commit aefc5938b0b73bd3174e6b32c6ebcb4371b29103
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Aug 12 10:36:40 2024 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Sep 02 12:46:03 2024 +0200
tree ca8c88134764aa197eff8fb1ef6ccf46097eac8e
parent 5f9428ac8a478b78942adae47080aa1bb38f045c

Add comments about 1.3 server sending no cert

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/ssl_tls13_generic.c

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 5fdc527..8f8f8c2 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -472,6 +472,7 @@
         mbedtls_free(ssl->session_negotiate->peer_cert);
     }
 
+    /* This is used by ssl_tls13_validate_certificate() */
     if (certificate_list_len == 0) {
         ssl->session_negotiate->peer_cert = NULL;
         ret = 0;
@@ -675,6 +676,11 @@
 #endif /* MBEDTLS_SSL_SRV_C */
 
 #if defined(MBEDTLS_SSL_CLI_C)
+        /* Regardless of authmode, the server is not allowed to send an empty
+         * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
+         * server's certificate_list MUST always be non-empty.") With authmode
+         * optional/none, we continue the handshake if we can't validate the
+         * server's cert, but we still break it if no certificate was sent. */
         if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
             MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
                                          MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);