summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/tls13_server.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 9dfb4a7227..f96d054500 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.41 2020/05/10 16:56:11 jsing Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -619,9 +619,14 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
619 goto err; 619 goto err;
620 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 620 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
621 goto err; 621 goto err;
622 622 if (CBS_len(&cert_list) == 0) {
623 if (CBS_len(&cert_list) == 0) 623 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
624 return 1; 624 return 1;
625 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
626 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
627 "peer did not provide a certificate", NULL);
628 goto err;
629 }
625 630
626 if ((certs = sk_X509_new_null()) == NULL) 631 if ((certs = sk_X509_new_null()) == NULL)
627 goto err; 632 goto err;
@@ -648,8 +653,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
648 * be preferable to keep the chain and verify once we have successfully 653 * be preferable to keep the chain and verify once we have successfully
649 * processed the CertificateVerify message. 654 * processed the CertificateVerify message.
650 */ 655 */
651 if (ssl_verify_cert_chain(s, certs) <= 0 && 656 if (ssl_verify_cert_chain(s, certs) <= 0) {
652 s->verify_mode != SSL_VERIFY_NONE) {
653 ctx->alert = ssl_verify_alarm_type(s->verify_result); 657 ctx->alert = ssl_verify_alarm_type(s->verify_result);
654 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 658 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
655 "failed to verify peer certificate", NULL); 659 "failed to verify peer certificate", NULL);