diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 4a19e30c7aed..68149c9db1a6 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3285,3 +3285,6 @@ tls13_cli_early_data_status:"not sent"
 
 TLS 1.3 cli, early data status, server rejects early data
 tls13_cli_early_data_status:"server rejects"
+
+TLS 1.3 cli, early data status, hello retry request
+tls13_cli_early_data_status:"hrr"
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 33f3fda4691e..754a9d881c9e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3740,6 +3740,11 @@ void tls13_cli_early_data_status(char *scenario_string)
     mbedtls_test_handshake_test_options client_options;
     mbedtls_test_handshake_test_options server_options;
     mbedtls_ssl_session saved_session;
+    uint16_t group_list[3] = {
+        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+    };
 
     mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
     mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
@@ -3759,6 +3764,8 @@ void tls13_cli_early_data_status(char *scenario_string)
         scenario = 1;
     } else if (strcmp(scenario_string, "server rejects") == 0) {
         scenario = 2;
+    } else if (strcmp(scenario_string, "hrr") == 0) {
+        scenario = 3;
     } else {
         TEST_FAIL("Unknown scenario.");
     }
@@ -3770,6 +3777,10 @@ void tls13_cli_early_data_status(char *scenario_string)
     client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
     server_options.pk_alg = MBEDTLS_PK_ECDSA;
     server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+    if (scenario == 3) {
+        client_options.group_list = group_list;
+        server_options.group_list = group_list;
+    }
 
     ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
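Review bot: The new "hrr" entry exercises a second curve (SECP384R1) that none of the neighbouring scenarios need, yet the hunk adds no `depends_on:` line for it; whether one is needed depends on what the function's BEGIN_CASE block already declares, which is outside this diff. In a build without P-384 support the server restriction to `group_list + 1` in the later hunk would presumably leave the server with no usable group, and the case would fail rather than be skipped. If the BEGIN_CASE dependencies do not already cover it, a line such as `depends_on:PSA_WANT_ECC_SECP_R1_384` (or whichever symbol this suite uses for that curve) between the title and the test line would make the requirement explicit.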
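Review bot: The declaration `uint16_t group_list[3] = {` in the @@ -3740 hunk repeats a size the initializer already fixes, and nothing at the declaration says that the element order is load-bearing, even though the @@ -3785 hunk later hands the server `group_list + 1` to cut the list down to SECP384R1 plus the terminator. Dropping the explicit size, `uint16_t group_list[] = {`, removes the duplication, and a comment on the declaration would spare the reader the forward reference: `/* Order matters: the server is later restricted to the tail (group_list + 1) so that its preferred group differs from the client's first key share and a HelloRetryRequest is forced. */`. The @@ -3770 hunk gives both peers the full list for the ticket-obtaining handshake; a short comment there stating that this first handshake is meant to complete without an HRR would explain why the restriction is deferred to the second handshake.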
@@ -3785,6 +3796,9 @@ void tls13_cli_early_data_status(char *scenario_string)
         case 2:
             server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
             break;
+        case 3:
+            server_options.group_list = group_list + 1;
+            break;
     }
 
     ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
@@ -3838,6 +3852,15 @@ void tls13_cli_early_data_status(char *scenario_string)
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN);
                         break;
+                    case 3:
+                        if (client_ep.ssl.handshake->hello_retry_request_count == 0) {
+                            TEST_EQUAL(client_ep.ssl.early_data_status,
+                                       MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN);
+                        } else {
+                            TEST_EQUAL(client_ep.ssl.early_data_status,
+                                       MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
+                        }
+                        break;
                 }
                 break;
 
@@ -3853,6 +3876,15 @@ void tls13_cli_early_data_status(char *scenario_string)
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
+                    case 3:
+                        if (client_ep.ssl.handshake->hello_retry_request_count == 0) {
+                            TEST_EQUAL(client_ep.ssl.early_data_status,
+                                       MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE);
+                        } else {
+                            TEST_EQUAL(client_ep.ssl.early_data_status,
+                                       MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
+                        }
+                        break;
                 }
                 break;
 
@@ -3868,6 +3900,10 @@ void tls13_cli_early_data_status(char *scenario_string)
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
+                    case 3:
+                        TEST_EQUAL(client_ep.ssl.early_data_status,
+                                   MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
+                        break;
                 }
                 break;
 
@@ -3883,7 +3919,8 @@ void tls13_cli_early_data_status(char *scenario_string)
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
 
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
                         break;
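Review bot: The `else` branch of the `if (client_ep.ssl.handshake->hello_retry_request_count == 0)` check in the new `case 3:` of the @@ -3838 hunk accepts any non-zero count, so it would not notice a client that processed more than one HelloRetryRequest before coming back to this state; the @@ -3853 hunk has the same shape. If the client is expected to abort on a second HRR, as TLS 1.3 requires, pinning that in the else branch with `TEST_EQUAL(client_ep.ssl.handshake->hello_retry_request_count, 1);` makes the expectation explicit rather than implied. The `handshake` pointer is dereferenced without a check; presumably it is always non-NULL while the state machine is in a ClientHello state, but that is not visible here. A comment on the `if` would also help a reader who does not know the HRR flow: `/* First ClientHello: status not yet known. Second ClientHello, after HRR: early data is already known to be rejected. */`. The enclosing switch statements begin and end outside these hunks.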
@@ -3908,7 +3945,8 @@ void tls13_cli_early_data_status(char *scenario_string)
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
 
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
                         break;
@@ -3927,7 +3965,8 @@ void tls13_cli_early_data_status(char *scenario_string)
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
 
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
                         break;
@@ -3939,13 +3978,20 @@ void tls13_cli_early_data_status(char *scenario_string)
                 TEST_ASSERT(scenario != 1);
                 switch (scenario) {
                     case 0: /* Intentional fallthrough */
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_SENT);
                         break;
                 }
                 break;
 
+            case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+                TEST_ASSERT(scenario == 3);
+                TEST_EQUAL(client_ep.ssl.early_data_status,
+                           MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
+                break;
+
             case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
                 TEST_ASSERT(scenario != 0);
                 switch (scenario) {
@@ -3954,7 +4000,8 @@ void tls13_cli_early_data_status(char *scenario_string)
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
 
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
                         break;
@@ -3976,7 +4023,8 @@ void tls13_cli_early_data_status(char *scenario_string)
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
                         break;
 
-                    case 2:
+                    case 2: /* Intentional fallthrough */
+                    case 3:
                         TEST_EQUAL(client_ep.ssl.early_data_status,
                                    MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
                         break;
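Review bot: The new `case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:` in the @@ -3939 hunk asserts `scenario == 3` and a REJECTED status without saying why no other outcome is possible, which a reader unfamiliar with the HRR flow cannot reconstruct from the hunk. A one-line comment above the `TEST_ASSERT` would make it self-explanatory: `/* Only reached after a HelloRetryRequest: the server did not accept the first ClientHello, and TLS 1.3 does not allow early data to be accepted after an HRR, so the status is already REJECTED. */`. The switch over `client_ep.ssl.state` that this case belongs to begins and ends outside the hunk, so whether it has a `default` that would catch any further state the HRR flow passes through cannot be checked here.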