diff options
| author | Matt Caswell <matt@openssl.org> | 2016-12-05 17:04:51 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-01-10 23:02:50 +0000 |
| commit | 2c5dfdc357046a4d6f40afb3311f7c3f06c58ebe (patch) | |
| tree | 4775fcf266a7204526fc9cae3c0f4cf0de9d5de3 /ssl/statem/statem_srvr.c | |
| parent | d8bc139978ee86efe1039a1f783a30b63b89f665 (diff) | |
| download | openssl-2c5dfdc357046a4d6f40afb3311f7c3f06c58ebe.zip openssl-2c5dfdc357046a4d6f40afb3311f7c3f06c58ebe.tar.gz openssl-2c5dfdc357046a4d6f40afb3311f7c3f06c58ebe.tar.bz2 | |
Make CertificateVerify TLS1.3 aware
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
| -rw-r--r-- | ssl/statem/statem_srvr.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index f29f0f3..d08ed6f 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -427,6 +427,10 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_CERT: + st->hand_state = TLS_ST_SW_CERT_VRFY; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_VRFY: st->hand_state = TLS_ST_SW_FINISHED; return WRITE_TRAN_CONTINUE; @@ -826,6 +830,12 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *mt = SSL3_MT_CERTIFICATE; break; + case TLS_ST_SW_CERT_VRFY: + *confunc = tls_construct_cert_verify; + *mt = SSL3_MT_CERTIFICATE_VERIFY; + break; + + case TLS_ST_SW_KEY_EXCH: *confunc = tls_construct_server_key_exchange; *mt = SSL3_MT_SERVER_KEY_EXCHANGE; @@ -3109,6 +3119,17 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) * certificate, while we do include it in statem_clnt.c */ sk = NULL; + + /* Save the current hash state for when we receive the CertificateVerify */ + if (SSL_IS_TLS13(s) + && !ssl_handshake_hash(s, s->cert_verify_hash, + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + goto f_err; + } + ret = MSG_PROCESS_CONTINUE_READING; goto done; |