diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 879e0e07b0..c8e2f4c884 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -881,6 +881,10 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl );
+#endif
 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 911a80c64b..923c671a7b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
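Review bot: The new `#endif` closing the MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL block in ssl_misc.h is untagged, while the same commit tags every `#endif` it adds in ssl_tls.c with the guard name; `#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */` keeps the header consistent with the rest of the change. The two new prototypes also carry no comment; a one-liner such as `/* TLS 1.3 handshake entry points selected by mbedtls_ssl_handshake_step(); currently stubs. */` would tell a reader why they exist alongside the TLS 1.2 step functions.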
@@ -5135,11 +5135,31 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_CLI_C)
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
- ret = mbedtls_ssl_handshake_client_step( ssl );
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
+ ret = mbedtls_ssl_handshake_client_step_tls1_3( ssl );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
+ ret = mbedtls_ssl_handshake_client_step( ssl );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ }
 #endif
 #if defined(MBEDTLS_SSL_SRV_C)
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
- ret = mbedtls_ssl_handshake_server_step( ssl );
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
+ ret = mbedtls_ssl_handshake_server_step_tls1_3( ssl );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
+ ret = mbedtls_ssl_handshake_server_step( ssl );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ }
 #endif
 return( ret );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index c35fedc575..368b5572db 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -27,7 +27,11 @@
 #include "ssl_misc.h"
-
+int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl )
+{
+ ((void) ssl);
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
 #endif /* MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 370f11920e..a56727741b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1,5 +1,5 @@
 /*
- * TLSv1.3 server-side functions
+ * TLS 1.3 server-side functions
 *
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0
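Review bot: When the configuration is neither TLS 1.3-only nor TLS 1.2-only (a hybrid version range, or a build with MBEDTLS_SSL_PROTO_TLS1_2 disabled and a range that is not 1.3-only), neither `if` in the new client block fires and `ret` is returned with whatever value it was initialised to above the hunk, so the dispatcher silently does nothing rather than failing with a defined error; the server block has the same gap. The "Hybrid ... not yet supported" strings in the ssl-opt.sh hunk suggest such configurations are rejected earlier, but that invariant is not visible here and the dispatch should not rely on it. Setting `ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;` as the first statement inside each new `{` block, with a comment `/* Overridden below when exactly one protocol version family is configured */`, makes an unmatched configuration fail explicitly without adding `else` arms across the `#if` boundaries. The body of mbedtls_ssl_handshake_step begins above the hunk.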
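Review bot: The new `mbedtls_ssl_handshake_client_step_tls1_3` is an undocumented stub: nothing tells a reader that returning MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE is a placeholder rather than the intended contract, and the same applies to `mbedtls_ssl_handshake_server_step_tls1_3` in the ssl_tls13_server.c hunk that follows. A short header comment such as `/* Placeholder until the TLS 1.3 client handshake is implemented; always fails with MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE. */` would make the intent explicit. Since the ssl-opt.sh test added by this commit pins exactly that error string, naming that test in the comment would help keep the two in step when the stub is replaced.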
@@ -21,11 +21,15 @@
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
-
 #if defined(MBEDTLS_SSL_SRV_C)
 #include "ssl_misc.h"
+int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl )
+{
+ ((void) ssl);
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
 #endif /* MBEDTLS_SSL_SRV_C */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ecead57916..01265ae9b3 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -8501,6 +8501,15 @@ run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \
 -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \
 -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS1.3: handshake dispatch test: tls1_3 only" \
+ "$P_SRV min_version=tls1_3 max_version=tls1_3" \
+ "$P_CLI min_version=tls1_3 max_version=tls1_3" \
+ 1 \
+ -s "SSL - The requested feature is not available" \
+ -c "SSL - The requested feature is not available"
+
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_MEMORY_DEBUG
 requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C