Remove logic for non-signing client certificates.
Now that only RSA and ECDSA certificates are supported, the server should just reject non-signing ones outright, rather than allowing them to skip CertificateVerify. Change-Id: I7fe5ed3adde14481016ee841ed241faba18c26f0 Reviewed-on: https://boringssl-review.googlesource.com/1609 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
a08e49d17a
commit
ef86550537
@ -2306,15 +2306,10 @@ int ssl3_get_cert_verify(SSL *s)
|
|||||||
|
|
||||||
EVP_MD_CTX_init(&mctx);
|
EVP_MD_CTX_init(&mctx);
|
||||||
|
|
||||||
/* Determine if a CertificateVerify message is expected at all. It is
|
/* Only RSA and ECDSA client certificates are supported, so a
|
||||||
* important that this be determined before ssl_get_message is called,
|
* CertificateVerify is required if and only if there's a
|
||||||
* so as not to process the ChangeCipherSpec message early. */
|
* client certificate. */
|
||||||
if (peer != NULL)
|
if (peer == NULL)
|
||||||
{
|
|
||||||
pkey = X509_get_pubkey(peer);
|
|
||||||
type = X509_certificate_type(peer,pkey);
|
|
||||||
}
|
|
||||||
if (!(type & EVP_PKT_SIGN))
|
|
||||||
{
|
{
|
||||||
ret = 1;
|
ret = 1;
|
||||||
goto done_with_buffer;
|
goto done_with_buffer;
|
||||||
@ -2333,6 +2328,16 @@ int ssl3_get_cert_verify(SSL *s)
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pkey = X509_get_pubkey(peer);
|
||||||
|
type = X509_certificate_type(peer,pkey);
|
||||||
|
if (!(type & EVP_PKT_SIGN))
|
||||||
|
{
|
||||||
|
/* If it's not a signing certificate, it's unsupported. */
|
||||||
|
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
|
||||||
|
OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
|
||||||
CBS_init(&certificate_verify, s->init_msg, n);
|
CBS_init(&certificate_verify, s->init_msg, n);
|
||||||
|
|
||||||
/* We now have a signature that we need to verify. */
|
/* We now have a signature that we need to verify. */
|
||||||
|
Loading…
Reference in New Issue
Block a user