certificate.
+ */
+
+/*
+ * struct {
+ * opaque cert_data<1..2^24-1>;
+ * Extension extensions<0..2^16-1>;
+ * } CertificateEntry;
+ *
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * } Certificate;
+ */
+ unsigned char *p_certificate_request_context_len = buf;
+ size_t certificate_request_context_len = buf[0];
+
+ unsigned char *p_certificate_list_len = buf + 1 + certificate_request_context_len;
+ unsigned char *certificate_list = p_certificate_list_len + 3;
+ size_t certificate_list_len = MBEDTLS_GET_UINT24_BE( p_certificate_list_len, 0 );
+
+ unsigned char *p_cert_data_len = certificate_list;
+ unsigned char *cert_data = p_cert_data_len + 3;
+ size_t cert_data_len = MBEDTLS_GET_UINT24_BE( p_cert_data_len, 0 );
+
+ unsigned char *p_extensions_len = cert_data + cert_data_len;
+ unsigned char *extensions = p_extensions_len + 2;
+ size_t extensions_len = MBEDTLS_GET_UINT16_BE( p_extensions_len, 0 );
+
+ *expected_result = MBEDTLS_ERR_SSL_DECODE_ERROR;
+
+ switch( tweak )
+ {
+ case 1:
+ /* Failure when checking if the certificate request context length and
+ * certificate list length can be read
+ */
+ *end = buf + 3;
+ set_chk_buf_ptr_args( args, buf, *end, 4 );
+ break;
+
+ case 2:
+ /* Invalid certificate request context length.
+ */
+ *p_certificate_request_context_len =
+ certificate_request_context_len + 1;
+ reset_chk_buf_ptr_args( args );
+ break;
+
+ case 3:
+ /* Failure when checking if certificate_list data can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len + 1,
+ p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, certificate_list, *end,
+ certificate_list_len + 1 );
+ break;
+
+ case 4:
+ /* Failure when checking if the cert_data length can be read. */
+ MBEDTLS_PUT_UINT24_BE( 2, p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_cert_data_len, certificate_list + 2, 3 );
+ break;
+
+ case 5:
+ /* Failure when checking if cert_data data can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len - 3 + 1,
+ p_cert_data_len, 0 );
+ set_chk_buf_ptr_args( args, cert_data,
+ certificate_list + certificate_list_len,
+ certificate_list_len - 3 + 1 );
+ break;
+
+ case 6:
+ /* Failure when checking if the extensions length can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len - extensions_len - 1,
+ p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_extensions_len,
+ certificate_list + certificate_list_len - extensions_len - 1, 2 );
+ break;
+
+ case 7:
+ /* Failure when checking if extensions data can be read. */
+ MBEDTLS_PUT_UINT16_BE( extensions_len + 1, p_extensions_len, 0 );
+
+ set_chk_buf_ptr_args( args, extensions,
+ certificate_list + certificate_list_len, extensions_len + 1 );
+ break;
+
+ default:
+ return( -1 );
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -5574,6 +5704,34 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */
+void cookie_parsing( data_t *cookie, int exp_ret )
+{
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ size_t len;
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ TEST_EQUAL( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ),
+ 0 );
+
+ TEST_EQUAL( mbedtls_ssl_setup( &ssl, &conf ), 0 );
+ TEST_EQUAL( mbedtls_ssl_check_dtls_clihlo_cookie( &ssl, ssl.cli_id,
+ ssl.cli_id_len,
+ cookie->x, cookie->len,
+ ssl.out_buf,
+ MBEDTLS_SSL_OUT_CONTENT_LEN,
+ &len ),
+ exp_ret );
+
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_config_free( &conf );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
void timing_final_delay_accessor( )
{
@@ -5735,3 +5893,87 @@
USE_PSA_DONE( );
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+void tls13_server_certificate_msg_invalid_vector_len( )
+{
+ int ret = -1;
+ mbedtls_endpoint client_ep, server_ep;
+ unsigned char *buf, *end;
+ size_t buf_len;
+ int step = 0;
+ int expected_result;
+ mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
+
+ /*
+ * Test set-up
+ */
+ USE_PSA_INIT( );
+
+ ret = mbedtls_endpoint_init( &client_ep, MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_PK_ECDSA, NULL, NULL, NULL, NULL );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_endpoint_init( &server_ep, MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_PK_ECDSA, NULL, NULL, NULL, NULL );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_mock_socket_connect( &(client_ep.socket),
+ &(server_ep.socket), 1024 );
+ TEST_EQUAL( ret, 0 );
+
+ while( 1 )
+ {
+ mbedtls_test_set_step( ++step );
+
+ ret = mbedtls_move_handshake_to_state( &(server_ep.ssl),
+ &(client_ep.ssl),
+ MBEDTLS_SSL_CERTIFICATE_VERIFY );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_flush_output( &(server_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_move_handshake_to_state( &(client_ep.ssl),
+ &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_CERTIFICATE );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_tls13_fetch_handshake_msg( &(client_ep.ssl),
+ MBEDTLS_SSL_HS_CERTIFICATE,
+ &buf, &buf_len );
+ TEST_EQUAL( ret, 0 );
+
+ end = buf + buf_len;
+
+ /*
+ * Tweak server Certificate message and parse it.
+ */
+
+ ret = tweak_tls13_certificate_msg_vector_len(
+ buf, &end, step, &expected_result, &expected_chk_buf_ptr_args );
+
+ if( ret != 0 )
+ break;
+
+ ret = mbedtls_ssl_tls13_parse_certificate( &(client_ep.ssl), buf, end );
+ TEST_EQUAL( ret, expected_result );
+
+ TEST_ASSERT( mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
+ &expected_chk_buf_ptr_args ) == 0 );
+
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
+
+ ret = mbedtls_ssl_session_reset( &(client_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_session_reset( &(server_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+ }
+
+exit:
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
+ mbedtls_endpoint_free( &client_ep, NULL );
+ mbedtls_endpoint_free( &server_ep, NULL );
+ USE_PSA_DONE( );
+}
+/* END_CASE */