From: Pascal Knecht
Date: Wed, 4 Nov 2020 12:07:49 +0000 (+0100)
Subject: tls-server: Terminate connection if peer certificate is required but not sent
X-Git-Tag: 5.9.2rc1~23^2~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc49d457a289f5686975b1784bceda4f5f209cbf;p=thirdparty%2Fstrongswan.git
tls-server: Terminate connection if peer certificate is required but not sent
This change mainly affects legacy TLS versions because TLS 1.3 connections are terminated by the server once the peer does not send a CertificateVerify message next to its empty Certificate message.
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 07978b3f17..ce3714ed14 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -708,6 +708,12 @@ static status_t process_certificate(private_tls_server_t *this,
 return NEED_MORE;
 }
 certs = bio_reader_create(data);
+ if (!certs->remaining(certs))
+ {
+ DBG1(DBG_TLS, "no certificate sent by peer");
+ this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+ return NEED_MORE;
+ }
 while (certs->remaining(certs))
 {
 if (!certs->read_data24(certs, &data))
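Review bot: The new early return skips `certs->destroy(certs)` on the reader created on the line directly above it, so every rejected empty Certificate message leaks the bio_reader_t; unless the function's later error paths (outside this hunk) intentionally leave that object to someone else, add `certs->destroy(certs);` before the `return NEED_MORE;`. The alert code is also a questionable fit: an empty certificate list is a well-formed message the client is allowed to send (RFC 5246 §7.4.6), so rejecting it is a policy decision rather than a decoding failure, and `TLS_HANDSHAKE_FAILURE` is the alert that RFC names for a server that requires client authentication and receives none. The check also fires regardless of whether this server actually sent a CertificateRequest, which is only correct if process_certificate is never reached when client authentication is optional — worth confirming against the state machine, which this hunk does not show. process_certificate starts before this hunk and continues after it.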