When certificate validation fails, we must send a DECRYPT_ERROR alert

according to RFC8446.

ok jsing@

1 files changed, 6 insertions, 3 deletions

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 477cca2e04f..20b3038b93e 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.31 2020/01/23 07:30:55 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.32 2020/01/23 11:06:59 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -656,17 +656,20 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 		if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
 			goto err;
 	}
-	if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len))
+	if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
+		ctx->alert = TLS1_AD_DECRYPT_ERROR;
 		goto err;
+	}
 	if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
 	    CBS_len(&signature)) <= 0) {
+		ctx->alert = TLS1_AD_DECRYPT_ERROR;
 		goto err;
 	}
 
 	ret = 1;
 
  err:
-	if (!ret)
+	if (!ret && ctx->alert == 0)
 		ctx->alert = TLS1_AD_DECODE_ERROR;
 	CBB_cleanup(&cbb);
 	EVP_MD_CTX_free(mdctx);