Digest cached records if not sending a certificate.

If server requests a certificate, but the client doesn't send one, cache digested records. This is an optimisation and ensures the correct finished mac is used when extended master secret is used with client authentication. Reviewed-by: Tim Hudson <tjh@openssl.org>
author: Dr. Stephen Henson <steve@openssl.org> 2015-05-07 00:04:48 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2015-05-07 00:37:10 +0100
commit: dab18ab596acb35eff2545643e25757e4f9cd777 (patch)
tree: 3381e1ce7cce177283936f5eae4913c769d322b8
parent: 45ebd7312874548904f3e438b39704d0134c7a1b (diff)
download: openssl-dab18ab596acb35eff2545643e25757e4f9cd777.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index ea4503fbcb..86b7994ca4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3348,6 +3348,11 @@ int ssl3_send_client_certificate(SSL *s)
                 return (1);
             } else {
                 s->s3->tmp.cert_req = 2;
+                if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
+                    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                    s->state = SSL_ST_ERR;
+                    return 0;
+                }
             }
         }
author	Dr. Stephen Henson <steve@openssl.org>	2015-05-07 00:04:48 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2015-05-07 00:37:10 +0100
commit	dab18ab596acb35eff2545643e25757e4f9cd777 (patch)
tree	3381e1ce7cce177283936f5eae4913c769d322b8
parent	45ebd7312874548904f3e438b39704d0134c7a1b (diff)
download	openssl-dab18ab596acb35eff2545643e25757e4f9cd777.tar.gz