tls-server: Terminate connection if peer certificate is required but not sent
authorPascal Knecht <pascal.knecht@hsr.ch>
Wed, 4 Nov 2020 12:07:49 +0000 (13:07 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
This change mainly affects legacy TLS versions because TLS 1.3
connections are terminated by the server if the peer does not send a
CertificateVerify message after its empty Certificate message.

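--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -708,6 +708,12 @@ static status_t process_certificate(private_tls_server_t *this,
                 return NEED_MORE;
         }
         certs = bio_reader_create(data);
+       if (!certs->remaining(certs))
+       {
+               DBG1(DBG_TLS, "no certificate sent by peer");
+               this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+               return NEED_MORE;
+       }
         while (certs->remaining(certs))
         {
                 if (!certs->read_data24(certs, &data))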
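Review bot: The new early return in the empty-list branch leaves the `certs` reader created on the line just above it undestroyed, so every peer that answers with an empty Certificate message costs the server one leaked bio_reader_t; add `certs->destroy(certs);` before the `return NEED_MORE;` (this assumes the reader is otherwise released after the loop, which is outside the hunk). The fatal alert ends the handshake, so the leak is bounded per connection but recurs across connections, which matters for an unauthenticated code path. It is also worth reconsidering the alert description: an empty certificate list is a well-formed message rather than a decoding problem, and RFC 5246 section 7.4.6 describes a fatal handshake_failure when a required client certificate is absent, so `TLS_HANDSHAKE_FAILURE` may describe the condition more accurately than TLS_DECODE_ERROR. process_certificate starts and continues outside the hunk.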