ssl_tls.c: Reject TLS 1.3 version configuration for server

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/ssl_tls.c

@@ -853,12 +853,21 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 
 static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
 {
+    const mbedtls_ssl_config *conf = ssl->conf;
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
+    if( mbedtls_ssl_conf_is_tls13_enabled( conf ) &&
+        ( conf->endpoint == MBEDTLS_SSL_IS_SERVER ) )
     {
-        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    if( mbedtls_ssl_conf_is_tls13_only( conf ) )
+    {
+        if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
         {
-             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
+             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported." ) );
              return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
         }
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
@@ -867,7 +876,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-    if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
+    if( mbedtls_ssl_conf_is_tls12_only( conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
         return( 0 );
@@ -875,7 +884,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
+    if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );

tests/ssl-opt.sh

@@ -9630,26 +9630,23 @@ run_test    "TLS 1.3: Test gnutls tls1_3 feature" \
             -c "Version: TLS1.3"
 
 # TLS1.3 test cases
-# TODO: remove or rewrite this test case if #4832 is resolved.
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 skip_handshake_stage_check
 run_test    "TLS 1.3: Not supported version check: tls12 and tls13" \
-            "$P_SRV debug_level=1 min_version=tls12 max_version=tls13" \
+            "$P_SRV debug_level=1" \
             "$P_CLI debug_level=1 min_version=tls12 max_version=tls13" \
             1 \
-            -s "SSL - The requested feature is not available" \
             -c "SSL - The requested feature is not available" \
-            -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \
             -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test    "TLS 1.3: handshake dispatch test: tls13 only" \
-            "$P_SRV debug_level=2 min_version=tls13 max_version=tls13" \
-            "$P_CLI debug_level=2 min_version=tls13 max_version=tls13" \
+skip_handshake_stage_check
+run_test    "TLS 1.3: No server support" \
+            "$P_SRV debug_level=2 force_version=tls13" \
+            "$P_CLI debug_level=2 force_version=tls13" \
             1 \
-            -s "tls13 server state: MBEDTLS_SSL_HELLO_REQUEST"     \
-            -c "tls13 client state: MBEDTLS_SSL_HELLO_REQUEST"
+            -s "TLS 1.3 server is not supported yet."
 
 requires_openssl_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3

tests/suites/test_suite_ssl.data

@@ -101,6 +101,7 @@ Test mbedtls_endpoint sanity for the client
 mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_CLIENT
 
 Test mbedtls_endpoint sanity for the server
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_SERVER
 
 Test moving clients handshake to state: HELLO_REQUEST