diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 725b156d5d06..0abcb75fc57d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -623,6 +623,7 @@ typedef enum
 MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 MBEDTLS_SSL_ENCRYPTED_EXTENSIONS,
+ MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 } mbedtls_ssl_states;
diff --git a/library/common.h b/library/common.h
index 780ce378dece..9b10ec8fbbdb 100644
--- a/library/common.h
+++ b/library/common.h
@@ -318,4 +318,12 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c
 }
 #endif
+/* Fix MSVC C99 compatible issue
+ * MSVC support __func__ from visual studio 2015( 1900 )
+ * Use MSVC predefine macro to avoid name check fail.
+ */
+#if (defined(_MSC_VER) && ( _MSC_VER <= 1900 ))
+#define /*no-check-names*/ __func__ __FUNCTION__
+#endif
+
 #endif /* MBEDTLS_LIBRARY_COMMON_H */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 13e932c4535b..633bb8da2e4d 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -701,6 +701,7 @@ static int ssl_tls13_prepare_client_hello( mbedtls_ssl_context *ssl )
 /*
 * Write ClientHello handshake message.
+ * Handler for MBEDTLS_SSL_CLIENT_HELLO
 */
 static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl )
 {
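Review bot: `MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY` is appended inside the `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL` block of a public enum whose ordinals this same commit pins in tests/ssl-opt.sh (the `tls1_3 client state: 19` and `: 20` expectations presumably correspond to `MBEDTLS_SSL_ENCRYPTED_EXTENSIONS` and the new constant), and nothing at the enum says the numbers are load-bearing. Anyone inserting a state ahead of these two, or reordering the block, would silently renumber what the tests expect, and only under the experimental configuration. A short comment on the block would prevent that: `/* Ordinals of these states are matched literally by tests/ssl-opt.sh ("tls1_3 client state: N"); only append new states here. */`.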
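Review bot: The guard `_MSC_VER <= 1900` contradicts the comment two lines above it, which says MSVC provides `__func__` from Visual Studio 2015 (1900): at exactly 1900 the compiler-provided identifier is still replaced by the macro. If 1900 really supports it, the guard should read `#if (defined(_MSC_VER) && ( _MSC_VER < 1900 ))`; if it does not, the comment is what needs fixing. Either way the comment should also say why the define is acceptable at all, since `__func__` is a predefined identifier rather than a macro in C99 and `__`-prefixed names are reserved for the implementation, which is presumably what the `/*no-check-names*/` marker is exempting, e.g. `/* Deliberate: shadow the C99 predefined identifier with MSVC's equivalent on compilers that lack it. */`.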
@@ -736,11 +737,121 @@ static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl )
 return ret;
 }
+/*
+ * Handler for MBEDTLS_SSL_SERVER_HELLO
+ */
+static int ssl_tls1_3_process_server_hello( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
+ */
+static int ssl_tls1_3_process_encrypted_extensions( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
+ */
+static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
+ */
+static int ssl_tls1_3_process_server_certificate( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
+ */
+static int ssl_tls1_3_process_certificate_verify( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_FINISHED
+ */
+static int ssl_tls1_3_process_server_finished( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
+ */
+static int ssl_tls1_3_write_client_certificate( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
+ */
+static int ssl_tls1_3_write_client_certificate_verify( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_FINISHED
+ */
+static int ssl_tls1_3_write_client_finished( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
+ */
+static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl )
+{
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
+ return( 0 );
+}
+
+/*
+ * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
+ */
+static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl )
+{
+ ((void) ssl);
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+
 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
 {
 int ret = 0;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls1_3 client state: %d", ssl->state ) );
 switch( ssl->state )
 {
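Review bot: Every new handler except `ssl_tls1_3_handshake_wrapup` returns 0 and calls `mbedtls_ssl_handshake_set_state` without consuming or verifying a single server message (ServerHello, Certificate, CertificateVerify and Finished included), so the only thing keeping this handshake from succeeding is the `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE` in the last stub. That invariant is not written down anywhere; a comment above `ssl_tls1_3_process_server_hello` should state it, e.g. `/* Placeholder handlers: each advances the state machine without reading or checking any server message. The handshake must keep failing in ssl_tls1_3_handshake_wrapup() until every handler is implemented. */`. Separately, the new names use `ssl_tls1_3_` while the existing functions in this file use `ssl_tls13_` (`ssl_tls13_write_client_hello`, `mbedtls_ssl_tls13_handshake_client_step`); the dispatch hunk below repeats the inconsistency. `mbedtls_ssl_tls13_handshake_client_step` starts here and its switch continues past the end of the hunk.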
@@ -754,9 +865,47 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
 break;
 case MBEDTLS_SSL_SERVER_HELLO:
- // Stop here : we haven't finished whole flow
- ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
+ ret = ssl_tls1_3_process_server_hello( ssl );
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ ret = ssl_tls1_3_process_encrypted_extensions( ssl );
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ ret = ssl_tls1_3_process_certificate_request( ssl );
+ break;
+
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ ret = ssl_tls1_3_process_server_certificate( ssl );
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ ret = ssl_tls1_3_process_certificate_verify( ssl );
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ ret = ssl_tls1_3_process_server_finished( ssl );
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ ret = ssl_tls1_3_write_client_certificate( ssl );
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
+ ret = ssl_tls1_3_write_client_certificate_verify( ssl );
+ break;
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ ret = ssl_tls1_3_write_client_finished( ssl );
+ break;
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS:
+ ret = ssl_tls1_3_flush_buffers( ssl );
+ break;
+
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ ret = ssl_tls1_3_handshake_wrapup( ssl );
 break;
 default:
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 0dcd7ed60273..86f44cb65f0d 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -23,11 +23,15 @@
 #if defined(MBEDTLS_SSL_SRV_C)
+#include "mbedtls/debug.h"
+
 #include "ssl_misc.h"
 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
 {
 ((void) ssl);
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls1_3 server state: %d", ssl->state ) );
+
 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 39499d441c30..66c648573bfc 100755
--- a/tests/ssl-opt.sh
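Review bot: The format string `"tls1_3 server state: %d"` (like `"tls1_3 client state: %d"` in ssl_tls13_client.c in this commit) is matched literally by tests/ssl-opt.sh, but nothing at the definition site says so, so a harmless-looking rewording would break the test. A comment on the line would make the coupling visible: `/* Wording is matched by tests/ssl-opt.sh; keep in sync. */`. The preceding `((void) ssl);` now sits next to a real use of `ssl`; it is presumably still needed for builds where `MBEDTLS_SSL_DEBUG_MSG` expands to nothing, which is worth a few words, e.g. `((void) ssl); /* only referenced when MBEDTLS_DEBUG_C is enabled */`, rather than leaving it to read as stale.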
+++ b/tests/ssl-opt.sh 
@@ -8660,29 +8660,53 @@ run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS1.3: handshake dispatch test: tls1_3 only" \
- "$P_SRV min_version=tls1_3 max_version=tls1_3" \
- "$P_CLI min_version=tls1_3 max_version=tls1_3" \
+ "$P_SRV debug_level=2 min_version=tls1_3 max_version=tls1_3" \
+ "$P_CLI debug_level=2 min_version=tls1_3 max_version=tls1_3" \
 1 \
- -s "SSL - The requested feature is not available" \
- -c "SSL - The requested feature is not available"
+ -s "tls1_3 server state: 0" \
+ -c "tls1_3 client state: 0"
 requires_openssl_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS1.3: Test client hello msg work - openssl" \
 "$O_NEXT_SRV -tls1_3 -msg" \
- "$P_CLI min_version=tls1_3 max_version=tls1_3" \
+ "$P_CLI debug_level=2 min_version=tls1_3 max_version=tls1_3" \
 1 \
 -c "SSL - The requested feature is not available" \
- -s "ServerHello"
+ -s "ServerHello" \
+ -c "tls1_3 client state: 0" \
+ -c "tls1_3 client state: 2" \
+ -c "tls1_3 client state: 19" \
+ -c "tls1_3 client state: 5" \
+ -c "tls1_3 client state: 3" \
+ -c "tls1_3 client state: 9" \
+ -c "tls1_3 client state: 13" \
+ -c "tls1_3 client state: 7" \
+ -c "tls1_3 client state: 20" \
+ -c "tls1_3 client state: 11" \
+ -c "tls1_3 client state: 14" \
+ -c "tls1_3 client state: 15"
 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS1.3: Test client hello msg work - gnutls" \
 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --debug=4" \
- "$P_CLI min_version=tls1_3 max_version=tls1_3" \
+ "$P_CLI debug_level=2 min_version=tls1_3 max_version=tls1_3" \
 1 \
 -c "SSL - The requested feature is not available" \
- -s "SERVER HELLO was queued"
+ -s "SERVER HELLO was queued" \
+ -c "tls1_3 client state: 0" \
+ -c "tls1_3 client state: 2" \
+ -c "tls1_3 client state: 19" \
+ -c "tls1_3 client state: 5" \
+ -c "tls1_3 client state: 3" \
+ -c "tls1_3 client state: 9" \
+ -c "tls1_3 client state: 13" \
+ -c "tls1_3 client state: 7" \
+ -c "tls1_3 client state: 20" \
+ -c "tls1_3 client state: 11" \
+ -c "tls1_3 client state: 14" \
+ -c "tls1_3 client state: 15"
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_MEMORY_DEBUG
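Review bot: In the `tls1_3 only` test the two `"SSL - The requested feature is not available"` expectations are replaced rather than extended, so the only remaining evidence that the handshake fails is the `1` exit-status argument; keeping the old `-s`/`-c` lines alongside the new state lines would cost nothing and would still pin the failure reason. In the openssl and gnutls tests the twelve `-c "tls1_3 client state: N"` patterns are raw `mbedtls_ssl_states` ordinals and, as far as `run_test`'s matching is visible here, each is checked independently, so visiting order is not asserted; a comment such as `# state lines are matched independently; order is not asserted` would make that explicit. The retained `-c "SSL - The requested feature is not available"` in those two tests is what proves the walk through every state still ends in failure and not an established session, so it should survive once real handlers land.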