From: Dr. Stephen Henson Date: Thu, 23 Oct 2014 19:36:17 +0000 (+0100) Subject: Unauthenticated DH client certificate fix. X-Git-Tag: OpenSSL_1_0_0p~4 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f7fe3d235abf201343c20a59f9d9c8957acc62ff;p=oweals%2Fopenssl.git Unauthenticated DH client certificate fix. Fix to prevent use of DH client certificates without sending certificate verify message. If we've used a client certificate to generate the premaster secret ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is never called. We can only skip the certificate verify message in ssl3_get_cert_verify if the client didn't send a certificate. Thanks to Karthikeyan Bhargavan for reporting this issue. CVE-2015-0205 Reviewed-by: Matt Caswell --- diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 0dce557df9..df51bf9c71 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2765,7 +2765,7 @@ int ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type & EVP_PKT_SIGN)) + if (peer != NULL) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);