From 129aeb9b0e985e77f628714fb1291cafbd1e7ccb Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Thu, 2 Jun 2022 09:29:18 +0000 Subject: [PATCH] Update test cases and support sni ca override Change-Id: I6052acde0b0ec1c25537f8dd81a35562da05a393 Signed-off-by: XiaokangQian --- library/ssl_tls.c | 12 ++---------- library/ssl_tls13_server.c | 13 +++++++++++++ tests/ssl-opt.sh | 36 +++--------------------------------- 3 files changed, 18 insertions(+), 43 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f1f6e84eb..6c2ba7263 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8240,13 +8240,6 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl, size_t server_name_list_len, hostname_len; const unsigned char *server_name_list_end; - if( ssl->conf->p_sni == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "No SNI callback configured. Skip SNI parsing." ) ); - return( 0 ); - } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); @@ -8273,9 +8266,8 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); - mbedtls_ssl_send_alert_message( - ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME, + MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME ); return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME ); } return( 0 ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 7508685fa..e130fa53a 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -688,6 +688,19 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } + /* + * Server certification selection (after processing TLS extensions) + */ + if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret ); + return( ret ); + } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + ssl->handshake->sni_name = NULL; + ssl->handshake->sni_name_len = 0; +#endif + /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present * - The content up to but excluding the PSK extension, if present. diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6eb2f250b..d3996c422 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11409,18 +11409,8 @@ run_test "TLS 1.3: Server side check - openssl with sni" \ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \ 0 \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ -s "parse ServerName extension" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "HTTP/1.0 200 OK" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -11433,18 +11423,8 @@ run_test "TLS 1.3: Server side check - gnutls with sni" \ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \ 0 \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ -s "parse ServerName extension" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE @@ -11457,18 +11437,8 @@ run_test "TLS 1.3: Server side check - mbedtls with sni" \ "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key \ force_version=tls13" \ 0 \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ - -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ - -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ -s "parse ServerName extension" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "HTTP/1.0 200 OK" for i in opt-testcases/*.sh do