Push some duplicated code into ssl_verify_cert_chain.
No sense in having it in both the 1.2 and 1.3 code.
Change-Id: Ib3854714afed24253af7f4bcee26d25e95a10211
Reviewed-on: https://boringssl-review.googlesource.com/9071
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 8a28c18..c47ba67 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -1313,12 +1313,15 @@
/* No client certificate so the handshake buffer may be discarded. */
ssl3_free_handshake_buffer(ssl);
- /* TLS does not mind 0 certs returned */
+ /* In SSL 3.0, sending no certificate is signaled by omitting the
+ * Certificate message. */
if (ssl->version == SSL3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;
- } else if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ }
+
+ if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
/* Fail for TLS only if we required a certificate */
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
@@ -1330,10 +1333,7 @@
ssl->s3->new_session->peer_sha256_valid = 1;
}
- if (ssl_verify_cert_chain(ssl, chain) <= 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL,
- ssl_verify_alarm_type(ssl->verify_result));
+ if (!ssl_verify_cert_chain(ssl, chain)) {
goto err;
}
}