Google Git
Sign in
boringssl/boringssl.git/ef865505372ca3f1e437494352ba6c5280a1aba0^!/./ssl/s3_srvr.c
commit
ef865505372ca3f1e437494352ba6c5280a1aba0
[log]
author
David Benjamin <davidben@chromium.org>
Sun Aug 24 02:48:34 2014 -0400
committer
Adam Langley <agl@google.com>
Tue Aug 26 17:41:08 2014 +0000
tree
74a74d58621b29c4ae790cc82feead6f910caf18
parent
a08e49d17ad6fcf738d73647511a63bc752fe307 [diff] [blame]
Remove logic for non-signing client certificates.

Now that only RSA and ECDSA certificates are supported, the server should just
reject non-signing ones outright, rather than allowing them to skip
CertificateVerify.

Change-Id: I7fe5ed3adde14481016ee841ed241faba18c26f0
Reviewed-on: https://boringssl-review.googlesource.com/1609
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b5c50b4..6f91909 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c

@@ -2306,15 +2306,10 @@
 
 	EVP_MD_CTX_init(&mctx);
 
-	/* Determine if a CertificateVerify message is expected at all. It is
-	 * important that this be determined before ssl_get_message is called,
-	 * so as not to process the ChangeCipherSpec message early. */
-	if (peer != NULL)
-		{
-		pkey = X509_get_pubkey(peer);
-		type = X509_certificate_type(peer,pkey);
-		}
-	if (!(type & EVP_PKT_SIGN))
+	/* Only RSA and ECDSA client certificates are supported, so a
+	 * CertificateVerify is required if and only if there's a
+	 * client certificate. */
+	if (peer == NULL)
 		{
 		ret = 1;
 		goto done_with_buffer;
@@ -2333,6 +2328,16 @@
 		goto done;
 		}
 
+	pkey = X509_get_pubkey(peer);
+	type = X509_certificate_type(peer,pkey);
+	if (!(type & EVP_PKT_SIGN))
+		{
+		/* If it's not a signing certificate, it's unsupported. */
+		al = SSL_AD_UNSUPPORTED_CERTIFICATE;
+		OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+		goto f_err;
+		}
+
 	CBS_init(&certificate_verify, s->init_msg, n);
 
 	/* We now have a signature that we need to verify. */