authorMatt Caswell <matt@openssl.org>2016-06-22 19:43:46 +0100
committerMatt Caswell <matt@openssl.org>2016-07-18 14:30:14 +0100
commit672f3337c36d932bf214edf0a1a65fd069142282 (patch)
treec2e0c3472495b51546c6485da2774a114dece66a /ssl/statem/statem_clnt.c
parent10e6d235494f69365914f959f83b448b0b21dca2 (diff)
Fix SSLv3 alert if no Client Ceritifcate sent after a request for one
In TLS, if the server sends a CertificateRequest and the client does not provide one, if the server cannot continue it should send a HandshakeFailure alert. In SSLv3 the same should happen, but instead we were sending an UnexpectedMessage alert. This is incorrect - the message isn't unexpected - it is valid for the client not to send one - it's just that we cannot continue without one. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r--ssl/statem/statem_clnt.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 2ab1f8e3f0..864f76cfcd 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -175,7 +175,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
} else {
ske_expected = key_exchange_expected(s);
if (ske_expected < 0)
- return 0;
+ goto err;
/* SKE is optional for some PSK ciphersuites */
if (ske_expected
|| ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
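Review bot: The `ske_expected < 0` branch now jumps to `err`, which per the last hunk sends a fatal unexpected_message alert and records `SSL_R_UNEXPECTED_MESSAGE`. The definition of key_exchange_expected() is not visible here, but if a negative return signals an internal failure rather than an out-of-order message, both the peer and the local error queue are told the wrong cause, which makes failed handshakes harder to triage. Consider giving that case its own exit path, or at least documenting the choice at the jump, e.g. `/* key_exchange_expected() failure is reported to the peer as an unexpected message */`. The same applies to the `TLS_ST_CR_CERT_STATUS` hunk at -210, and the function body continues outside both hunks.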
@@ -210,7 +210,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
case TLS_ST_CR_CERT_STATUS:
ske_expected = key_exchange_expected(s);
if (ske_expected < 0)
- return 0;
+ goto err;
/* SKE is optional for some PSK ciphersuites */
if (ske_expected
|| ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
@@ -219,7 +219,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
st->hand_state = TLS_ST_CR_KEY_EXCH;
return 1;
}
- return 0;
+ goto err;
}
/* Fall through */
@@ -229,7 +229,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
st->hand_state = TLS_ST_CR_CERT_REQ;
return 1;
}
- return 0;
+ goto err;
}
/* Fall through */
@@ -270,7 +270,10 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
break;
}
+ err:
/* No valid transition found */
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
return 0;
}
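Review bot: The error is recorded under `SSL_F_READ_STATE_MACHINE`, but the hunk header shows this code lives in ossl_statem_client_read_transition, so error-queue entries will name the wrong function when someone traces a failed handshake. A function code for this function would be more accurate. The alert is now sent here on every failing path, both the `goto err` sites and the `break` that falls out of the switch to the label. Because the diffstat is limited to this file, it is worth confirming the caller no longer sends its own alert on a 0 return, otherwise two fatal alerts could go out for one failure. The retained comment could also say what the label now does, e.g. `/* No valid transition found: alert the peer and fail */`.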