yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Change base on review

Browse source 
Fix comments
Add test cases for client authentication with empty certificate

Change-Id: Id8a741ddd997ca92e36832f26088eb0e67830ad8
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-05-19 07:19:31 +00:00
parent 989f06d52d
commit aca9048b5f
3 changed files with 41 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
library/ssl_tls13_generic.c
View file

@ -594,8 +594,8 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
else
{
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
}
}
#endif /* MBEDTLS_SSL_SRV_C */
@ -741,9 +741,9 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
buf, buf_len );
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
cleanup:
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
return( ret );

6
library/ssl_tls13_server.c
View file

@ -1517,10 +1517,12 @@ static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Switch to handshake traffic keys for outbound traffic" ) );
if( ! ssl->handshake->certificate_request_sent )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Switch to handshake traffic keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
}
ret = mbedtls_ssl_tls13_process_finished_message( ssl );
if( ret != 0 )
return( ret );

34
tests/ssl-opt.sh
View file

@ -11339,6 +11339,40 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
-s "=> parse client hello" \
-s "<= parse client hello"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$P_CLI debug_level=4 crt_file=none key_file=none force_version=tls13" \
1 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-s "SSL - No client certification received from the client, but required by the authentication mode" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "=> parse client hello" \
-s "<= parse client hello"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \
"$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$P_CLI debug_level=4 force_version=tls13 crt_file=none key_file=none" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "=> parse client hello" \
-s "<= parse client hello"
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C