(fix) Client MUST send certificate msg if requested by server

13.go

@@ -220,7 +220,7 @@ CurvePreferenceLoop:
 	// TODO: we should have 2 separated methods - one for full-handshake and the other for PSK-handshake
 	if !c.didResume {
 		// Server MUST NOT send CertificateRequest if authenticating with PSK
-		if (c.config.ClientAuth >= RequestClientCert) {
+		if c.config.ClientAuth >= RequestClientCert {
 
 			certReq := new(certificateRequestMsg13)
 			// extension 'signature_algorithms' MUST be specified
@@ -303,6 +303,12 @@ func (hs *serverHandshakeState) readClientFinished13(hasConfirmLock bool) error
 	// client authentication
 	if certMsg, ok := msg.(*certificateMsg13); ok {
 
+		// (4.4.2) Client MUST send certificate msg if requested by server
+		if c.config.ClientAuth < RequestClientCert {
+			c.sendAlert(alertUnexpectedMessage)
+			return unexpectedMessageError(certMsg, msg)
+		}
+
 		hs.keySchedule.write(certMsg.marshal())
 		pubKey, err := hs.processCertsFromClient13(certMsg)
 		if err != nil {
@@ -1075,6 +1081,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 	hs.keySchedule.setSecret(nil) // derive master secret
 	appServerCipher, _ := hs.keySchedule.prepareCipher(secretApplicationServer)
 	appClientCipher, _ := hs.keySchedule.prepareCipher(secretApplicationClient)
+	// TODO store initial traffic secret key for KeyUpdate GH #85
 
 	// Change outbound handshake cipher for final step
 	c.out.setCipher(c.vers, clientCipher)
@@ -1096,8 +1103,6 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 		return err
 	}
 
-	// TODO store initial traffic secret key for KeyUpdate
-
 	// Handshake done, set application traffic secret
 	c.out.setCipher(c.vers, appClientCipher)
 	if c.hand.Len() > 0 {

_dev/tris-testclient/client.go

@@ -225,4 +225,5 @@ x/M73jMCgYBBge3/ugnZPE78TDL3DdefrjeYFaKhVc622eimS/MEPbkbdxh8azTM
 LAoibwDU1NC8/3MfOBYMe6Qklu3kjexOJrfdo0Z7Khgd9F8A4tKwslUndSSlAfKF
 2rjfqabVMZMLZ2XEbA4W5JTfaZS4YYGcrjY7+i7OsnSxoYG2sb+xlQ==
 -----END RSA PRIVATE KEY-----`
-)
+)
+