kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove redundant SSL_VERIFY_PEER check.

Browse Source 
None of the SSL_VERIFY_FAIL_IF_NO_PEER_CERT codepaths will ever be
reached if SSL_VERIFY_PEER is unset. If we've gotten as far as getting a
Certificate message, consider SSL_VERIFY_FAIL_IF_NO_PEER_CERT alone
significant grounds for rejecting no peer certificate.

Change-Id: I2c6be4269d65b2467b86b1fc7d76ac47ca735553
Reviewed-on: https://boringssl-review.googlesource.com/9070
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-08-01 19:57:43 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 0b3625bcfd
commit da2630c190
2 changed files with 3 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssl/handshake_server.c
View File

@ -1276,8 +1276,7 @@ static int ssl3_get_client_certificate(SSL *ssl) {
if (ssl->version == SSL3_VERSION &&
ssl->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
/* In SSL 3.0, the Certificate message is omitted to signal no certificate. */
if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return -1;
@ -1320,8 +1319,7 @@ static int ssl3_get_client_certificate(SSL *ssl) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;
} else if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
} else if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
/* Fail for TLS only if we required a certificate */
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

3
ssl/tls13_both.c
View File

@ -218,8 +218,7 @@ int tls13_process_certificate(SSL *ssl) {
}
/* Servers may be configured to accept anonymous clients. */
if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;