commit 37bdaab64f7bf5fe5ef319b1a2504d692828ae62
author Ronald Cron <ronald.cron@arm.com> Wed Mar 30 16:45:51 2022 +0200
committer Ronald Cron <ronald.cron@arm.com> Thu Mar 31 09:26:58 2022 +0200
tree 786625954dce06569e521bcc53537d4bde4607f2
parent 3cffc5ccb1b4e83f718c923d5b66025b1bf8639a

tls: Simplify the logic of the config version check and test it

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d5aed2e..0e1d0ea 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -882,13 +882,6 @@
     const mbedtls_ssl_config *conf = ssl->conf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    if( mbedtls_ssl_conf_is_tls13_enabled( conf ) &&
-        ( conf->endpoint == MBEDTLS_SSL_IS_SERVER ) )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) );
-        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
-
     if( mbedtls_ssl_conf_is_tls13_only( conf ) )
     {
         if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@@ -896,6 +889,13 @@
              MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported." ) );
              return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
         }
+
+        if( conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
         return( 0 );
     }
@@ -917,6 +917,13 @@
              MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2" ) );
              return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
         }
+
+        if( conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is TLS 1.3 or TLS 1.2." ) );
         return( 0 );
     }

tests/suites/test_suite_ssl.data

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index e330016..f1b8fee 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3212,5 +3212,123 @@
 Test configuration of groups for DHE through mbedtls_ssl_conf_groups()
 conf_group:
 
+Version config: valid client TLS 1.2 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:3:0
+
+Version config: valid client DTLS 1.2 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:3:0
+
+Version config: valid server TLS 1.2 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:3:0
+
+Version config: valid server DTLS 1.2 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:3:0
+
+Version config: invalid client TLS 1.2 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:3:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid client DTLS 1.2 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:3:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid server TLS 1.2 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:3:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid server DTLS 1.2 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:3:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: valid client TLS 1.3 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:4:3:4:0
+
+Version config: unsupported client DTLS 1.3 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:4:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: unsupported server TLS 1.3 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:4:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: unsupported server DTLS 1.3 only
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:4:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: invalid client TLS 1.3 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:4:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid client DTLS 1.3 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:4:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid server TLS 1.3 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:4:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid server DTLS 1.3 only
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:4:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: valid client hybrid TLS 1.2/3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:0
+
+Version config: unsupported client hybrid DTLS 1.2/3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: unsupported server hybrid TLS 1.2/3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: unsupported server hybrid DTLS 1.2/3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
+Version config: valid client hybrid TLS 1.2/3, no TLS 1.2
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported client hybrid DTLS 1.2/3, no TLS 1.2
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported server hybrid TLS 1.2/3, no TLS 1.2
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported server hybrid DTLS 1.2/3, no TLS 1.2
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_2
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: valid client hybrid TLS 1.2/3, no TLS 1.3
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported client hybrid DTLS 1.2/3, no TLS 1.3
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported server hybrid TLS 1.2/3, no TLS 1.3
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_STREAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: unsupported server hybrid DTLS 1.2/3, no TLS 1.3
+depends_on:!MBEDTLS_SSL_PROTO_TLS1_3
+conf_version:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_TRANSPORT_DATAGRAM:3:3:3:4:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid minimum version
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:2:3:3:MBEDTLS_ERR_SSL_BAD_CONFIG
+
+Version config: invalid maximum version
+conf_version:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_TRANSPORT_STREAM:3:4:3:5:MBEDTLS_ERR_SSL_BAD_CONFIG
+
 Test accessor into timing_delay_context
 timing_final_delay_accessor

tests/suites/test_suite_ssl.function

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 54ee23f..fc8b27f 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -5369,6 +5369,30 @@
 }
 /* END_CASE */
 
+/* BEGIN_CASE */
+void conf_version( int endpoint, int transport,
+                   int min_version_major, int min_version_minor,
+                   int max_version_major, int max_version_minor,
+                   int expected_ssl_setup_result )
+{
+    mbedtls_ssl_config conf;
+    mbedtls_ssl_context ssl;
+
+    mbedtls_ssl_config_init( &conf );
+    mbedtls_ssl_init( &ssl );
+
+    mbedtls_ssl_conf_endpoint( &conf, endpoint );
+    mbedtls_ssl_conf_transport( &conf, transport );
+    mbedtls_ssl_conf_min_version( &conf, min_version_major, min_version_minor );
+    mbedtls_ssl_conf_max_version( &conf, max_version_major, max_version_minor );
+
+    TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == expected_ssl_setup_result );
+
+    mbedtls_ssl_free( &ssl );
+    mbedtls_ssl_config_free( &conf );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
 void conf_curve()
 {