Unauthenticated DH client certificate fix.
author Dr. Stephen Henson <steve@openssl.org>
Thu, 23 Oct 2014 19:36:17 +0000 (20:36 +0100)
committer Matt Caswell <matt@openssl.org>
Thu, 8 Jan 2015 15:49:45 +0000 (15:49 +0000)
commit 1421e0c584ae9120ca1b88098f13d6d2e90b83a3
tree 89b72de38c48b05c10e08f4251699aeb19923f92
parent a7a44ba55cb4f884c6bc9ceac90072dea38e66d0
Unauthenticated DH client certificate fix.

Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
ssl/s3_srvr.c
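
The rule stated in the commit message, shown as a simplified model of the server's decision. This is an added example, not code from OpenSSL or from this commit; `run_server`, the `msg` enum, the `result` struct and the `kx_uses_cert_dh` and `fixed` parameters are hypothetical names, and the client flights are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical names for this model; none are OpenSSL identifiers. */
enum msg { CLIENT_CERT, CLIENT_KEY_EXCHANGE, CERT_VERIFY, FINISHED };
struct result { bool accepted; bool peer_authenticated; };
/* Walk a constructed client flight through a model server.
 * kx_uses_cert_dh: premaster secret came from the client certificate's DH
 *                  key (the case where key exchange "returns 2").
 * fixed: false = the bypass the message describes, true = the stated rule.
 * The CertificateVerify signature check itself is not modelled. */
struct result run_server(const enum msg *flight, size_t n,
                         bool kx_uses_cert_dh, bool fixed)
{
    struct result r = { false, false };
    bool have_cert = false, have_kx = false, have_verify = false;
    bool check_verify = true;
    for (size_t i = 0; i < n; i++) {
        switch (flight[i]) {
        case CLIENT_CERT:
            have_cert = true;
            break;
        case CLIENT_KEY_EXCHANGE:
            have_kx = true;
            /* Bug: the "2" result skipped the verify step entirely. */
            if (kx_uses_cert_dh && have_cert && !fixed)
                check_verify = false;
            break;
        case CERT_VERIFY:
            have_verify = have_cert && have_kx;
            break;
        case FINISHED:
            /* Fix: verify may be absent only if no certificate was sent. */
            if (!have_kx || (check_verify && have_cert && !have_verify))
                return r; /* rejected, e.g. missing CertificateVerify */
            r.accepted = true;
            r.peer_authenticated = have_cert;
            return r;
        }
    }
    return r; /* flight ended without Finished */
}

int main(void)
{
    const enum msg f[] = { CLIENT_CERT, CLIENT_KEY_EXCHANGE, FINISHED }; /* constructed */
    printf("unfixed=%d fixed=%d\n", run_server(f, 3, true, false).accepted,
           run_server(f, 3, true, true).accepted);
    return 0;
}
```

In the unfixed model the certificate is treated as proven although the client never demonstrated possession of its private key; with the rule applied, the same flight is rejected while certificate-less clients and clients that send CertificateVerify are unaffected.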