diff options
| author |   bcook <bcook@openbsd.org> | 2015-02-25 03:49:21 +0000 |
|---|---|---|
| committer | bcook <bcook@openbsd.org> | 2015-02-25 03:49:21 +0000 |
| commit | 6de2d86e54f08bf8b25833dcc02536f2edcb2895 (patch) | |
| tree | 8afc940da2c5c1bb2594d8310392f28e72c6dcd3 /lib/libssl/src | |
| parent | we don't let strtonum errors bleed through now. (diff) | |
| download | wireguard-openbsd-6de2d86e54f08bf8b25833dcc02536f2edcb2895.tar.xz wireguard-openbsd-6de2d86e54f08bf8b25833dcc02536f2edcb2895.zip | |
Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman
certificates without requiring a CertificateVerify message.
From OpenSSL commit:
https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3
Thanks to Karthikeyan Bhargavan for reporting this.
ok miod@
Diffstat (limited to 'lib/libssl/src')
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 32b379d98f2..0bff0204d96 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message = 1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) { + if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); |