From: Dr. Stephen Henson Date: Wed, 26 Dec 2012 16:18:15 +0000 (+0000) Subject: give more meaningful error if presented with wrong certificate type by server X-Git-Tag: OpenSSL_1_0_2-beta1~499 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=79dcae32efbd48b79345d0ac7b63820eb8090530;p=oweals%2Fopenssl.git give more meaningful error if presented with wrong certificate type by server (backport from HEAD) --- diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index f47737c483..0329da2df9 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1834,10 +1834,13 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } else { + /* aNULL or kPSK do not need public keys */ if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) - /* aNULL or kPSK do not need public keys */ { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); + /* Might be wrong key type, check it */ + if (ssl3_check_cert_and_algorithm(s)) + /* Otherwise this shouldn't happen */ + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } /* still data left over */ @@ -3335,6 +3338,16 @@ int ssl3_check_cert_and_algorithm(SSL *s) return 1; } } + else if (alg_a & SSL_aECDSA) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDSA_SIGNING_CERT); + goto f_err; + } + else if (alg_k & (SSL_kECDHr|SSL_kECDHe)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDH_CERT); + goto f_err; + } #endif pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); diff --git a/ssl/ssl.h b/ssl/ssl.h index 87d606fd2c..080735a6ea 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2604,6 +2604,8 @@ void ERR_load_SSL_strings(void); #define SSL_R_MISSING_DH_KEY 163 #define SSL_R_MISSING_DH_RSA_CERT 164 #define SSL_R_MISSING_DSA_SIGNING_CERT 165 +#define SSL_R_MISSING_ECDH_CERT 382 +#define SSL_R_MISSING_ECDSA_SIGNING_CERT 381 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167 #define SSL_R_MISSING_RSA_CERTIFICATE 168 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index da667ccc65..d3c8bdea72 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -432,6 +432,8 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"}, {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"}, {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"}, +{ERR_REASON(SSL_R_MISSING_ECDH_CERT) ,"missing ecdh cert"}, +{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),"missing ecdsa signing cert"}, {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"}, {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"}, {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},