Fix ssl3_get_cert_verify key type checks. EVP_PKT_SIGN is redundant with the RSA/EC check which, in turn, is redundant with sigalgs processing. The type need only be checked in the pre-1.2 case which was indeed missing an else. The client half was likewise missing an else, though it's unreachable due to leaf cert checks. Change-Id: Ib3550f71a2120b38eacdd671d4f1700876bcc485 Reviewed-on: https://boringssl-review.googlesource.com/8779 Reviewed-by: David Benjamin <davidben@google.com>

commit: 49ec9bb3533ae8ba2d3e98d03e691c3f82360b56 [log] [tgz]
author: David Benjamin <davidben@google.com> Thu Jul 14 00:11:26 2016 -0400
committer: David Benjamin <davidben@google.com> Thu Jul 14 16:14:11 2016 +0000
tree: ed2ce8b8c624c890908635c7792f1ffcfe61a2f2
parent: 5c900c8c4555a9de24c07a5d544b5f6aebb39252 [diff] [blame]
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 267e164..34681d3 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c

@@ -1269,6 +1269,10 @@
       signature_algorithm = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
     } else if (pkey->type == EVP_PKEY_EC) {
       signature_algorithm = SSL_SIGN_ECDSA_SHA1;
+    } else {
+      al = SSL_AD_UNSUPPORTED_CERTIFICATE;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+      goto f_err;
     }
 
     /* The last field in |server_key_exchange| is the signature. */
commit	49ec9bb3533ae8ba2d3e98d03e691c3f82360b56	[log] [tgz]
author	David Benjamin <davidben@google.com>	Thu Jul 14 00:11:26 2016 -0400
committer	David Benjamin <davidben@google.com>	Thu Jul 14 16:14:11 2016 +0000
tree	ed2ce8b8c624c890908635c7792f1ffcfe61a2f2
parent	5c900c8c4555a9de24c07a5d544b5f6aebb39252 [diff] [blame]