ssl_tls.c: Reject TLS 1.3 version configuration for server
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e174219..6a1bfa8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -853,12 +853,21 @@
static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
{
+ const mbedtls_ssl_config *conf = ssl->conf;
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
+ if( mbedtls_ssl_conf_is_tls13_enabled( conf ) &&
+ ( conf->endpoint == MBEDTLS_SSL_IS_SERVER ) )
{
- if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) );
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
+
+ if( mbedtls_ssl_conf_is_tls13_only( conf ) )
+ {
+ if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported." ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
@@ -867,7 +876,7 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
+ if( mbedtls_ssl_conf_is_tls12_only( conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
return( 0 );
@@ -875,7 +884,7 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
+ if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index aff2411..03351d4 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9630,26 +9630,23 @@
-c "Version: TLS1.3"
# TLS1.3 test cases
-# TODO: remove or rewrite this test case if #4832 is resolved.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
skip_handshake_stage_check
run_test "TLS 1.3: Not supported version check: tls12 and tls13" \
- "$P_SRV debug_level=1 min_version=tls12 max_version=tls13" \
+ "$P_SRV debug_level=1" \
"$P_CLI debug_level=1 min_version=tls12 max_version=tls13" \
1 \
- -s "SSL - The requested feature is not available" \
-c "SSL - The requested feature is not available" \
- -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \
-c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test "TLS 1.3: handshake dispatch test: tls13 only" \
- "$P_SRV debug_level=2 min_version=tls13 max_version=tls13" \
- "$P_CLI debug_level=2 min_version=tls13 max_version=tls13" \
+skip_handshake_stage_check
+run_test "TLS 1.3: No server support" \
+ "$P_SRV debug_level=2 force_version=tls13" \
+ "$P_CLI debug_level=2 force_version=tls13" \
1 \
- -s "tls13 server state: MBEDTLS_SSL_HELLO_REQUEST" \
- -c "tls13 client state: MBEDTLS_SSL_HELLO_REQUEST"
+ -s "TLS 1.3 server is not supported yet."
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 7de562a..e330016 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -101,6 +101,7 @@
mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_CLIENT
Test mbedtls_endpoint sanity for the server
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_SERVER
Test moving clients handshake to state: HELLO_REQUEST