Ensure that a TLSv1.3 server has provided a certificate.

The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.

Issue reported by otto@

ok inoguchi@ tb@

1 files changed, 9 insertions, 1 deletions

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index dbd5b0add7e..d3a68528bc6 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.59 2020/05/13 17:51:48 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.60 2020/05/16 14:44:55 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -595,6 +595,14 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 		cert = NULL;
 	}
 
+	/* A server must always provide a non-empty certificate list. */
+	if (sk_X509_num(certs) < 1) {
+		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+		tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
+		    "peer failed to provide a certificate", NULL);
+		goto err;
+	}
+
 	/*
 	 * At this stage we still have no proof of possession. As such, it would
 	 * be preferable to keep the chain and verify once we have successfully