wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update fixed DH requirements.

Browse source 
The relaxed signing requirements for fixed DH certificates apply to DTLS 1.2
too.
This commit is contained in:
Dr. Stephen Henson 2013-03-27 16:05:10 +00:00
parent 04fac50045
commit fbbaaccaca
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ssl/s3_clnt.c
View file

@ -3404,14 +3404,14 @@ int ssl3_check_cert_and_algorithm(SSL *s)
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
goto f_err; goto f_err;
} }
else if ((alg_k & SSL_kDHr) && (TLS1_get_version(s) < TLS1_2_VERSION) && else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
!has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
{ {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err; goto f_err;
} }
#ifndef OPENSSL_NO_DSA #ifndef OPENSSL_NO_DSA
else if ((alg_k & SSL_kDHd) && (TLS1_get_version(s) < TLS1_2_VERSION) && else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
!has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
{ {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);