git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Thu, 11 Oct 2018 16:01:06 +0000 (17:01 +0100)
committer	Matt Caswell <matt@openssl.org>
	Tue, 30 Oct 2018 12:08:42 +0000 (12:08 +0000)
commit	e45620140fce22c3251440063bc17440289d730c
tree	3d2a409735c08e86cd550797e0350e76f145bb82	tree \| snapshot
parent	828b52951cf182d5f9cf159804419230b27840c9	commit \| diff

Don't call the client_cert_cb immediately in TLSv1.3

In TLSv1.2 and below a CertificateRequest is sent after the Certificate
from the server. This means that by the time the client_cert_cb is called
on receipt of the CertificateRequest a call to SSL_get_peer_certificate()
will return the server certificate as expected. In TLSv1.3 a
CertificateRequest is sent before a Certificate message so calling
SSL_get_peer_certificate() returns NULL.

To workaround this we delay calling the client_cert_cb until after we
have processed the CertificateVerify message, when we are doing TLSv1.3.

Fixes #7384

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7413)

ssl/statem/statem_clnt.c		diff \| blob \| blame \| history
ssl/statem/statem_lib.c		diff \| blob \| blame \| history