This change mainly affects legacy TLS versions, because TLS 1.3
connections are terminated by the server if the peer does not send a
CertificateVerify message along with its empty Certificate message.
return NEED_MORE;
}
certs = bio_reader_create(data);
+ if (!certs->remaining(certs))
+ {
+ DBG1(DBG_TLS, "no certificate sent by peer");
+ this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+ return NEED_MORE;
+ }
while (certs->remaining(certs))
{
if (!certs->read_data24(certs, &data))