give more meaningful error if presented with wrong certificate type by server

(backport from HEAD)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f47737c483ef5389f245eb2ba5c8277c3f4a9f34..0329da2df9545ec30bd51040b21eb97e1f306cc9 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1834,10 +1834,13 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                }
        else
                {
+               /* aNULL or kPSK do not need public keys */
                if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
-                       /* aNULL or kPSK do not need public keys */
                        {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                       /* Might be wrong key type, check it */
+                       if (ssl3_check_cert_and_algorithm(s))
+                               /* Otherwise this shouldn't happen */
+                               SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
                /* still data left over */
@@ -3335,6 +3338,16 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                        return 1;
                        }
                }
+       else if (alg_a & SSL_aECDSA)
+               {
+               SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDSA_SIGNING_CERT);
+               goto f_err;
+               }
+       else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
+               {
+               SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_ECDH_CERT);
+               goto f_err;
+               }
 #endif
        pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
        i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 87d606fd2cb41a4f135593cde12ca6881a44b7b2..080735a6ea358cd9ac62735f5abf7f9937413a1b 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2604,6 +2604,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_DH_KEY                            163
 #define SSL_R_MISSING_DH_RSA_CERT                       164
 #define SSL_R_MISSING_DSA_SIGNING_CERT                  165
+#define SSL_R_MISSING_ECDH_CERT                                 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT                381
 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY                         166
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY                167
 #define SSL_R_MISSING_RSA_CERTIFICATE                   168

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index da667ccc65817b3c8e9b22eedafe3a136f1af4f4..d3c8bdea7276ff2860591a595bdb67166f51a4d7 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -432,6 +432,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
 {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
 {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_ECDH_CERT)     ,"missing ecdh cert"},
+{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),"missing ecdsa signing cert"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},