summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorBrent Cook <bcook@cvs.openbsd.org>2015-02-25 03:49:22 +0000
committerBrent Cook <bcook@cvs.openbsd.org>2015-02-25 03:49:22 +0000
commite3c0ca7d7d2a425a28e97e805a14d335a8051550 (patch)
treebc2b6b5706530b8108f178ae8f436de335555b34 /lib/libssl
parent51881aa781daaec012eaab85c789f0cdb632806e (diff)
Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman
certificates without requiring a CertificateVerify message. From OpenSSL commit: https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3 Thanks to Karthikeyan Bhargavan for reporting this. ok miod@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/s3_srvr.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 32b379d98f2..0bff0204d96 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
s->s3->tmp.reuse_message = 1;
- if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
+ if (peer != NULL) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
SSL_R_MISSING_VERIFY_MESSAGE);