diff options
| author | jsing <> | 2020-05-16 14:40:53 +0000 |
|---|---|---|
| committer | jsing <> | 2020-05-16 14:40:53 +0000 |
| commit | 0bb664280316b10f11538bb75f9d3c60ae9a5c98 (patch) | |
| tree | 310153696c645fb584054ce8e2690d12f8e2c85a /src | |
| parent | 0a1dcbe05d21795b7042ce242cc0c6b8a960f3a2 (diff) | |
| download | openbsd-0bb664280316b10f11538bb75f9d3c60ae9a5c98.tar.gz openbsd-0bb664280316b10f11538bb75f9d3c60ae9a5c98.tar.bz2 openbsd-0bb664280316b10f11538bb75f9d3c60ae9a5c98.zip | |
Avoid sending an empty certificate list from the TLSv1.3 server.
A TLSv1.3 server must always send a certificate - return an error and abort
the handshake if none is available.
ok inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index cd5f19afeb..4e40aa7ba3 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.47 2020/05/16 14:40:53 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -438,6 +438,13 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 438 | 438 | ||
| 439 | /* XXX - Need to revisit certificate selection. */ | 439 | /* XXX - Need to revisit certificate selection. */ |
| 440 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; | 440 | cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; |
| 441 | if (cpk->x509 == NULL) { | ||
| 442 | /* A server must always provide a certificate. */ | ||
| 443 | ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; | ||
| 444 | tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, | ||
| 445 | "no server certificate", NULL); | ||
| 446 | goto err; | ||
| 447 | } | ||
| 441 | 448 | ||
| 442 | if ((chain = cpk->chain) == NULL) | 449 | if ((chain = cpk->chain) == NULL) |
| 443 | chain = s->ctx->extra_certs; | 450 | chain = s->ctx->extra_certs; |
| @@ -447,9 +454,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 447 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) | 454 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) |
| 448 | goto err; | 455 | goto err; |
| 449 | 456 | ||
| 450 | if (cpk->x509 == NULL) | ||
| 451 | goto done; | ||
| 452 | |||
| 453 | if (!tls13_cert_add(&cert_list, cpk->x509)) | 457 | if (!tls13_cert_add(&cert_list, cpk->x509)) |
| 454 | goto err; | 458 | goto err; |
| 455 | 459 | ||
| @@ -459,7 +463,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 459 | goto err; | 463 | goto err; |
| 460 | } | 464 | } |
| 461 | 465 | ||
| 462 | done: | ||
| 463 | if (!CBB_flush(cbb)) | 466 | if (!CBB_flush(cbb)) |
| 464 | goto err; | 467 | goto err; |
| 465 | 468 | ||