diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 94bbee59b5..8fec3c6e2d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -664,7 +664,7 @@ typedef enum MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP, - MBEDTLS_SSL_HANDSHAKE_OVER, + MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, @@ -674,7 +674,9 @@ typedef enum MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, - MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH, + MBEDTLS_SSL_HANDSHAKE_OVER, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH, } mbedtls_ssl_states; @@ -4654,7 +4656,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); */ static inline int mbedtls_ssl_is_handshake_over( mbedtls_ssl_context *ssl ) { - return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER ); + return( ssl->MBEDTLS_PRIVATE( state ) >= MBEDTLS_SSL_HANDSHAKE_OVER ); } /** diff --git a/library/ssl_msg.c b/library/ssl_msg.c index dbc6391885..80471d4c5d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1907,7 +1907,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); mbedtls_ssl_set_timer( ssl, 0 ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ssl_double_retransmit_timeout( ssl ) != 0 ) { @@ -5299,7 +5299,7 @@ static int ssl_tls13_check_new_session_ticket( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) ); mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_NEW_SESSION_TICKET ); + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); return( MBEDTLS_ERR_SSL_WANT_READ ); } @@ -5502,7 +5502,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake( ssl ); if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && @@ -5758,7 +5758,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da90b2350f..506333d777 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3602,7 +3602,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ssl == NULL || ssl->conf == NULL || ssl->handshake == NULL || - mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3706,7 +3706,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); /* Main handshake loop */ - while( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake_step( ssl ); @@ -7544,7 +7544,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) #endif mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); - ssl->state++; + ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0372f2d98d..db8476c759 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2743,7 +2743,7 @@ static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl, } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl ) @@ -2857,7 +2857,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_SSL_NEW_SESSION_TICKET: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: ret = ssl_tls13_process_new_session_ticket( ssl ); if( ret != 0 ) break; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3cd03108f6..ce8767c5fd 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2628,7 +2628,7 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) mbedtls_ssl_tls13_handshake_wrapup( ssl ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); #else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); #endif @@ -2636,7 +2636,7 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ #define SSL_NEW_SESSION_TICKET_SKIP 0 #define SSL_NEW_SESSION_TICKET_WRITE 1 @@ -2872,7 +2872,7 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl ) { @@ -2908,8 +2908,8 @@ static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl ) else ssl->handshake->new_session_tickets_count--; - mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH ); + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH ); } else { @@ -3045,7 +3045,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_SSL_NEW_SESSION_TICKET: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: ret = ssl_tls13_write_new_session_ticket( ssl ); if( ret != 0 ) { @@ -3054,9 +3054,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ret ); } break; - case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH: /* This state is necessary to do the flush of the New Session - * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET + * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET * as part of ssl_prepare_handshake_step. */ ret = 0; @@ -3064,7 +3064,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) if( ssl->handshake->new_session_tickets_count == 0 ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); else - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 62205274c7..b460c67dc1 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1362,7 +1362,7 @@ do_run_test_once() { if [ -n "$PXY_CMD" ]; then kill $PXY_PID >/dev/null 2>&1 - wait $PXY_PID + wait $PXY_PID >> $PXY_OUT 2>&1 fi } @@ -12945,8 +12945,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, O->m" \ "$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \ 0 \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS @@ -12962,8 +12962,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \ -c "Connecting again- trying to resume previous session" \ -c "NEW SESSION TICKET (4) was received" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" @@ -12985,8 +12985,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \ -c "Reconnecting with saved session" \ -c "HTTP/1.0 200 OK" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" @@ -13040,8 +13040,8 @@ run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \ -c "Reconnecting with saved session" \ -c "HTTP/1.0 200 OK" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" @@ -13064,8 +13064,8 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \ -c "Reconnecting with saved session" \ -c "Hostname mismatch the session ticket, disable session resumption." \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2