Change base on review
Fix comments
Add test cases for client authentication with empty certificate
Change-Id: Id8a741ddd997ca92e36832f26088eb0e67830ad8
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 49ed112..17efa8c 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -594,8 +594,8 @@
else
{
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
- MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
- return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
+ MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+ return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
}
}
#endif /* MBEDTLS_SSL_SRV_C */
@@ -741,9 +741,9 @@
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
buf, buf_len );
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
cleanup:
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
return( ret );
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index e45db76..f3843b1 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1517,10 +1517,12 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Switch to handshake traffic keys for outbound traffic" ) );
if( ! ssl->handshake->certificate_request_sent )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "Switch to handshake traffic keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
+ }
ret = mbedtls_ssl_tls13_process_finished_message( ssl );
if( ret != 0 )
return( ret );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index eb9c1f4..33a9552 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11339,6 +11339,40 @@
-s "=> parse client hello" \
-s "<= parse client hello"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$P_CLI debug_level=4 crt_file=none key_file=none force_version=tls13" \
+ 1 \
+ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "=> write certificate request" \
+ -s "SSL - No client certification received from the client, but required by the authentication mode" \
+ -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
+ -s "=> parse client hello" \
+ -s "<= parse client hello"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \
+ "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$P_CLI debug_level=4 force_version=tls13 crt_file=none key_file=none" \
+ 0 \
+ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "=> write certificate request" \
+ -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
+ -s "=> parse client hello" \
+ -s "<= parse client hello"
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C