Allow optional authentication of the server in 1.3
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.
In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3bcf4f4..dd793d1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1354,29 +1354,6 @@
return ret;
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* RFC 8446 section 4.4.3
- *
- * If the verification fails, the receiver MUST terminate the handshake with
- * a "decrypt_error" alert.
- *
- * If the client is configured as TLS 1.3 only with optional verify, return
- * bad config.
- *
- */
- if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
- (mbedtls_ssl_context *) ssl) &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("Optional verify auth mode "
- "is not available for TLS 1.3 client"));
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
@@ -8190,6 +8167,7 @@
{
int ret = 0;
int crt_expected;
+ /* Authmode: precedence order is SNI if used else configuration */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 8f8f8c2..4b027de 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -629,22 +629,17 @@
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
{
int ret = 0;
- int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
uint32_t verify_result = 0;
- /* If SNI was used, overwrite authentication mode
- * from the configuration. */
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
- authmode = ssl->handshake->sni_authmode;
- } else
-#endif
- authmode = ssl->conf->authmode;
- }
+ /* Authmode: precedence order is SNI if used else configuration */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : ssl->conf->authmode;
+#else
+ const int authmode = ssl->conf->authmode;
#endif
/*
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7237920..18a292b 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5841,6 +5841,17 @@
run_test "Authentication: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI force_version=tls13 debug_level=3 auth_mode=optional" \
+ 0 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "send alert level=2 message=48" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: server badcert, client optional (1.2)" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional" \
0 \
-c "x509_verify_cert() returned" \
@@ -5860,9 +5871,23 @@
-C "send alert level=2 message=48" \
-C "X509 - Certificate verification failed"
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+# TODO: server goodcert, client none, no trusted CA
+
+requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server goodcert, client optional, no trusted CA" \
"$P_SRV" \
+ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
+ 0 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Authentication: server goodcert, client optional, no trusted CA (1.2)" \
+ "$P_SRV" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
0 \
-c "x509_verify_cert() returned" \
@@ -6129,7 +6154,7 @@
run_test "Authentication: server max_int+1 chain, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
+ "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=optional" \
1 \
-c "X509 - A fatal error occurred"