summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_srvr.c')
-rw-r--r--src/lib/libssl/d1_srvr.c31
1 files changed, 9 insertions, 22 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 8531f2db2b..a94b7ed61b 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -427,9 +427,9 @@ dtls1_accept(SSL *s)
427 427
428 case SSL3_ST_SW_CERT_A: 428 case SSL3_ST_SW_CERT_A:
429 case SSL3_ST_SW_CERT_B: 429 case SSL3_ST_SW_CERT_B:
430 /* Check if it is anon DH or normal PSK */ 430 /* Check if it is anon DH. */
431 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 431 if (!(s->s3->tmp.new_cipher->algorithm_auth &
432 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 432 SSL_aNULL)) {
433 dtls1_start_timer(s); 433 dtls1_start_timer(s);
434 ret = dtls1_send_server_certificate(s); 434 ret = dtls1_send_server_certificate(s);
435 if (ret <= 0) 435 if (ret <= 0)
@@ -500,22 +500,13 @@ dtls1_accept(SSL *s)
500 * and in RFC 2246) ... except when the application 500 * and in RFC 2246) ... except when the application
501 * insists on verification (against the specs, but 501 * insists on verification (against the specs, but
502 * s3_clnt.c accepts this for SSL 3). 502 * s3_clnt.c accepts this for SSL 3).
503 *
504 * - We are using a Kerberos ciphersuite.
505 *
506 * - We are using normal PSK certificates and
507 * Certificate Requests are omitted
508 */ 503 */
509 if (!(s->verify_mode & SSL_VERIFY_PEER) || 504 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
510 ((s->session->peer != NULL) && 505 ((s->session->peer != NULL) &&
511 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 506 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
512 ((s->s3->tmp.new_cipher->algorithm_auth & 507 ((s->s3->tmp.new_cipher->algorithm_auth &
513 SSL_aNULL) && !(s->verify_mode & 508 SSL_aNULL) && !(s->verify_mode &
514 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 509 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
515 (s->s3->tmp.new_cipher->algorithm_auth &
516 SSL_aKRB5) ||
517 (s->s3->tmp.new_cipher->algorithm_mkey &
518 SSL_kPSK)) {
519 /* no cert request */ 510 /* no cert request */
520 skip = 1; 511 skip = 1;
521 s->s3->tmp.cert_request = 0; 512 s->s3->tmp.cert_request = 0;
@@ -1216,8 +1207,7 @@ dtls1_send_server_key_exchange(SSL *s)
1216 n += 2 + nr[i]; 1207 n += 2 + nr[i];
1217 } 1208 }
1218 1209
1219 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1210 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1220 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1221 if ((pkey = ssl_get_sign_pkey(s, 1211 if ((pkey = ssl_get_sign_pkey(s,
1222 s->s3->tmp.new_cipher, NULL)) == NULL) { 1212 s->s3->tmp.new_cipher, NULL)) == NULL) {
1223 al = SSL_AD_DECODE_ERROR; 1213 al = SSL_AD_DECODE_ERROR;
@@ -1463,12 +1453,9 @@ dtls1_send_server_certificate(SSL *s)
1463 if (s->state == SSL3_ST_SW_CERT_A) { 1453 if (s->state == SSL3_ST_SW_CERT_A) {
1464 x = ssl_get_server_send_cert(s); 1454 x = ssl_get_server_send_cert(s);
1465 if (x == NULL) { 1455 if (x == NULL) {
1466 /* VRS: allow null cert if auth == KRB5 */ 1456 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
1467 if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || 1457 ERR_R_INTERNAL_ERROR);
1468 (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) { 1458 return (0);
1469 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1470 return (0);
1471 }
1472 } 1459 }
1473 1460
1474 l = dtls1_output_cert_chain(s, x); 1461 l = dtls1_output_cert_chain(s, x);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 11:56:32 +0000