Allow no authentication of the server in 1.3
See notes about optional two commits ago for why we're doing this.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 4b027de..2104567 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -684,6 +684,18 @@
#endif /* MBEDTLS_SSL_CLI_C */
}
+ /*
+ * NONE means we skip all checks
+ *
+ * Note: we still check above that the server did send a certificate,
+ * because only a non-compliant server would fail to do so. NONE means we
+ * don't care about the server certificate being valid, but we still care
+ * about the server otherwise following the TLS standard.
+ */
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ return 0;
+ }
+
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_ca_chain != NULL) {
ca_chain = ssl->handshake->sni_ca_chain;
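Review bot: The new early return under `if (authmode == MBEDTLS_SSL_VERIFY_NONE)` exits with success without recording, anywhere in this hunk, that the peer certificate was never validated. An application that later calls `mbedtls_ssl_get_verify_result()` may then be unable to tell an unauthenticated server from a verified one. Consider adding `ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;` just before `return 0;`, and extending the comment to say that the session is unauthenticated and the result flag is how callers detect that. The enclosing function starts and ends outside the hunk, so first confirm that the code above does not already set the verify result on this path.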