feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

TLS 1.3: fail immediately if server sends empty certificate message

Browse Source
This commit is contained in:
Sean Parkinson
2022-02-21 08:51:15 +10:00
parent ffb4ae07df
commit 9263e6ead3
1 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/internal.c
View File

@ -12116,11 +12116,21 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->count = args->totalCerts; args->count = args->totalCerts;
args->certIdx = 0; /* select peer cert (first one) */ args->certIdx = 0; /* select peer cert (first one) */
if (args->count == 0 && (ssl->options.mutualAuth || if (args->count == 0) {
(ssl->options.failNoCert && IsAtLeastTLSv1_3(ssl->version))) && /* Empty certificate message. */
ssl->options.side == WOLFSSL_SERVER_END) { if ((ssl->options.side == WOLFSSL_SERVER_END) &&
ret = NO_PEER_CERT; (ssl->options.mutualAuth || (ssl->options.failNoCert &&
DoCertFatalAlert(ssl, ret); IsAtLeastTLSv1_3(ssl->version)))) {
WOLFSSL_MSG("No peer cert from Client");
ret = NO_PEER_CERT;
DoCertFatalAlert(ssl, ret);
}
else if ((ssl->options.side == WOLFSSL_CLIENT_END) &&
IsAtLeastTLSv1_3(ssl->version)) {
WOLFSSL_MSG("No peer cert from Server");
ret = NO_PEER_CERT;
SendAlert(ssl, alert_fatal, decode_error);
}
} }
args->dCertInit = 0; args->dCertInit = 0;