diff options
Diffstat (limited to 'src/lib/libssl/d1_srvr.c')
| -rw-r--r-- | src/lib/libssl/d1_srvr.c | 50 |
1 files changed, 32 insertions, 18 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index d94c08a313..8531f2db2b 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */ | 1 | /* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -484,24 +484,38 @@ dtls1_accept(SSL *s) | |||
| 484 | 484 | ||
| 485 | case SSL3_ST_SW_CERT_REQ_A: | 485 | case SSL3_ST_SW_CERT_REQ_A: |
| 486 | case SSL3_ST_SW_CERT_REQ_B: | 486 | case SSL3_ST_SW_CERT_REQ_B: |
| 487 | if (/* don't request cert unless asked for it: */ | 487 | /* |
| 488 | !(s->verify_mode & SSL_VERIFY_PEER) || | 488 | * Determine whether or not we need to request a |
| 489 | /* if SSL_VERIFY_CLIENT_ONCE is set, | 489 | * certificate. |
| 490 | * don't request cert during re-negotiation: */ | 490 | * |
| 491 | * Do not request a certificate if: | ||
| 492 | * | ||
| 493 | * - We did not ask for it (SSL_VERIFY_PEER is unset). | ||
| 494 | * | ||
| 495 | * - SSL_VERIFY_CLIENT_ONCE is set and we are | ||
| 496 | * renegotiating. | ||
| 497 | * | ||
| 498 | * - We are using an anonymous ciphersuites | ||
| 499 | * (see section "Certificate request" in SSL 3 drafts | ||
| 500 | * and in RFC 2246) ... except when the application | ||
| 501 | * insists on verification (against the specs, but | ||
| 502 | * s3_clnt.c accepts this for SSL 3). | ||
| 503 | * | ||
| 504 | * - We are using a Kerberos ciphersuite. | ||
| 505 | * | ||
| 506 | * - We are using normal PSK certificates and | ||
| 507 | * Certificate Requests are omitted | ||
| 508 | */ | ||
| 509 | if (!(s->verify_mode & SSL_VERIFY_PEER) || | ||
| 491 | ((s->session->peer != NULL) && | 510 | ((s->session->peer != NULL) && |
| 492 | (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || | 511 | (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || |
| 493 | /* never request cert in anonymous ciphersuites | 512 | ((s->s3->tmp.new_cipher->algorithm_auth & |
| 494 | * (see section "Certificate request" in SSL 3 drafts | 513 | SSL_aNULL) && !(s->verify_mode & |
| 495 | * and in RFC 2246): */ | 514 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || |
| 496 | ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && | 515 | (s->s3->tmp.new_cipher->algorithm_auth & |
| 497 | /* ... except when the application insists on verification | 516 | SSL_aKRB5) || |
| 498 | * (against the specs, but s3_clnt.c accepts this for SSL 3) */ | 517 | (s->s3->tmp.new_cipher->algorithm_mkey & |
| 499 | !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || | 518 | SSL_kPSK)) { |
| 500 | /* never request cert in Kerberos ciphersuites */ | ||
| 501 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) | ||
| 502 | /* With normal PSK Certificates and | ||
| 503 | * Certificate Requests are omitted */ | ||
| 504 | || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { | ||
| 505 | /* no cert request */ | 519 | /* no cert request */ |
| 506 | skip = 1; | 520 | skip = 1; |
| 507 | s->s3->tmp.cert_request = 0; | 521 | s->s3->tmp.cert_request = 0; |