Honour SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the TLSv1.3 server.

ok beck@
author: jsing <> 2020-05-10 16:59:51 +0000
committer: jsing <> 2020-05-10 16:59:51 +0000
commit: d8a73cb59ee68723f87063e50ae6037929f06a83 (patch)
tree: 43c144aa4833e0005dd19b10c7233d1f65e07dfd /src
parent: bce4aa62bab1463452a4ce16efa8902c7f37b85b (diff)
download: openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.tar.gz
openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.tar.bz2
openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.zip
3 files changed, 16 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index d6839ea3aa..f27f46df52 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.73 2020/05/10 16:56:11 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.74 2020/05/10 16:59:51 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -43,6 +43,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_ERR_HRR_FAILED            17
 #define TLS13_ERR_TRAILING_DATA         18
 #define TLS13_ERR_NO_SHARED_CIPHER      19
+#define TLS13_ERR_NO_PEER_CERTIFICATE   20
 #define TLS13_ALERT_LEVEL_WARNING                       1
 #define TLS13_ALERT_LEVEL_FATAL                         2
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 18e66cbe33..8f8259344f 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.4 2020/05/10 16:56:11 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.5 2020/05/10 16:59:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -119,6 +119,9 @@ tls13_legacy_error(SSL *ssl)
        case TLS13_ERR_NO_SHARED_CIPHER:
                reason = SSL_R_NO_SHARED_CIPHER;
                break;
+        case TLS13_ERR_NO_PEER_CERTIFICATE:
+                reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
+                break;
        }
        /* Something (probably libcrypto) already pushed an error on the stack. */
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 9dfb4a7227..f96d054500 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.41 2020/05/10 16:56:11 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -619,9 +619,14 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
                goto err;
+        if (CBS_len(&cert_list) == 0) {
-        if (CBS_len(&cert_list) == 0)
+                if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
-                return 1;
+                        return 1;
+                ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
+                tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
+                    "peer did not provide a certificate", NULL);
+                goto err;
+        }
        if ((certs = sk_X509_new_null()) == NULL)
                goto err;
@@ -648,8 +653,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
         * be preferable to keep the chain and verify once we have successfully
         * processed the CertificateVerify message.
         */
-        if (ssl_verify_cert_chain(s, certs) <= 0 &&
+        if (ssl_verify_cert_chain(s, certs) <= 0) {
-            s->verify_mode != SSL_VERIFY_NONE) {
                ctx->alert = ssl_verify_alarm_type(s->verify_result);
                tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
                    "failed to verify peer certificate", NULL);
author	jsing <>	2020-05-10 16:59:51 +0000
committer	jsing <>	2020-05-10 16:59:51 +0000
commit	d8a73cb59ee68723f87063e50ae6037929f06a83 (patch)
tree	43c144aa4833e0005dd19b10c7233d1f65e07dfd /src
parent	bce4aa62bab1463452a4ce16efa8902c7f37b85b (diff)
download	openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.tar.gz openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.tar.bz2 openbsd-d8a73cb59ee68723f87063e50ae6037929f06a83.zip

diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index d6839ea3aa..f27f46df52 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.73 2020/05/10 16:56:11 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.74 2020/05/10 16:59:51 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -43,6 +43,7 @@ __BEGIN_HIDDEN_DECLS
43	#define TLS13_ERR_HRR_FAILED 17	43	#define TLS13_ERR_HRR_FAILED 17
44	#define TLS13_ERR_TRAILING_DATA 18	44	#define TLS13_ERR_TRAILING_DATA 18
45	#define TLS13_ERR_NO_SHARED_CIPHER 19	45	#define TLS13_ERR_NO_SHARED_CIPHER 19
		46	#define TLS13_ERR_NO_PEER_CERTIFICATE 20
46		47
47	#define TLS13_ALERT_LEVEL_WARNING 1	48	#define TLS13_ALERT_LEVEL_WARNING 1
48	#define TLS13_ALERT_LEVEL_FATAL 2	49	#define TLS13_ALERT_LEVEL_FATAL 2


diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c index 18e66cbe33..8f8259344f 100644 --- a/src/lib/libssl/tls13_legacy.c +++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_legacy.c,v 1.4 2020/05/10 16:56:11 jsing Exp $ */	1	/* $OpenBSD: tls13_legacy.c,v 1.5 2020/05/10 16:59:51 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -119,6 +119,9 @@ tls13_legacy_error(SSL *ssl)
119	case TLS13_ERR_NO_SHARED_CIPHER:	119	case TLS13_ERR_NO_SHARED_CIPHER:
120	reason = SSL_R_NO_SHARED_CIPHER;	120	reason = SSL_R_NO_SHARED_CIPHER;
121	break;	121	break;
		122	case TLS13_ERR_NO_PEER_CERTIFICATE:
		123	reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
		124	break;
122	}	125	}
123		126
124	/* Something (probably libcrypto) already pushed an error on the stack. */	127	/* Something (probably libcrypto) already pushed an error on the stack. */


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 9dfb4a7227..f96d054500 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.41 2020/05/10 16:56:11 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -619,9 +619,14 @@ tls13_client_certificate_recv(struct tls13_ctx ctx, CBS cbs)
619	goto err;	619	goto err;
620	if (!CBS_get_u24_length_prefixed(cbs, &cert_list))	620	if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
621	goto err;	621	goto err;
622		622	if (CBS_len(&cert_list) == 0) {
623	if (CBS_len(&cert_list) == 0)	623	if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
624	return 1;	624	return 1;
		625	ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
		626	tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
		627	"peer did not provide a certificate", NULL);
		628	goto err;
		629	}
625		630
626	if ((certs = sk_X509_new_null()) == NULL)	631	if ((certs = sk_X509_new_null()) == NULL)
627	goto err;	632	goto err;
@@ -648,8 +653,7 @@ tls13_client_certificate_recv(struct tls13_ctx ctx, CBS cbs)
648	* be preferable to keep the chain and verify once we have successfully	653	* be preferable to keep the chain and verify once we have successfully
649	* processed the CertificateVerify message.	654	* processed the CertificateVerify message.
650	*/	655	*/
651	if (ssl_verify_cert_chain(s, certs) <= 0 &&	656	if (ssl_verify_cert_chain(s, certs) <= 0) {
652	s->verify_mode != SSL_VERIFY_NONE) {
653	ctx->alert = ssl_verify_alarm_type(s->verify_result);	657	ctx->alert = ssl_verify_alarm_type(s->verify_result);
654	tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,	658	tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
655	"failed to verify peer certificate", NULL);	659	"failed to verify peer certificate", NULL);