summaryrefslogtreecommitdiffstats
path: root/lib/libssl/tls13_server.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libssl/tls13_server.c')
-rw-r--r--lib/libssl/tls13_server.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index cd5f19afebf..4e40aa7ba3f 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.47 2020/05/16 14:40:53 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -438,6 +438,13 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
/* XXX - Need to revisit certificate selection. */
cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
+ if (cpk->x509 == NULL) {
+ /* A server must always provide a certificate. */
+ ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
+ tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0,
+ "no server certificate", NULL);
+ goto err;
+ }
if ((chain = cpk->chain) == NULL)
chain = s->ctx->extra_certs;
@@ -447,9 +454,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
goto err;
- if (cpk->x509 == NULL)
- goto done;
-
if (!tls13_cert_add(&cert_list, cpk->x509))
goto err;
@@ -459,7 +463,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
}
- done:
if (!CBB_flush(cbb))
goto err;
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.