diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index d911e9021b..4a44003381 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1264,6 +1264,13 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
+ /* Update state */
+ MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
+ if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
+ else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
+
 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len ) );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 07ad1b3fd4..fb1b4c7059 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
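Review bot: The handshake state is advanced before `mbedtls_ssl_finish_handshake_msg()` on the last context line has succeeded, so if that call fails the state already names MBEDTLS_SSL_CERTIFICATE_REQUEST or MBEDTLS_SSL_SERVER_CERTIFICATE for an EncryptedExtensions message that was never finished; on error the handshake aborts anyway, but the transition should sit after the finish call so it reflects an event that has happened. Reusing the function's `ret` to hold the coordinate result also reads oddly in a function where `ret` is otherwise an error code, and the bare `/* Update state */` says nothing about what drives the decision; I would write `/* Request a client certificate only when client auth is configured, otherwise go straight to Certificate */`. Independently, RFC 8446 §4.3.2 forbids sending CertificateRequest when the server authenticates with a PSK; if `ssl_tls13_certificate_request_coordinate()` (not in this hunk) does not check the negotiated key-exchange mode, that check has to happen before the `if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )` branch. ssl_tls13_write_encrypted_extensions() begins and ends outside the hunk.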
@@ -11312,6 +11312,23 @@ run_test "TLS 1.3: Server side check - openssl" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_openssl_tls1_3
+run_test "TLS 1.3: Server side check - openssl with cient authentication" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
+ 1 \
+ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
+ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "SSL - The requested feature is not available" \
+ -s "=> parse client hello" \
+ -s "<= parse client hello"
+
 requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
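Review bot: The test name has a typo, "cient authentication"; since ssl-opt.sh test names are what people filter on with `-f`, it should read `run_test "TLS 1.3: Server side check - openssl with client authentication" \` before it gets copied further. The test also pins a failure as the expected outcome, exit status 1 plus `-s "SSL - The requested feature is not available"`, which is fine as a state-trace check today but will silently become the wrong expectation once the server Certificate writer lands; a comment above the `run_test` such as `# Expected to fail with "feature not available" until the TLS 1.3 server Certificate message is implemented` makes that intent explicit for whoever flips it. The expected-state assertions only confirm the debug log reached MBEDTLS_SSL_CERTIFICATE_REQUEST, not that a CertificateRequest was sent on the wire, which is worth keeping in mind when the message itself is added.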
@@ -11329,6 +11346,24 @@ run_test "TLS 1.3: Server side check - gnutls" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Server side check - gnutls with cient authentication" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 1 \
+ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
+ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "SSL - The requested feature is not available" \
+ -s "=> parse client hello" \
+ -s "<= parse client hello"
+
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
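Review bot: The client is handed the server's own credentials, `--x509certfile data_files/server5.crt --x509keyfile data_files/server5.key`, the same files the server loads via `crt_file`/`key_file`, so with `auth_mode=required` this case can never tell a genuine client-certificate check from the server trivially accepting its own identity once verification is implemented; a dedicated client certificate from data_files would make the test meaningful beyond the state trace it asserts today. The test name repeats the "cient authentication" typo and should read `run_test "TLS 1.3: Server side check - gnutls with client authentication" \`. A one-line comment noting that the expected exit status 1 and `SSL - The requested feature is not available` are placeholders for the unimplemented server Certificate path would save the next reader from treating the failure as the desired end state.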