From d8a73cb59ee68723f87063e50ae6037929f06a83 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 10 May 2020 16:59:51 +0000
Subject: Honour SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the TLSv1.3 server.

ok beck@
---
 src/lib/libssl/tls13_internal.h |  3 ++-
 src/lib/libssl/tls13_legacy.c   |  5 ++++-
 src/lib/libssl/tls13_server.c   | 16 ++++++++++------
 3 files changed, 16 insertions(+), 8 deletions(-)


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index d6839ea3aa..f27f46df52 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.73 2020/05/10 16:56:11 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.74 2020/05/10 16:59:51 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -43,6 +43,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_ERR_HRR_FAILED		17
 #define TLS13_ERR_TRAILING_DATA		18
 #define TLS13_ERR_NO_SHARED_CIPHER	19
+#define TLS13_ERR_NO_PEER_CERTIFICATE	20
 
 #define TLS13_ALERT_LEVEL_WARNING			1
 #define TLS13_ALERT_LEVEL_FATAL				2
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 18e66cbe33..8f8259344f 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_legacy.c,v 1.4 2020/05/10 16:56:11 jsing Exp $ */
+/*	$OpenBSD: tls13_legacy.c,v 1.5 2020/05/10 16:59:51 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -119,6 +119,9 @@ tls13_legacy_error(SSL *ssl)
 	case TLS13_ERR_NO_SHARED_CIPHER:
 		reason = SSL_R_NO_SHARED_CIPHER;
 		break;
+	case TLS13_ERR_NO_PEER_CERTIFICATE:
+		reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
+		break;
 	}
 
 	/* Something (probably libcrypto) already pushed an error on the stack. */
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 9dfb4a7227..f96d054500 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.41 2020/05/10 16:56:11 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -619,9 +619,14 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 		goto err;
 	if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
 		goto err;
-
-	if (CBS_len(&cert_list) == 0)
-		return 1;
+	if (CBS_len(&cert_list) == 0) {
+		if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
+			return 1;
+		ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
+		tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
+		    "peer did not provide a certificate", NULL);
+		goto err;
+	}
 
 	if ((certs = sk_X509_new_null()) == NULL)
 		goto err;
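Review bot: The new guard at the top of the hunk tests SSL_VERIFY_FAIL_IF_NO_PEER_CERT on its own, while SSL_CTX_set_verify(3) documents that flag as having no effect unless SSL_VERIFY_PEER is also set. Whether the two can differ here depends on code outside the hunk: if this function only runs after the server sent a CertificateRequest, SSL_VERIFY_PEER is implied and the check is sufficient; otherwise a server configured with SSL_VERIFY_FAIL_IF_NO_PEER_CERT but not SSL_VERIFY_PEER would now abort on an empty Certificate it never asked for. Making the documented precondition explicit removes that dependency, e.g. `if (!(s->verify_mode & SSL_VERIFY_PEER) || !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) return 1;`, or a one-line comment stating that SSL_VERIFY_PEER is implied by reaching this point. tls13_client_certificate_recv starts and ends outside the hunk.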
@@ -648,8 +653,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 	 * be preferable to keep the chain and verify once we have successfully
 	 * processed the CertificateVerify message.
 	 */
-	if (ssl_verify_cert_chain(s, certs) <= 0 &&
-	    s->verify_mode != SSL_VERIFY_NONE) {
+	if (ssl_verify_cert_chain(s, certs) <= 0) {
 		ctx->alert = ssl_verify_alarm_type(s->verify_result);
 		tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
 		    "failed to verify peer certificate", NULL);
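Review bot: The `s->verify_mode != SSL_VERIFY_NONE` clause dropped from the condition is not covered by the commit message, and it changes when a chain verification failure is fatal: previously a server with SSL_VERIFY_NONE ignored the result, now any `ssl_verify_cert_chain(s, certs) <= 0` aborts with the alert derived from verify_result. That is only equivalent to the old behaviour if a non-empty Certificate message cannot reach this function when the server did not request one, which is decided outside the hunk. The comment block above (its start is outside the hunk) could record that assumption, e.g. `* A client Certificate is only processed after a CertificateRequest was sent, so verify_mode is never SSL_VERIFY_NONE here.` The function continues past the hunk.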
-- 
cgit v1.2.3-55-g6feb