Don't call the client_cert_cb immediately in TLSv1.3
authorMatt Caswell <matt@openssl.org>
Thu, 11 Oct 2018 16:01:06 +0000 (17:01 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 30 Oct 2018 12:08:42 +0000 (12:08 +0000)
commite45620140fce22c3251440063bc17440289d730c
tree3d2a409735c08e86cd550797e0350e76f145bb82
parent828b52951cf182d5f9cf159804419230b27840c9
Don't call the client_cert_cb immediately in TLSv1.3

In TLSv1.2 and below a CertificateRequest is sent after the Certificate
from the server. This means that by the time the client_cert_cb is called
on receipt of the CertificateRequest a call to SSL_get_peer_certificate()
will return the server certificate as expected. In TLSv1.3 a
CertificateRequest is sent before a Certificate message so calling
SSL_get_peer_certificate() returns NULL.

To workaround this we delay calling the client_cert_cb until after we
have processed the CertificateVerify message, when we are doing TLSv1.3.

Fixes #7384

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7413)
ssl/statem/statem_clnt.c
ssl/statem/statem_lib.c