From: Dr. Stephen Henson
Date: Thu, 30 Aug 2012 12:46:22 +0000 (+0000)
Subject: give more meaningful error if presented with wrong certificate type by server
X-Git-Tag: master-pre-reformat~1662
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=becfdb995baa14d1db3ebed7991545a15d6040d1;p=openssl

give more meaningful error if presented with wrong certificate type by server
---

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 721c3ba3cb..81e45a758e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1833,10 +1833,13 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 }
 else
 {
+ /* aNULL or kPSK do not need public keys */
 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
- /* aNULL or kPSK do not need public keys */
 {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+ /* Might be wrong key type, check it */
+ if (ssl3_check_cert_and_algorithm(s))
+ /* Otherwise this shouldn't happen */
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 goto err;
 }
 /* still data left over */
@@ -3334,6 +3337,16 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 return 1;
 }
 }
+ else if (alg_a & SSL_aECDSA)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDSA_SIGNING_CERT);
+ goto f_err;
+ }
+ else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDH_CERT);
+ goto f_err;
+ }
 #endif
 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 73bb026723..c5d45049a0 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2624,6 +2624,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_DH_KEY 163
 #define SSL_R_MISSING_DH_RSA_CERT 164
 #define SSL_R_MISSING_DSA_SIGNING_CERT 165
+#define SSL_R_MISSING_ECDH_CERT 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT 381
 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
 #define SSL_R_MISSING_RSA_CERTIFICATE 168
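Review bot: The new inner `if (ssl3_check_cert_and_algorithm(s))` in the first s3_clnt.c hunk is unbraced, has a comment sitting between the condition and its only statement, and is followed directly by the unconditional `goto err;`, so it is easy to misread which statements on this handshake error path are conditional. I would brace it: `if (ssl3_check_cert_and_algorithm(s))` `{ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); }`. The comment could also state that the call is made for the specific reason it records and that a non-zero return means the certificate type was not the cause, e.g. `/* non-zero: cert type is fine, so this really is an internal error */`. The callee's failure path is only partly visible on this page, so what it returns and does at `f_err` before this code jumps to `err` should be confirmed. The enclosing function starts and ends outside the hunk.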
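Review bot: The two `else if` branches added in the second s3_clnt.c hunk carry no comment saying why reaching them is an error, and the `if` they attach to lies above the hunk, so a reader cannot tell from here which certificate state leads to them. A one-line comment before the first branch would do, for example `/* cipher suite needs an EC certificate but the peer's certificate is of another type */`, worded to match whatever the preceding condition actually tests. Both branches also sit just before an `#endif` whose opening directive is outside the hunk; if that guard is the ECDH one, it is worth confirming that the ECDSA diagnostic is meant to be compiled out with it. The body of ssl3_check_cert_and_algorithm continues on both sides of the hunk.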
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 4a7d7f2194..119a43c6a5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -431,6 +431,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
 {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
 {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_ECDH_CERT) ,"missing ecdh cert"},
+{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),"missing ecdsa signing cert"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},