From: Pascal Knecht
Date: Wed, 4 Nov 2020 12:07:49 +0000 (+0100)
Subject: tls-server: Terminate connection if peer certificate is required but not sent
X-Git-Tag: 5.9.2rc1~23^2~29
X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=dc49d457a289f5686975b1784bceda4f5f209cbf
tls-server: Terminate connection if peer certificate is required but not sent
This change mainly affects legacy TLS versions because TLS 1.3 connections are terminated by the server once the peer does not send a CertificateVerify message next to its empty Certificate message.
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 07978b3..ce3714e 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -708,6 +708,12 @@ static status_t process_certificate(private_tls_server_t *this,
 return NEED_MORE;
 }
 certs = bio_reader_create(data);
+ if (!certs->remaining(certs))
+ {
+ DBG1(DBG_TLS, "no certificate sent by peer");
+ this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+ return NEED_MORE;
+ }
 while (certs->remaining(certs))
 {
 if (!certs->read_data24(certs, &data))
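Review bot: The early return added right after `certs = bio_reader_create(data);` leaves that bio_reader_t unreleased: nothing on the new path calls `certs->destroy(certs)` before `return NEED_MORE;`, so unless the reader is freed somewhere outside the hunk, every peer that sends an empty Certificate message costs the server one leaked allocation (the existing `read_data24` error path in the following `while` loop is cut off at the hunk edge, so I cannot tell whether it already has the same problem). Add `certs->destroy(certs);` directly before the `return NEED_MORE;` in the new block. Separately, decode_error is the wrong alert for a well-formed but empty certificate list: RFC 5246 §7.4.6 has the server answer a missing client certificate with a fatal handshake_failure (TLS 1.3 uses certificate_required), so `this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);` would tell the client what actually went wrong rather than suggesting a malformed message. The check also rejects an empty list unconditionally, which is only correct if process_certificate is reached solely when the server sent a CertificateRequest — the hunk does not show that, so if client authentication can be optional here the check needs to be gated on it. process_certificate both starts and ends outside the hunk.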