From 6630841d9c05ae2888f729f453466c8e2f30014c Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 19 May 2020 20:22:33 +0000
Subject: OpenBSD 6.7 errata 004 6.7/004_libssl.patch.sig

original commits: CVSROOT: /cvs Module name: src Changes by: jsing@cvs.openbsd.org 2020/05/16 08:44:55 Modified files: lib/libssl : tls13_client.c Log message: Ensure that a TLSv1.3 server has provided a certificate. The RFC requires that a server always provide a certificate for authentication. Ensure that this is the case, rather than proceeding and attempting validation. In the case where validation was disabled and the server returned an empty certificate list, this would have previously resulted in a NULL pointer deference. Issue reported by otto@ ok inoguchi@ tb@ CVSROOT: /cvs Module name: src Changes by: jsing@cvs.openbsd.org 2020/05/17 08:26:15 Modified files: lib/libssl : tls13_client.c Log message: Send a decode error alert if a server provides an empty certificate list. According to RFC 8446 section 4.4.2.4, a client receiving an empty certificate list must abort the handshake with a decode error alert. ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
---
 src/lib/libssl/tls13_internal.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/tls13_internal.h')

diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index d53672dbfe..b543e08900 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.67 2020/04/28 20:37:22 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.67.4.1 2020/05/19 20:22:33 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck
  * Copyright (c) 2018 Theo Buehler
@@ -43,6 +43,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_ERR_HRR_FAILED 17
 #define TLS13_ERR_TRAILING_DATA 18
 #define TLS13_ERR_NO_SHARED_CIPHER 19
+#define TLS13_ERR_NO_PEER_CERTIFICATE 21
 
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs);
-- 
cgit v1.2.3-55-g6feb
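Review bot: The added constant is numbered 21 while the previous entry is `TLS13_ERR_NO_SHARED_CIPHER 19`, and nothing in the header explains why 20 is skipped; presumably that value is already allocated on the development branch and the errata keeps the numbering aligned with it, but a reader of this file alone cannot tell, and a later backport could reuse 20 for something else. A one-line comment next to the new define would remove the ambiguity, e.g. `/* 20 is reserved; numbering kept in sync with the development branch */`, with the wording confirmed against whichever branch owns 20. The diffstat shows this header as the only file in the patch, whereas the log message describes the check in tls13_client.c that returns this error and sends the decode_error alert, so that behaviour is not visible in this hunk and should be reviewed where it lives.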