Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 60 |
1 files changed, 31 insertions, 29 deletions
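--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.75 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -447,36 +447,38 @@ ssl3_accept(SSL *s)
 
 case SSL3_ST_SW_CERT_REQ_A:
 case SSL3_ST_SW_CERT_REQ_B:
-if (/* Don't request cert unless asked for it: */
-!(s->verify_mode & SSL_VERIFY_PEER) ||
-/*
-* If SSL_VERIFY_CLIENT_ONCE is set,
-* don't request cert during re-negotiation:
-*/
+/*
+* Determine whether or not we need to request a
+* certificate.
+*
+* Do not request a certificate if:
+*
+* - We did not ask for it (SSL_VERIFY_PEER is unset).
+*
+* - SSL_VERIFY_CLIENT_ONCE is set and we are
+* renegotiating.
+*
+* - We are using an anonymous ciphersuites
+* (see section "Certificate request" in SSL 3 drafts
+* and in RFC 2246) ... except when the application
+* insists on verification (against the specs, but
+* s3_clnt.c accepts this for SSL 3).
+*
+* - We are using a Kerberos ciphersuite.
+*
+* - We are using normal PSK certificates and
+* Certificate Requests are omitted
+*/
+if (!(s->verify_mode & SSL_VERIFY_PEER) ||
 ((s->session->peer != NULL) &&
 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-/*
-* Never request cert in anonymous ciphersuites
-* (see section "Certificate request" in SSL 3
-* drafts and in RFC 2246):
-*/
 ((s->s3->tmp.new_cipher->algorithm_auth &
-SSL_aNULL) &&
-/*
-* ... except when the application insists on
-* verification (against the specs, but
-* s3_clnt.c accepts this for SSL 3)
-*/
-!(s->verify_mode &
-SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-/* never request cert in Kerberos ciphersuites */
-(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
-/*
-* With normal PSK Certificates and
-* Certificate Requests are omitted
-*/
-|| (s->s3->tmp.new_cipher->algorithm_mkey &
-SSL_kPSK)) {
+SSL_aNULL) && !(s->verify_mode &
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+(s->s3->tmp.new_cipher->algorithm_auth &
+SSL_aKRB5) ||
+(s->s3->tmp.new_cipher->algorithm_mkey &
+SSL_kPSK)) {
 /* No cert request */
 skip = 1;
 s->s3->tmp.cert_request = 0;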
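Review bot: The consolidated comment's last two bullets no longer read as conditions, which matters because this comment is now the only place the reasons for skipping the CertificateRequest are recorded and the hunk's code mirrors it clause by clause. The anonymous bullet should be `* - We are using an anonymous ciphersuite` and the PSK bullet should state the condition the `SSL_kPSK` test implements, e.g. `* - We are using a PSK ciphersuite (with normal PSK, certificates and Certificate Requests are omitted).`, which carries over the meaning of the removed in-line comment. It would also help to say in the bullet for `SSL_VERIFY_CLIENT_ONCE` that renegotiation is detected via `s->session->peer != NULL`, since that is the test the code actually makes. The enclosing `ssl3_accept` switch starts and ends outside the hunk.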
