diff options
| author | Brent Cook <bcook@cvs.openbsd.org> | 2015-02-25 03:49:22 +0000 |
|---|---|---|
| committer | Brent Cook <bcook@cvs.openbsd.org> | 2015-02-25 03:49:22 +0000 |
| commit | 7b32368e7632095cb837d0792397d66128c1d357 (patch) | |
| tree | 9c1157dda467c778c050e3eaa7090f9b4fd719cd | |
| parent | fc6cf559ffa7603d09a84e0c26521e1c331e10d8 (diff) | |
Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman
certificates without requiring a CertificateVerify message.
From OpenSSL commit:
https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3
Thanks to Karthikeyan Bhargavan for reporting this.
ok miod@
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 32b379d98f2..0bff0204d96 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message = 1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) { + if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); |