diff options
author | Brent Cook <bcook@cvs.openbsd.org> | 2015-02-25 03:49:22 +0000 |
---|---|---|
committer | Brent Cook <bcook@cvs.openbsd.org> | 2015-02-25 03:49:22 +0000 |
commit | e3c0ca7d7d2a425a28e97e805a14d335a8051550 (patch) | |
tree | bc2b6b5706530b8108f178ae8f436de335555b34 /lib/libssl | |
parent | 51881aa781daaec012eaab85c789f0cdb632806e (diff) |
Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman
certificates without requiring a CertificateVerify message.
From OpenSSL commit:
https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3
Thanks to Karthikeyan Bhargavan for reporting this.
ok miod@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/s3_srvr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 32b379d98f2..0bff0204d96 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message = 1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) { + if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); |