CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2020/05/19 14:22:33
Modified files:
lib/libssl : Tag: OPENBSD_6_7 tls13_client.c
tls13_internal.h tls13_legacy.c
Log message:
OpenBSD 6.7 errata 004 6.7/004_libssl.patch.sig
original commits:
CVSROOT: /cvs
Module name: src
Changes by: js...@cvs.openbsd.org 2020/05/16 08:44:55
Modified files:
lib/libssl : tls13_client.c
Log message:
Ensure that a TLSv1.3 server has provided a certificate.
The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.
Issue reported by otto@
ok inoguchi@ tb@
CVSROOT: /cvs
Module name: src
Changes by: js...@cvs.openbsd.org 2020/05/17 08:26:15
Modified files:
lib/libssl : tls13_client.c
Log message:
Send a decode error alert if a server provides an empty certificate list.
According to RFC 8446 section 4.4.2.4, a client receiving an empty
certificate list must abort the handshake with a decode error alert.
ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
