diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 49ed112672..17efa8c22b 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -594,8 +594,8 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) else { MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT, - MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); - return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); + MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); } } #endif /* MBEDTLS_SSL_SRV_C */ @@ -741,9 +741,9 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ) mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len ); -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ cleanup: +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); return( ret ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index e45db76c2e..f3843b1e85 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1517,10 +1517,12 @@ static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Switch to handshake traffic keys for outbound traffic" ) ); if( ! ssl->handshake->certificate_request_sent ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Switch to handshake traffic keys for inbound traffic" ) ); mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake ); + } ret = mbedtls_ssl_tls13_process_finished_message( ssl ); if( ret != 0 ) return( ret ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index eb9c1f48f9..33a9552259 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11339,6 +11339,40 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ -s "=> parse client hello" \ -s "<= parse client hello" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ + "$P_CLI debug_level=4 crt_file=none key_file=none force_version=tls13" \ + 1 \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "=> write certificate request" \ + -s "SSL - No client certification received from the client, but required by the authentication mode" \ + -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ + -s "=> parse client hello" \ + -s "<= parse client hello" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \ + "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ + "$P_CLI debug_level=4 force_version=tls13 crt_file=none key_file=none" \ + 0 \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "=> write certificate request" \ + -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ + -s "=> parse client hello" \ + -s "<= parse client hello" requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C