authorDr. Stephen Henson <steve@openssl.org>2012-12-26 16:18:15 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-26 16:18:15 +0000
commit79dcae32efbd48b79345d0ac7b63820eb8090530 (patch)
tree3a007796c4c0d9b2e453ff3d5a32bef55578d566
parentccf6a19e2d825f4039163393023bd15670aee946 (diff)
give more meaningful error if presented with wrong certificate type by server
(backport from HEAD)
-rw-r--r--ssl/s3_clnt.c17
-rw-r--r--ssl/ssl.h2
-rw-r--r--ssl/ssl_err.c2
3 files changed, 19 insertions, 2 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f47737c483..0329da2df9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1834,10 +1834,13 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
}
else
{
+ /* aNULL or kPSK do not need public keys */
if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
- /* aNULL or kPSK do not need public keys */
{
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+ /* Might be wrong key type, check it */
+ if (ssl3_check_cert_and_algorithm(s))
+ /* Otherwise this shouldn't happen */
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
/* still data left over */
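Review bot: The unbraced `if (ssl3_check_cert_and_algorithm(s))` has a comment between the condition and its single statement, and the `goto err;` after it runs unconditionally, which is easy to misread or break in a later edit. Bracing it makes the intent explicit: `if (ssl3_check_cert_and_algorithm(s)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); }`. When the call returns 0 nothing is queued here, so this path relies on the callee having recorded a reason on each of its failure paths; the ECDSA and ECDH branches added in the next hunk do, but the rest of that function is outside the diff. A comment such as `/* Called for the error it records; a 0 return means the reason is already queued */` would document that the return value is used inversely. The enclosing function starts and ends outside the hunk.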
@@ -3335,6 +3338,16 @@ int ssl3_check_cert_and_algorithm(SSL *s)
return 1;
}
}
+ else if (alg_a & SSL_aECDSA)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDSA_SIGNING_CERT);
+ goto f_err;
+ }
+ else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDH_CERT);
+ goto f_err;
+ }
#endif
pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
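Review bot: The two new `else if` branches carry no comment saying when they are reached, and that depends on an `if` whose condition lies above the hunk. A line such as `/* Cipher requires an ECDSA signing or fixed-ECDH certificate but the server's certificate is of another type */` before `else if (alg_a & SSL_aECDSA)` would let a reader see that these are the cipher/certificate mismatch cases rather than a fall-through. Both branches jump to `f_err`, while the caller in the first hunk then jumps to its own `err`; what `f_err` does (for instance whether an alert is sent to the peer) is not visible here and would be worth stating in the same comment. ssl3_check_cert_and_algorithm begins and ends outside the hunk.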
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 87d606fd2c..080735a6ea 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2604,6 +2604,8 @@ void ERR_load_SSL_strings(void);
#define SSL_R_MISSING_DH_KEY 163
#define SSL_R_MISSING_DH_RSA_CERT 164
#define SSL_R_MISSING_DSA_SIGNING_CERT 165
+#define SSL_R_MISSING_ECDH_CERT 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT 381
#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
#define SSL_R_MISSING_RSA_CERTIFICATE 168
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index da667ccc65..d3c8bdea72 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -432,6 +432,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_ECDH_CERT) ,"missing ecdh cert"},
+{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),"missing ecdsa signing cert"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},