Don't call the client_cert_cb immediately in TLSv1.3
author Matt Caswell <matt@openssl.org>
Thu, 11 Oct 2018 16:01:06 +0000 (17:01 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 30 Oct 2018 12:18:55 +0000 (12:18 +0000)
commit a2388b50afc5136a1b65d0bf794f0398c31a1acb
tree 12f6d910dbc886982043013a77157822c2241df8
parent 5cf0f0e70887fbe9d94a95e25e379a64e1676010

In TLSv1.2 and below a CertificateRequest is sent after the Certificate
from the server. This means that by the time the client_cert_cb is called
on receipt of the CertificateRequest a call to SSL_get_peer_certificate()
will return the server certificate as expected. In TLSv1.3 a
CertificateRequest is sent before a Certificate message so calling
SSL_get_peer_certificate() returns NULL.

To work around this we delay calling the client_cert_cb until after we
have processed the CertificateVerify message, when we are doing TLSv1.3.

Fixes #7384

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7413)

(cherry picked from commit e45620140fce22c3251440063bc17440289d730c)
ssl/statem/statem_clnt.c
ssl/statem/statem_lib.c
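
The message ordering described in the commit message, as an added example: a simplified, dependency-free model written for this page, not OpenSSL's code. The `struct client`, `run_handshake` and the stand-in `client_cert_cb` are hypothetical names, and the flights list only the messages the commit message mentions.

```c
#include <stddef.h>
#include <stdio.h>

/* Server messages as the client receives them (only those the commit names). */
enum msg { CERTIFICATE, CERT_REQUEST, CERT_VERIFY, END };

/* TLSv1.2: Certificate, then CertificateRequest. TLSv1.3: the reverse. */
static const enum msg tls12_flight[] = { CERTIFICATE, CERT_REQUEST, END };
static const enum msg tls13_flight[] = { CERT_REQUEST, CERTIFICATE, CERT_VERIFY, END };

struct client {
    const char *peer_cert;  /* what a peer-certificate lookup would return */
    int cb_pending;         /* CertificateRequest seen, callback deferred */
    const char *seen_by_cb; /* peer certificate visible when the callback ran */
    int cb_calls;
};

/* Hypothetical stand-in for an application callback that inspects the server. */
static void client_cert_cb(struct client *c) {
    c->seen_by_cb = c->peer_cert;
    c->cb_calls++;
}

/* defer_tls13 == 0: call back on receipt of CertificateRequest (old behaviour).
 * defer_tls13 == 1: in TLSv1.3, wait until CertificateVerify is processed. */
static struct client run_handshake(int is_tls13, int defer_tls13) {
    struct client c = { NULL, 0, NULL, 0 };
    const enum msg *m = is_tls13 ? tls13_flight : tls12_flight;
    for (; *m != END; m++) {
        if (*m == CERTIFICATE) {
            c.peer_cert = "server certificate (constructed)";
        } else if (*m == CERT_REQUEST) {
            if (is_tls13 && defer_tls13) c.cb_pending = 1;
            else client_cert_cb(&c);
        } else if (*m == CERT_VERIFY && c.cb_pending) {
            c.cb_pending = 0;
            client_cert_cb(&c);
        }
    }
    return c;
}

int main(void) {
    printf("TLSv1.2 immediate: %s\n", run_handshake(0, 0).seen_by_cb ? "cert" : "NULL");
    printf("TLSv1.3 immediate: %s\n", run_handshake(1, 0).seen_by_cb ? "cert" : "NULL");
    printf("TLSv1.3 deferred:  %s\n", run_handshake(1, 1).seen_by_cb ? "cert" : "NULL");
    return 0;
}
```

A callback that selects the client certificate based on the server's identity should still handle a NULL peer certificate explicitly when it may run against a library build without this change.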