diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 191dc548d3..ef9cd1796e 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -733,30 +733,6 @@ cleanup:
 return( ret );
 }
 
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
-#define SSL_CERTIFICATE_REQUEST_SKIP 1
-/* Coordination:
- * Check whether a CertificateRequest message should be written.
- * Returns a negative code on failure, or
- * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
- * - SSL_CERTIFICATE_REQUEST_SKIP
- * indicating if the writing of the CertificateRequest
- * should be skipped or not.
- */
-static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
-{
- int authmode;
-
- authmode = ssl->conf->authmode;
-
- if( authmode == MBEDTLS_SSL_VERIFY_NONE )
- return( SSL_CERTIFICATE_REQUEST_SKIP );
-
- return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
 /*
 * Handler for MBEDTLS_SSL_SERVER_HELLO
 */
@@ -1170,14 +1146,7 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
 else
 {
- MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
- if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
- else
- {
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
- ret = 0;
- }
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
 }
 #else
 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
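Review bot: The unconditional transition to MBEDTLS_SSL_CERTIFICATE_REQUEST in the else branch of the second hunk no longer tells a reader that the request may still be skipped, because the authmode decision has moved out of this function; a one-line comment would keep the state machine readable here, e.g. `/* Whether a CertificateRequest is actually written is decided in the MBEDTLS_SSL_CERTIFICATE_REQUEST handler (authmode check); the state is always entered. */`. The removal also drops the `ret = 0;` reset that the old skip path performed, so `ret` now carries whatever the preceding check left in it — that looks intentional but is worth confirming against the cleanup label. ssl_tls13_write_encrypted_extensions starts and ends outside the hunk, as does the `if` that this `else` belongs to.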
@@ -1190,6 +1159,28 @@ cleanup:
 }
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
+#define SSL_CERTIFICATE_REQUEST_SKIP 1
+/* Coordination:
+ * Check whether a CertificateRequest message should be written.
+ * Returns a negative code on failure, or
+ * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
+ * - SSL_CERTIFICATE_REQUEST_SKIP
+ * indicating if the writing of the CertificateRequest
+ * should be skipped or not.
+ */
+static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
+{
+ int authmode;
+
+ authmode = ssl->conf->authmode;
+
+ if( authmode == MBEDTLS_SSL_VERIFY_NONE )
+ return( SSL_CERTIFICATE_REQUEST_SKIP );
+
+ return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
+}
+
 /*
 * struct {
 * opaque certificate_request_context<0..2^8-1>;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 762a963e8d..591b6d39ff 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11316,7 +11316,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_openssl_tls1_3
-run_test "TLS 1.3: Server side check - openssl with cient authentication" \
+run_test "TLS 1.3: Server side check - openssl with client authentication" \
 "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
 "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
 1 \
@@ -11325,6 +11325,7 @@ run_test "TLS 1.3: Server side check - openssl with cient authentication" \
 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "=> write certificate request" \
 -s "SSL - The requested feature is not available" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
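Review bot: The header comment on the re-added ssl_tls13_certificate_request_coordinate promises "a negative code on failure", but the body has no failure path — it only reads ssl->conf->authmode and returns one of the two SSL_CERTIFICATE_REQUEST_* values — so the contract should say so, e.g. `* Cannot fail: returns SSL_CERTIFICATE_REQUEST_SKIP when client authentication is disabled (MBEDTLS_SSL_VERIFY_NONE) and SSL_CERTIFICATE_REQUEST_SEND_REQUEST otherwise.`. Keeping the "negative code" wording is only justified if the new caller reads the result through MBEDTLS_SSL_PROC_CHK_NEG as the removed call site did; that caller is outside this hunk, so I cannot confirm it. It is also worth stating in the comment that MBEDTLS_SSL_VERIFY_OPTIONAL, like REQUIRED, results in a CertificateRequest being sent, since only VERIFY_NONE is tested. Minor style: `authmode` could be `const int authmode = ssl->conf->authmode;` with the separate declaration and assignment folded together.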
@@ -11351,7 +11352,7 @@ requires_gnutls_next_no_ticket
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
-run_test "TLS 1.3: Server side check - gnutls with cient authentication" \
+run_test "TLS 1.3: Server side check - gnutls with client authentication" \
 "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
 "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
 1 \
@@ -11360,6 +11361,7 @@ run_test "TLS 1.3: Server side check - gnutls with cient authentication" \
 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "=> write certificate request" \
 -s "SSL - The requested feature is not available" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
@@ -11376,6 +11378,7 @@ run_test "TLS 1.3: Server side check - mbedtls" \
 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
+ -s "=> write certificate request" \
 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
 -s "SSL - The requested feature is not available" \
 -s "=> parse client hello" \
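Review bot: The added `-s "=> write certificate request"` expectations in the @@ -11360 and @@ -11376 hunks (and the @@ -11325 one earlier) only pin the positive path: every `$P_SRV` line visible in these hunks runs with `auth_mode=required`, so the SSL_CERTIFICATE_REQUEST_SKIP branch that the coordinate function now implements for MBEDTLS_SSL_VERIFY_NONE is not exercised by this change. A companion test with `auth_mode=none` asserting `-S "=> write certificate request"` alongside `-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST"` would confirm that the state is entered but the message is skipped, which is the behaviour the server-side change relies on. The `$P_SRV` line of the "Server side check - mbedtls" test in the @@ -11376 hunk is outside the hunk, so I cannot confirm which auth_mode it uses.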
@@ -11385,7 +11388,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-run_test "TLS 1.3: Server side check - mbedtls with cient authentication" \
+run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
 "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
 "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \
 1 \