author | Matt Caswell <matt@openssl.org> | 2018-08-13 15:23:27 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-08-20 15:14:01 +0100 |
commit | 32097b33bdff520d149ad6c8a11bd344e4ef764b (patch) | |
tree | c46929e459ee7c2688765c56afbf329f38a6edda /ssl/statem/extensions_clnt.c | |
parent | 756510c102885005c2fc31eb01e3a6b95f8ed985 (diff) |
Change Post Handshake auth so that it is opt-in
Having post-handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.
Fixes #6933.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
Diffstat (limited to 'ssl/statem/extensions_clnt.c')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 19 |
1 files changed, 2 insertions, 17 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 86d6189ea1..2d5b60a737 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1193,23 +1193,8 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
                                                   X509 *x, size_t chainidx)
 {
 #ifndef OPENSSL_NO_TLS1_3
-    if (!s->pha_forced) {
-        int i, n = 0;
-
-        /* check for cert, if present, we can do post-handshake auth */
-        if (s->cert == NULL)
-            return EXT_RETURN_NOT_SENT;
-
-        for (i = 0; i < SSL_PKEY_NUM; i++) {
-            if (s->cert->pkeys[i].x509 != NULL
-                    && s->cert->pkeys[i].privatekey != NULL)
-                n++;
-        }
-
-        /* no identity certificates, so no extension */
-        if (n == 0)
-            return EXT_RETURN_NOT_SENT;
-    }
+    if (!s->pha_enabled)
+        return EXT_RETURN_NOT_SENT;
 
     /* construct extension - 0 length, no contents */
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) |
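Review bot: The new `if (!s->pha_enabled)` check drops the certificate-and-private-key gate that previously decided whether the extension was advertised at all, so a client that opts in without having loaded an identity certificate will now advertise post_handshake_auth and must be ready to answer a later CertificateRequest with an empty Certificate; that is permitted by TLS 1.3, but the change in what "enabled" means deserves a comment at the check, e.g. `/* Opt-in only: advertised whenever enabled, regardless of whether a client certificate is configured */`. Whether `pha_forced` is still read anywhere after this hunk is not visible here; if this was its last consumer, the field and whatever sets it should be retired in the same series so a stale flag does not suggest a second, unused control path. The body of tls_construct_ctos_post_handshake_auth continues outside the hunk.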