Send alerts on certificate verification failures of server certs

ok tb@
author: beck <> 2020-01-22 11:26:47 +0000
committer: beck <> 2020-01-22 11:26:47 +0000
commit: 46864e8e115245d4a8ed9cd263276063c800ab95 (patch)
tree: 32c6816503ef48148938248f7ca6bc298602f243 /src
parent: 6a2447dfdce031bb52ea2e7f122e31185e7a1c60 (diff)
download: openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.tar.gz
openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.tar.bz2
openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index b42167a58a..3648d09b22 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.26 2020/01/22 05:06:23 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.27 2020/01/22 11:26:47 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -535,7 +535,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
         */
        if (ssl_verify_cert_chain(s, certs) <= 0 &&
            s->verify_mode != SSL_VERIFY_NONE) {
-                /* XXX send alert */
+                ctx->alert = ssl_verify_alarm_type(s->verify_result);
                tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
                    "failed to verify peer certificate", NULL);
                goto err;
author	beck <>	2020-01-22 11:26:47 +0000
committer	beck <>	2020-01-22 11:26:47 +0000
commit	46864e8e115245d4a8ed9cd263276063c800ab95 (patch)
tree	32c6816503ef48148938248f7ca6bc298602f243 /src
parent	6a2447dfdce031bb52ea2e7f122e31185e7a1c60 (diff)
download	openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.tar.gz openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.tar.bz2 openbsd-46864e8e115245d4a8ed9cd263276063c800ab95.zip

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index b42167a58a..3648d09b22 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.26 2020/01/22 05:06:23 tb Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.27 2020/01/22 11:26:47 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -535,7 +535,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
535	*/	535	*/
536	if (ssl_verify_cert_chain(s, certs) <= 0 &&	536	if (ssl_verify_cert_chain(s, certs) <= 0 &&
537	s->verify_mode != SSL_VERIFY_NONE) {	537	s->verify_mode != SSL_VERIFY_NONE) {
538	/* XXX send alert */	538	ctx->alert = ssl_verify_alarm_type(s->verify_result);
539	tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,	539	tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
540	"failed to verify peer certificate", NULL);	540	"failed to verify peer certificate", NULL);
541	goto err;	541	goto err;