Diffstat (limited to '')
-rw-r--r-- | src/lib/libssl/tls13_server.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 9dfb4a7227..f96d054500 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tls13_server.c,v 1.41 2020/05/10 16:56:11 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
@@ -619,9 +619,14 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
619 | goto err; | 619 | goto err; |
620 | if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) | 620 | if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) |
621 | goto err; | 621 | goto err; |
622 | 622 | if (CBS_len(&cert_list) == 0) { | |
623 | if (CBS_len(&cert_list) == 0) | 623 | if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) |
624 | return 1; | 624 | return 1; |
625 | ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; | ||
626 | tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, | ||
627 | "peer did not provide a certificate", NULL); | ||
628 | goto err; | ||
629 | } | ||
625 | 630 | ||
626 | if ((certs = sk_X509_new_null()) == NULL) | 631 | if ((certs = sk_X509_new_null()) == NULL) |
627 | goto err; | 632 | goto err; |
@@ -648,8 +653,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
648 | * be preferable to keep the chain and verify once we have successfully | 653 | * be preferable to keep the chain and verify once we have successfully |
649 | * processed the CertificateVerify message. | 654 | * processed the CertificateVerify message. |
650 | */ | 655 | */ |
651 | if (ssl_verify_cert_chain(s, certs) <= 0 && | 656 | if (ssl_verify_cert_chain(s, certs) <= 0) { |
652 | s->verify_mode != SSL_VERIFY_NONE) { | ||
653 | ctx->alert = ssl_verify_alarm_type(s->verify_result); | 657 | ctx->alert = ssl_verify_alarm_type(s->verify_result); |
654 | tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, | 658 | tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, |
655 | "failed to verify peer certificate", NULL); | 659 | "failed to verify peer certificate", NULL); |