Digest cached records if not sending a certificate.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 6 May 2015 23:04:48 +0000 (00:04 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 6 May 2015 23:37:10 +0000 (00:37 +0100)
If server requests a certificate, but the client doesn't send one, cache
digested records. This is an optimisation and ensures the correct finished
mac is used when extended master secret is used with client authentication.

Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/s3_clnt.c

index ea4503f..86b7994 100644 (file)
@@ -3348,6 +3348,11 @@ int ssl3_send_client_certificate(SSL *s)
                 return (1);
             } else {
                 s->s3->tmp.cert_req = 2;
+                if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
+                    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                    s->state = SSL_ST_ERR;
+                    return 0;
+                }
             }
         }