diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2408fd1211..6eec644354 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1069,21 +1069,6 @@ int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl, int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -/** - * \brief TLS 1.3 client side state machine entry - * - * \param ssl SSL context - */ -int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ); - -/** - * \brief TLS 1.3 server side state machine entry - * - * \param ssl SSL context - */ -int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ); -#endif int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); @@ -1184,9 +1169,6 @@ static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ); int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ); -int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ); -int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ); - int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ); @@ -1487,7 +1469,72 @@ void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ); void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +/** + * ssl utils functions for checking configuration. + */ + #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ); +void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ); + +/** + * \brief TLS 1.3 client side state machine entry + * + * \param ssl SSL context + */ +int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ); + +/** + * \brief TLS 1.3 server side state machine entry + * + * \param ssl SSL context + */ +int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ); + /* * Helper functions around key exchange modes. @@ -1575,56 +1622,6 @@ static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -/** - * ssl utils functions for checking configuration. - */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) - { - return( 1 ); - } - return( 0 ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) - { - return( 1 ); - } - return( 0 ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) - { - return( 1 ); - } - return( 0 ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /* * Helper functions for NamedGroup. */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a2e5f33a0d..d848415316 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1636,7 +1636,7 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl ) */ static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); return( 0 ); } @@ -1646,9 +1646,16 @@ static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl ) */ static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl ) { - ((void) ssl); - MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) ); - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); + mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application ); + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) ); + mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application ); + + mbedtls_ssl_tls13_handshake_wrapup( ssl ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + return( 0 ); } int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f17bf994c2..12ef4d58c8 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1103,6 +1103,25 @@ cleanup: return( ret ); } +void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) +{ + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); + + /* + * Free the previous session and switch to the current one. + */ + if( ssl->session ) + { + mbedtls_ssl_session_free( ssl->session ); + mbedtls_free( ssl->session ); + } + ssl->session = ssl->session_negotiate; + ssl->session_negotiate = NULL; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 43759c59e4..1ac34dae77 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -8809,12 +8809,10 @@ run_test "TLS1.3: handshake dispatch test: tls1_3 only" \ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS1.3: Test client hello msg work - openssl" \ - "$O_NEXT_SRV -tls1_3 -msg -no_middlebox" \ +run_test "TLS1.3: minimal feature sets - openssl" \ + "$O_NEXT_SRV -msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=3 min_version=tls1_3 max_version=tls1_3" \ - 1 \ - -c "SSL - The requested feature is not available" \ - -s "ServerHello" \ + 0 \ -c "tls1_3 client state: 0" \ -c "tls1_3 client state: 2" \ -c "tls1_3 client state: 19" \ @@ -8834,18 +8832,18 @@ run_test "TLS1.3: Test client hello msg work - openssl" \ -c "=> parse certificate verify" \ -c "<= parse certificate verify" \ -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \ - -c "<= parse finished message" + -c "<= parse finished message" \ + -c "HTTP/1.0 200 ok" requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS1.3: Test client hello msg work - gnutls" \ +run_test "TLS1.3: minimal feature sets - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \ "$P_CLI debug_level=3 min_version=tls1_3 max_version=tls1_3" \ - 1 \ - -c "SSL - The requested feature is not available" \ + 0 \ -s "SERVER HELLO was queued" \ -c "tls1_3 client state: 0" \ -c "tls1_3 client state: 2" \ @@ -8866,7 +8864,8 @@ run_test "TLS1.3: Test client hello msg work - gnutls" \ -c "=> parse certificate verify" \ -c "<= parse certificate verify" \ -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \ - -c "<= parse finished message" + -c "<= parse finished message" \ + -c "HTTP/1.0 200 OK" # Test heap memory usage after handshake