Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman

certificates without requiring a CertificateVerify message. From OpenSSL commit: https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3 Thanks to Karthikeyan Bhargavan for reporting this. ok miod@
author: bcook <> 2015-02-25 03:49:21 +0000
committer: bcook <> 2015-02-25 03:49:21 +0000
commit: b958a03fbcadc7756562b7767378655598be4933 (patch)
tree: 75c88661ecd7efdaf08aec471754e2258d4359d8 /src/lib
parent: 2d4851f4f089bc03076859501f5d61e961eb2add (diff)
download: openbsd-b958a03fbcadc7756562b7767378655598be4933.tar.gz
openbsd-b958a03fbcadc7756562b7767378655598be4933.tar.bz2
openbsd-b958a03fbcadc7756562b7767378655598be4933.zip
2 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 32b379d98f..0bff0204d9 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
                s->s3->tmp.reuse_message = 1;
-                if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
+                if (peer != NULL) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
                            SSL_R_MISSING_VERIFY_MESSAGE);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 32b379d98f..0bff0204d9 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
                s->s3->tmp.reuse_message = 1;
-                if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
+                if (peer != NULL) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
                            SSL_R_MISSING_VERIFY_MESSAGE);
author	bcook <>	2015-02-25 03:49:21 +0000
committer	bcook <>	2015-02-25 03:49:21 +0000
commit	b958a03fbcadc7756562b7767378655598be4933 (patch)
tree	75c88661ecd7efdaf08aec471754e2258d4359d8 /src/lib
parent	2d4851f4f089bc03076859501f5d61e961eb2add (diff)
download	openbsd-b958a03fbcadc7756562b7767378655598be4933.tar.gz openbsd-b958a03fbcadc7756562b7767378655598be4933.tar.bz2 openbsd-b958a03fbcadc7756562b7767378655598be4933.zip

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 32b379d98f..0bff0204d9 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
2190		2190
2191	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {	2191	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2192	s->s3->tmp.reuse_message = 1;	2192	s->s3->tmp.reuse_message = 1;
2193	if ((peer != NULL) && (type & EVP_PKT_SIGN)) {	2193	if (peer != NULL) {
2194	al = SSL_AD_UNEXPECTED_MESSAGE;	2194	al = SSL_AD_UNEXPECTED_MESSAGE;
2195	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,	2195	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2196	SSL_R_MISSING_VERIFY_MESSAGE);	2196	SSL_R_MISSING_VERIFY_MESSAGE);


diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 32b379d98f..0bff0204d9 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
2190		2190
2191	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {	2191	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2192	s->s3->tmp.reuse_message = 1;	2192	s->s3->tmp.reuse_message = 1;
2193	if ((peer != NULL) && (type & EVP_PKT_SIGN)) {	2193	if (peer != NULL) {
2194	al = SSL_AD_UNEXPECTED_MESSAGE;	2194	al = SSL_AD_UNEXPECTED_MESSAGE;
2195	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,	2195	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2196	SSL_R_MISSING_VERIFY_MESSAGE);	2196	SSL_R_MISSING_VERIFY_MESSAGE);