From b958a03fbcadc7756562b7767378655598be4933 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Wed, 25 Feb 2015 03:49:21 +0000
Subject: Fix CVE-2015-0205: Do not accept client authentication with
 Diffie-Hellman certificates without requiring a CertificateVerify message.

From OpenSSL commit:
https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3

Thanks to Karthikeyan Bhargavan for reporting this.
ok miod@
---
 src/lib/libssl/s3_srvr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/s3_srvr.c')

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 32b379d98f..0bff0204d9 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.99 2015/02/07 08:56:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2190,7 +2190,7 @@ ssl3_get_cert_verify(SSL *s)
 
 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
 		s->s3->tmp.reuse_message = 1;
-		if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
+		if (peer != NULL) {
 			al = SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
 			    SSL_R_MISSING_VERIFY_MESSAGE);
-- 
cgit v1.2.3-55-g6feb