diff options
Diffstat (limited to 'src/lib/libssl/tls13_client.c')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 79318d9313..24286569b1 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.54 2020/04/28 20:37:22 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -587,6 +587,14 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 587 | cert = NULL; | 587 | cert = NULL; |
| 588 | } | 588 | } |
| 589 | 589 | ||
| 590 | /* A server must always provide a non-empty certificate list. */ | ||
| 591 | if (sk_X509_num(certs) < 1) { | ||
| 592 | ctx->alert = SSL_AD_DECODE_ERROR; | ||
| 593 | tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, | ||
| 594 | "peer failed to provide a certificate", NULL); | ||
| 595 | goto err; | ||
| 596 | } | ||
| 597 | |||
| 590 | /* | 598 | /* |
| 591 | * At this stage we still have no proof of possession. As such, it would | 599 | * At this stage we still have no proof of possession. As such, it would |
| 592 | * be preferable to keep the chain and verify once we have successfully | 600 | * be preferable to keep the chain and verify once we have successfully |