diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1cd5589cd1..5adc128c96 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -104,6 +104,8 @@ set(src_tls ssl_ticket.c ssl_tls.c ssl_tls13_keys.c + ssl_tls13_server.c + ssl_tls13_client.c ) if(CMAKE_COMPILER_IS_GNUCC) diff --git a/library/Makefile b/library/Makefile index 0ee6e4f36f..8c58fb8501 100644 --- a/library/Makefile +++ b/library/Makefile @@ -167,6 +167,8 @@ OBJS_TLS= \ ssl_ticket.o \ ssl_tls.o \ ssl_tls13_keys.o \ + ssl_tls13_client.o \ + ssl_tls13_server.o \ # This line is intentionally left blank .SILENT: diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cc19f4723b..c8e2f4c884 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -881,6 +881,10 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ); +#endif int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); @@ -1259,4 +1263,50 @@ void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ); void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +/** + * ssl utils functions for checking configuration. + */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bb5ddc470e..923c671a7b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3142,6 +3142,53 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); } +static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } +#endif + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) ); + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); +} + +static int ssl_conf_check(const mbedtls_ssl_context *ssl) +{ + int ret; + ret = ssl_conf_version_check( ssl ); + if( ret != 0 ) + return( ret ); + + /* Space for further checks */ + + return( 0 ); +} + /* * Setup an SSL context */ @@ -3155,6 +3202,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, ssl->conf = conf; + if( ( ret = ssl_conf_check( ssl ) ) != 0 ) + return( ret ); + /* * Prepare base structures */ @@ -5085,11 +5135,31 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - ret = mbedtls_ssl_handshake_client_step( ssl ); + { +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_client_step_tls1_3( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_client_step( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + } #endif #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - ret = mbedtls_ssl_handshake_server_step( ssl ); + { +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_server_step_tls1_3( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_server_step( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + } #endif return( ret ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c new file mode 100644 index 0000000000..368b5572db --- /dev/null +++ b/library/ssl_tls13_client.c @@ -0,0 +1,38 @@ +/* + * TLS 1.3 client-side functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS ( https://tls.mbed.org ) + */ + +#include "common.h" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +#if defined(MBEDTLS_SSL_CLI_C) + +#include "ssl_misc.h" + +int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} + +#endif /* MBEDTLS_SSL_CLI_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c new file mode 100644 index 0000000000..a56727741b --- /dev/null +++ b/library/ssl_tls13_server.c @@ -0,0 +1,36 @@ +/* + * TLS 1.3 server-side functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +#include "common.h" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +#if defined(MBEDTLS_SSL_SRV_C) + +#include "ssl_misc.h" + +int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} + +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 25fe21bd9d..86c314c35d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -395,13 +395,20 @@ int main( void ) USAGE_CURVES \ USAGE_DHMLEN \ "\n" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define TLS1_3_VERSION_OPTIONS ", tls1_3" +#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define TLS1_3_VERSION_OPTIONS "" +#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #define USAGE4 \ " allow_sha1=%%d default: 0\n" \ " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2\n" \ - "\n" \ + " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ + "\n\n" \ " force_ciphersuite= default: all enabled\n"\ " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ @@ -1070,6 +1077,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1078,6 +1089,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1103,6 +1118,13 @@ int main( int argc, char *argv[] ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + { + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1570,41 +1592,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ /* - * 2. Start the connection - */ - if( opt.server_addr == NULL) - opt.server_addr = opt.server_name; - - mbedtls_printf( " . Connecting to %s/%s/%s...", - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", - opt.server_addr, opt.server_port ); - fflush( stdout ); - - if( ( ret = mbedtls_net_connect( &server_fd, - opt.server_addr, opt.server_port, - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? - MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n", - (unsigned int) -ret ); - goto exit; - } - - if( opt.nbio > 0 ) - ret = mbedtls_net_set_nonblock( &server_fd ); - else - ret = mbedtls_net_set_block( &server_fd ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", - (unsigned int) -ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - - /* - * 3. Setup stuff + * 2. Setup stuff */ mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); @@ -1956,6 +1944,40 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); + /* + * 3. Start the connection + */ + if( opt.server_addr == NULL) + opt.server_addr = opt.server_name; + + mbedtls_printf( " . Connecting to %s/%s/%s...", + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", + opt.server_addr, opt.server_port ); + fflush( stdout ); + + if( ( ret = mbedtls_net_connect( &server_fd, + opt.server_addr, opt.server_port, + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? + MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n", + (unsigned int) -ret ); + goto exit; + } + + if( opt.nbio > 0 ) + ret = mbedtls_net_set_nonblock( &server_fd ); + else + ret = mbedtls_net_set_block( &server_fd ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", + (unsigned int) -ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + /* * 4. Handshake */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d2aa48a059..83bd617c68 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -485,6 +485,13 @@ int main( void ) USAGE_ETM \ USAGE_CURVES \ "\n" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define TLS1_3_VERSION_OPTIONS ", tls1_3" +#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define TLS1_3_VERSION_OPTIONS "" +#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #define USAGE4 \ USAGE_SSL_ASYNC \ USAGE_SNI \ @@ -492,8 +499,8 @@ int main( void ) " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2\n" \ - "\n" \ + " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ + "\n\n" \ " force_ciphersuite= default: all enabled\n" \ " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ @@ -1712,6 +1719,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1720,6 +1731,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1745,6 +1760,13 @@ int main( int argc, char *argv[] ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + { + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -2376,26 +2398,7 @@ int main( int argc, char *argv[] ) #endif /* SNI_OPTION */ /* - * 2. Setup the listening TCP socket - */ - mbedtls_printf( " . Bind on %s://%s:%s/ ...", - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", - opt.server_addr ? opt.server_addr : "*", - opt.server_port ); - fflush( stdout ); - - if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port, - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? - MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - - /* - * 3. Setup stuff + * 2. Setup stuff */ mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); @@ -2889,6 +2892,24 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); + /* + * 3. Setup the listening TCP socket + */ + mbedtls_printf( " . Bind on %s://%s:%s/ ...", + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", + opt.server_addr ? opt.server_addr : "*", + opt.server_port ); + fflush( stdout ); + + if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port, + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? + MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + mbedtls_printf( " ok\n" ); + reset: #if !defined(_WIN32) if( received_sigterm ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ba5a217790..01265ae9b3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -693,6 +693,11 @@ find_in_both() { fi } +SKIP_HANDSHAKE_CHECK="NO" +skip_handshake_stage_check() { + SKIP_HANDSHAKE_CHECK="YES" +} + # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] # Options: -s pattern pattern that must be present in server output # -c pattern pattern that must be present in client output @@ -855,21 +860,25 @@ run_test() { # (useful to avoid tests with only negative assertions and non-zero # expected client exit to incorrectly succeed in case of catastrophic # failure) - if is_polar "$SRV_CMD"; then - if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" - return + if [ "X$SKIP_HANDSHAKE_CHECK" != "XYES" ] + then + if is_polar "$SRV_CMD"; then + if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :; + else + fail "server or client failed to reach handshake stage" + return + fi fi - fi - if is_polar "$CLI_CMD"; then - if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" - return + if is_polar "$CLI_CMD"; then + if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :; + else + fail "server or client failed to reach handshake stage" + return + fi fi fi + SKIP_HANDSHAKE_CHECK="NO" # Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't # exit with status 0 when interrupted by a signal, and we don't really # care anyway), in case e.g. the server reports a memory leak. @@ -8478,6 +8487,29 @@ run_test "export keys functionality" \ -c "EAP-TLS IV is:" \ -s "EAP-TLS IV is:" +# TLS1.3 test cases +# TODO: remove or rewrite this test case if #4832 is resolved. +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +skip_handshake_stage_check +run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \ + "$P_SRV debug_level=1 min_version=tls1_2 max_version=tls1_3" \ + "$P_CLI debug_level=1 min_version=tls1_2 max_version=tls1_3" \ + 1 \ + -s "SSL - The requested feature is not available" \ + -c "SSL - The requested feature is not available" \ + -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \ + -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +run_test "TLS1.3: handshake dispatch test: tls1_3 only" \ + "$P_SRV min_version=tls1_3 max_version=tls1_3" \ + "$P_CLI min_version=tls1_3 max_version=tls1_3" \ + 1 \ + -s "SSL - The requested feature is not available" \ + -c "SSL - The requested feature is not available" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 197a7ef313..c51be4d0b1 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -60,10 +60,16 @@ void debug_print_msg_threshold( int threshold, int level, char * file, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); + + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_threshold( threshold ); - mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_msg( &ssl, level, file, line, "Text message, 2 == %d", 2 ); @@ -89,10 +95,15 @@ void mbedtls_debug_print_ret( char * file, int line, char * text, int value, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_debug_print_ret( &ssl, 0, file, line, text, value); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); @@ -116,11 +127,15 @@ void mbedtls_debug_print_buf( char * file, int line, char * text, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_debug_print_buf( &ssl, 0, file, line, text, data->x, data->len ); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); @@ -146,10 +161,15 @@ void mbedtls_debug_print_crt( char * crt_file, char * file, int line, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt); @@ -177,12 +197,17 @@ void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); + + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); TEST_ASSERT( mbedtls_test_read_mpi( &val, radix, value ) == 0 ); - mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); - mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );