Remove logic for non-signing client certificates.

Now that only RSA and ECDSA certificates are supported, the server should just
reject non-signing ones outright, rather than allowing them to skip
CertificateVerify.

Change-Id: I7fe5ed3adde14481016ee841ed241faba18c26f0
Reviewed-on: https://boringssl-review.googlesource.com/1609
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2014-08-24 02:48:34 -04:00 committed by Adam Langley
parent a08e49d17a
commit ef86550537


@ -2306,15 +2306,10 @@ int ssl3_get_cert_verify(SSL *s)
EVP_MD_CTX_init(&mctx); EVP_MD_CTX_init(&mctx);
/* Determine if a CertificateVerify message is expected at all. It is /* Only RSA and ECDSA client certificates are supported, so a
* important that this be determined before ssl_get_message is called, * CertificateVerify is required if and only if there's a
* so as not to process the ChangeCipherSpec message early. */ * client certificate. */
if (peer != NULL) if (peer == NULL)
{
pkey = X509_get_pubkey(peer);
type = X509_certificate_type(peer,pkey);
}
if (!(type & EVP_PKT_SIGN))
{ {
ret = 1; ret = 1;
goto done_with_buffer; goto done_with_buffer;
@ -2333,6 +2328,16 @@ int ssl3_get_cert_verify(SSL *s)
goto done; goto done;
} }
pkey = X509_get_pubkey(peer);
type = X509_certificate_type(peer,pkey);
if (!(type & EVP_PKT_SIGN))
{
/* If it's not a signing certificate, it's unsupported. */
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
goto f_err;
}
CBS_init(&certificate_verify, s->init_msg, n); CBS_init(&certificate_verify, s->init_msg, n);
/* We now have a signature that we need to verify. */ /* We now have a signature that we need to verify. */
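Review bot: The rewritten comment above the `if (peer == NULL)` check in the first hunk drops the ordering rationale the old comment carried, even though that check still appears to be what decides, before the handshake message is read, whether a CertificateVerify is expected. I would keep a sentence such as `This must be decided before ssl_get_message is called, so as not to process the ChangeCipherSpec message early.` so a later refactor does not move the check below the read. In the second hunk, a NULL result from `X509_get_pubkey(peer)` is not tested on its own; the rejection seems to rely on `X509_certificate_type` returning no `EVP_PKT_SIGN` bit in that case, so `if (pkey == NULL || !(type & EVP_PKT_SIGN))` would make the fail-closed intent explicit. The body of ssl3_get_cert_verify starts and ends outside both hunks, so the message read and the release of `pkey` on the `f_err` path cannot be confirmed from here.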