From b1dc59a125982ce6bebbb91db44ce6106b0b604b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 5 Aug 2021 15:58:09 +0800 Subject: [PATCH 1/7] Add tls1.3 parameters to ssl_{client,server2} To support tls1.3 relative tests, add `tls1_3` parameter for `{min,max}_version` and `force_version` issues: #4844 Change-Id: I1b22a076582374b8aabc733086562e9d03a94a2a Signed-off-by: Jerry Yu --- programs/ssl/ssl_client2.c | 26 ++++++++++++++++++++++++-- programs/ssl/ssl_server2.c | 26 ++++++++++++++++++++++++-- 2 files changed, 48 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 25fe21bd9..d967bcf96 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -395,13 +395,20 @@ int main( void ) USAGE_CURVES \ USAGE_DHMLEN \ "\n" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define TLS1_3_VERSION_OPTIONS ", tls1_3" +#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define TLS1_3_VERSION_OPTIONS "" +#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #define USAGE4 \ " allow_sha1=%%d default: 0\n" \ " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2\n" \ - "\n" \ + " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ + "\n\n" \ " force_ciphersuite= default: all enabled\n"\ " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ @@ -1070,6 +1077,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } 
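Review bot: Passing `min_version=tls1_3` alone sets `opt.min_version` to `MBEDTLS_SSL_MINOR_VERSION_4` but leaves `opt.max_version` at its default, which the usage text gives as tls1_2, so the minimum can end up above the maximum. Nothing in this hunk or in the matching `max_version` hunk raises the other bound, and the same applies to the two ssl_server2.c hunks. Unless code outside the hunks reconciles the bounds, the user only sees a generic configuration error later. Either say so in USAGE4, for example `" (tls1_3: set min_version and max_version, or force_version)\n" \`, or reject `opt.min_version > opt.max_version` once option parsing is done. `main` starts and ends outside the hunk.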
@@ -1078,6 +1089,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1103,6 +1118,13 @@ int main( int argc, char *argv[] ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + { + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d2aa48a05..264325e07 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -485,6 +485,13 @@ int main( void ) USAGE_ETM \ USAGE_CURVES \ "\n" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define TLS1_3_VERSION_OPTIONS ", tls1_3" +#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define TLS1_3_VERSION_OPTIONS "" +#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #define USAGE4 \ USAGE_SSL_ASYNC \ USAGE_SNI \ @@ -492,8 +499,8 @@ int main( void ) " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2\n" \ - "\n" \ + " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ + "\n\n" \ " force_ciphersuite= default: all enabled\n" \ " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ 
@@ -1712,6 +1719,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1720,6 +1731,10 @@ int main( int argc, char *argv[] ) if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } @@ -1745,6 +1760,13 @@ int main( int argc, char *argv[] ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + else if( strcmp( q, "tls1_3" ) == 0 ) + { + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ else goto usage; } From 2a572cf376137a6d67d459d825b0ca4855592dfe Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 6 Aug 2021 11:21:08 +0800 Subject: [PATCH 2/7] Move socket setup behind ssl structure setup. If socket setup fail, ssl structure setup won't be called. And the order of them do not affect final result, but it will break ssl setup negative tests. Change the order can fix that. issue: #4844 Change-Id: I2488ed5f74773421eb1eac0cfd7f1ce4fbb0b32d Signed-off-by: Jerry Yu --- programs/ssl/ssl_client2.c | 70 +++++++++++++++++++------------------- programs/ssl/ssl_server2.c | 39 +++++++++++---------- 2 files changed, 54 insertions(+), 55 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d967bcf96..86c314c35 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
@@ -1592,41 +1592,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ /* - * 2. Start the connection - */ - if( opt.server_addr == NULL) - opt.server_addr = opt.server_name; - - mbedtls_printf( " . Connecting to %s/%s/%s...", - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", - opt.server_addr, opt.server_port ); - fflush( stdout ); - - if( ( ret = mbedtls_net_connect( &server_fd, - opt.server_addr, opt.server_port, - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? - MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n", - (unsigned int) -ret ); - goto exit; - } - - if( opt.nbio > 0 ) - ret = mbedtls_net_set_nonblock( &server_fd ); - else - ret = mbedtls_net_set_block( &server_fd ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", - (unsigned int) -ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - - /* - * 3. Setup stuff + * 2. Setup stuff */ mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); 
@@ -1978,6 +1944,40 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); + /* + * 3. Start the connection + */ + if( opt.server_addr == NULL) + opt.server_addr = opt.server_name; + + mbedtls_printf( " . Connecting to %s/%s/%s...", + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", + opt.server_addr, opt.server_port ); + fflush( stdout ); + + if( ( ret = mbedtls_net_connect( &server_fd, + opt.server_addr, opt.server_port, + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? + MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n", + (unsigned int) -ret ); + goto exit; + } + + if( opt.nbio > 0 ) + ret = mbedtls_net_set_nonblock( &server_fd ); + else + ret = mbedtls_net_set_block( &server_fd ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", + (unsigned int) -ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + /* * 4. Handshake */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 264325e07..83bd617c6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2398,26 +2398,7 @@ int main( int argc, char *argv[] ) #endif /* SNI_OPTION */ /* - * 2. Setup the listening TCP socket - */ - mbedtls_printf( " . Bind on %s://%s:%s/ ...", - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", - opt.server_addr ? opt.server_addr : "*", - opt.server_port ); - fflush( stdout ); - - if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port, - opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? - MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - - /* - * 3. Setup stuff + * 2. Setup stuff */ mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); 
@@ -2911,6 +2892,24 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); + /* + * 3. Setup the listening TCP socket + */ + mbedtls_printf( " . Bind on %s://%s:%s/ ...", + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp", + opt.server_addr ? opt.server_addr : "*", + opt.server_port ); + fflush( stdout ); + + if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port, + opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? + MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + mbedtls_printf( " ok\n" ); + reset: #if !defined(_WIN32) if( received_sigterm ) From 60835a88c3249e266d0a1aac69a955f2a1ac26f4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 4 Aug 2021 10:13:52 +0800 Subject: [PATCH 3/7] Add config check utils functions Check configuration parameter in structure setup function to make sure the config data is available and valid. Current implementation checks the version config. Available version configs are - tls1_3 only - tls1_2 only issues: #4844 Change-Id: Ia762bd3d817440ae130b45f19b80a2868afae924 Signed-off-by: Jerry Yu --- library/ssl_misc.h | 46 ++++++++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cc19f4723..879e0e07b 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -1259,4 +1259,50 @@ void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ); void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +/** + * ssl utils functions for checking configuration. + */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bb5ddc470..911a80c64 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
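Review bot: The three new predicates have no per-function documentation, because the single `/** ssl utils functions for checking configuration. */` block sits in front of the first `#if` and describes none of them. Each one deserves its own comment stating the exact range it matches, for example `/* Return 1 if conf allows exactly TLS 1.3 (min == max == 3.4), 0 otherwise. */` above `mbedtls_ssl_conf_is_tls13_only`. The bodies could also return the comparison directly instead of `if( ... ) { return( 1 ); } return( 0 );`. These helpers read the live `conf` fields, so the comments should mention that the answer changes if the configuration is modified after `mbedtls_ssl_setup`. The last `#endif` comment is missing a space before `*/`.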
@@ -3142,6 +3142,53 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); } +static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } +#endif + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) ); + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); +} + +static int ssl_conf_check(const mbedtls_ssl_context *ssl) +{ + int ret; + ret = ssl_conf_version_check( ssl ); + if( ret != 0 ) + return( ret ); + + /* Space for further checks */ + + return( 0 ); +} + /* * Setup an SSL context */ @@ -3155,6 +3202,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, ssl->conf = conf; + if( ( ret = ssl_conf_check( ssl ) ) != 0 ) + return( ret ); + /* * Prepare base structures */ From c46e9b4091fd3d682a4128c2111e339ced186ab4 Mon Sep 17 00:00:00 2001 
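Review bot: The fall-through at the end of `ssl_conf_version_check` logs only "The SSL configuration is invalid.", so the caller cannot tell which version bounds were rejected. It now catches every range other than exactly 1.2 or exactly 1.3, including a minimum above the maximum. Logging the values would make the `MBEDTLS_ERR_SSL_BAD_CONFIG` result actionable, e.g. `MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version range: min 3.%d, max 3.%d", ssl->conf->min_minor_ver, ssl->conf->max_minor_ver ) );`. As a style point, `ssl_conf_check(const mbedtls_ssl_context *ssl)` omits the spaces inside the parentheses that the rest of the hunk uses.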
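Review bot: The new early return in `mbedtls_ssl_setup` happens after `ssl->conf = conf;`, so a context whose configuration was rejected still points at that configuration. The rest of the function is outside the hunk; if its other failure paths clear `ssl->conf`, this one should match them, e.g. `{ ssl->conf = NULL; return( ret ); }`. The stricter contract also belongs in the public documentation of `mbedtls_ssl_setup`, since a `conf` that never went through `mbedtls_ssl_config_defaults` is now refused. That is a caller-visible change.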
From: Jerry Yu Date: Fri, 6 Aug 2021 11:22:24 +0800 Subject: [PATCH 4/7] tests: Add negative version config tests. tls1.3 and tls1.2 can not be enabled at same time before #4832 resolved. And the test won't run into `handshake` stage, add `skip_handshak_check` function to skip it. Change-Id: I13f3b06b2f33b9c9beb8cac90f5fda41a4ed53f3 Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 45 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ba5a21779..ecead5791 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -693,6 +693,11 @@ find_in_both() { fi } +SKIP_HANDSHAKE_CHECK="NO" +skip_handshake_stage_check() { + SKIP_HANDSHAKE_CHECK="YES" +} + # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] # Options: -s pattern pattern that must be present in server output # -c pattern pattern that must be present in client output 
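Review bot: `SKIP_HANDSHAKE_CHECK` and `skip_handshake_stage_check` are added without a comment, although the flag is one-shot global state that changes what the next `run_test` verifies. A short header would help, for example `# Skip the "reached handshake stage" sanity check for the next run_test call only.` above the function. The usage block of `run_test` just below would also be a good place to mention it.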
@@ -855,21 +860,25 @@ run_test() { # (useful to avoid tests with only negative assertions and non-zero # expected client exit to incorrectly succeed in case of catastrophic # failure) - if is_polar "$SRV_CMD"; then - if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" - return + if [ "X$SKIP_HANDSHAKE_CHECK" != "XYES" ] + then + if is_polar "$SRV_CMD"; then + if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :; + else + fail "server or client failed to reach handshake stage" + return + fi fi - fi - if is_polar "$CLI_CMD"; then - if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" - return + if is_polar "$CLI_CMD"; then + if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :; + else + fail "server or client failed to reach handshake stage" + return + fi fi fi + SKIP_HANDSHAKE_CHECK="NO" # Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't # exit with status 0 when interrupted by a signal, and we don't really # care anyway), in case e.g. the server reports a memory leak. 
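Review bot: `SKIP_HANDSHAKE_CHECK="NO"` is only reached when `run_test` gets as far as this check, so the flag can leak into a later test. The new test calls `requires_config_enabled` before `skip_handshake_stage_check`; if `run_test` returns early for a skipped test (that path is outside the hunk), the flag stays "YES". The next test that does run would then silently lose its "failed to reach handshake stage" guard. That guard exists to stop negative tests from passing after a catastrophic failure. Capture and clear the flag at the very top of `run_test`, or clear it on every early-return path, e.g. `SKIP_HANDSHAKE_CHECK="NO"` next to the skip handling. `run_test` starts and ends outside the hunk.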
@@ -8478,6 +8487,20 @@ run_test "export keys functionality" \ -c "EAP-TLS IV is:" \ -s "EAP-TLS IV is:" +# TLS1.3 test cases +# TODO: remove or rewrite this test case if #4832 is resolved. +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +skip_handshake_stage_check +run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \ + "$P_SRV debug_level=1 min_version=tls1_2 max_version=tls1_3" \ + "$P_CLI debug_level=1 min_version=tls1_2 max_version=tls1_3" \ + 1 \ + -s "SSL - The requested feature is not available" \ + -c "SSL - The requested feature is not available" \ + -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \ + -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C From b19ccc3998d40d0463e0e92bb8c1e18669de2d40 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 9 Aug 2021 17:44:56 +0800 Subject: [PATCH 5/7] fix test_suite_debug test fail Before `mbedtls_ssl_setup`, config functions should be called. Without it, `mbedtls_ssl_setup` will raise invalid value error. Change-Id: I46fdaa5e8eb83d06c620087a9e1e7e14e1c5d9b5 Signed-off-by: Jerry Yu --- tests/suites/test_suite_debug.function | 39 +++++++++++++++++++++----- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 197a7ef31..c51be4d0b 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function 
@@ -60,10 +60,16 @@ void debug_print_msg_threshold( int threshold, int level, char * file, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); + + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_threshold( threshold ); - mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_msg( &ssl, level, file, line, "Text message, 2 == %d", 2 ); @@ -89,10 +95,15 @@ void mbedtls_debug_print_ret( char * file, int line, char * text, int value, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_debug_print_ret( &ssl, 0, file, line, text, value); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); @@ -116,11 +127,15 @@ void mbedtls_debug_print_buf( char * file, int line, char * text, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_debug_print_buf( &ssl, 0, file, line, text, data->x, data->len ); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); 
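Review bot: The return value of `mbedtls_ssl_config_defaults` is discarded in `debug_print_msg_threshold`, and the same applies to the other four test functions touched by this patch. If it fails, the test continues with a partially initialised `conf` and the failure shows up as an unrelated `mbedtls_ssl_setup` assertion. Wrap it the same way as the setup call: `TEST_ASSERT( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT ) == 0 );`. Since the same three-call sequence is now repeated five times, a small shared helper in the test file would keep the functions consistent.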
@@ -146,10 +161,15 @@ void mbedtls_debug_print_crt( char * crt_file, char * file, int line, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt); @@ -177,12 +197,17 @@ void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line, memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ); + + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); TEST_ASSERT( mbedtls_test_read_mpi( &val, radix, value ) == 0 ); - mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); - mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); From 3cc4c2a50698006726ee19679fc8339176363540 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 6 Aug 2021 16:29:08 +0800 Subject: [PATCH 6/7] Add dummy ssl_tls13_{client,server}.c Change-Id: Ic1cd1d55b097f5a31c9f48e9d55733d75ab49982 Signed-off-by: Jerry Yu --- library/CMakeLists.txt | 2 ++ library/Makefile | 2 ++ library/ssl_tls13_client.c | 34 ++++++++++++++++++++++++++++++++++ library/ssl_tls13_server.c | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 library/ssl_tls13_client.c create mode 100644 library/ssl_tls13_server.c diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1cd5589cd..5adc128c9 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -104,6 +104,8 @@ set(src_tls ssl_ticket.c ssl_tls.c ssl_tls13_keys.c + ssl_tls13_server.c + ssl_tls13_client.c ) if(CMAKE_COMPILER_IS_GNUCC) diff --git a/library/Makefile b/library/Makefile index 0ee6e4f36..8c58fb850 100644 --- a/library/Makefile +++ b/library/Makefile @@ -167,6 +167,8 @@ OBJS_TLS= \ ssl_ticket.o \ ssl_tls.o \ ssl_tls13_keys.o \ + ssl_tls13_client.o \ + ssl_tls13_server.o \ # This line is intentionally left blank .SILENT: diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c new file mode 100644 index 000000000..c35fedc57 --- /dev/null +++ b/library/ssl_tls13_client.c @@ -0,0 +1,34 @@ +/* + * TLS 1.3 client-side functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS ( https://tls.mbed.org ) + */ + +#include "common.h" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +#if defined(MBEDTLS_SSL_CLI_C) + +#include "ssl_misc.h" + + + +#endif /* MBEDTLS_SSL_CLI_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c new file mode 100644 index 000000000..370f11920 --- /dev/null +++ b/library/ssl_tls13_server.c 
@@ -0,0 +1,32 @@ +/* + * TLSv1.3 server-side functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +#include "common.h" + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + + +#if defined(MBEDTLS_SSL_SRV_C) + +#include "ssl_misc.h" + + +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ From b9930e7d7053197649cbe0723658f9bd0b7c442e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 6 Aug 2021 17:11:51 +0800 Subject: [PATCH 7/7] Add dummy tls1.3 handshake dispatch functions Base on version config, `handshack_{clinet,server}_step` will call different step function. TLS1.3 features will be gradully added base on it. And a new test cases is added to make sure it reports `feature is not available`. Change-Id: I4f0e36cb610f5aa59f97910fb8204bfbf2825949 Signed-off-by: Jerry Yu --- library/ssl_misc.h | 4 ++++ library/ssl_tls.c | 24 ++++++++++++++++++++++-- library/ssl_tls13_client.c | 6 +++++- library/ssl_tls13_server.c | 8 ++++++-- tests/ssl-opt.sh | 9 +++++++++ 5 files changed, 46 insertions(+), 5 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 879e0e07b..c8e2f4c88 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -881,6 +881,10 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ); +#endif int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 911a80c64..923c671a7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5135,11 +5135,31 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - ret = mbedtls_ssl_handshake_client_step( ssl ); + { +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_client_step_tls1_3( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_client_step( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + } #endif #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - ret = mbedtls_ssl_handshake_server_step( ssl ); + { +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_server_step_tls1_3( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + ret = mbedtls_ssl_handshake_server_step( ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + } #endif return( ret ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index c35fedc57..368b5572d 100644 
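Review bot: In `mbedtls_ssl_handshake_step` the TLS 1.3 and TLS 1.2 dispatch are two independent `if` statements with no final `else`. If the configuration matches neither predicate at handshake time, no step function runs and `ret` keeps whatever value it had before the block (its initialisation is outside the hunk). This can happen when `conf` is changed after `mbedtls_ssl_setup`, because the version check only runs at setup. Chain the branches and fail closed: add `else` after each `ret = ...step...( ssl );` inside its `#if` block, and end with `ret = MBEDTLS_ERR_SSL_BAD_CONFIG;` as the unconditional fallback. The same change applies to the server branch.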
--- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -27,7 +27,11 @@ #include "ssl_misc.h" - +int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} #endif /* MBEDTLS_SSL_CLI_C */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 370f11920..a56727741 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1,5 +1,5 @@ /* - * TLSv1.3 server-side functions + * TLS 1.3 server-side functions * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -21,11 +21,15 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - #if defined(MBEDTLS_SSL_SRV_C) #include "ssl_misc.h" +int mbedtls_ssl_handshake_server_step_tls1_3( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} #endif /* MBEDTLS_SSL_SRV_C */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ecead5791..01265ae9b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -8501,6 +8501,15 @@ run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \ -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \ -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +run_test "TLS1.3: handshake dispatch test: tls1_3 only" \ + "$P_SRV min_version=tls1_3 max_version=tls1_3" \ + "$P_CLI min_version=tls1_3 max_version=tls1_3" \ + 1 \ + -s "SSL - The requested feature is not available" \ + -c "SSL - The requested feature is not available" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
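Review bot: The "handshake dispatch test" only matches "SSL - The requested feature is not available", which is the same string the preceding hybrid test matches for a failure raised in `mbedtls_ssl_setup`. A pass therefore does not show that the new `*_step_tls1_3` stubs were actually reached. Emit a distinctive debug line from each stub, e.g. `MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 client handshake is not yet implemented" ) );`, which also removes the need for `((void) ssl);`. Then run with `debug_level=1` and add matching `-c`/`-s` patterns. The `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2` line looks unnecessary for a tls1_3-only run; please confirm it is intended.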