Abort handshake if signature algorithm used not supported by peer.

(backport from HEAD)
This commit is contained in:
Dr. Stephen Henson
2012-12-26 15:27:24 +00:00
parent 44adfeb6c0
commit 25d4c9254c
7 changed files with 63 additions and 34 deletions


@@ -3054,26 +3054,15 @@ int ssl3_get_cert_verify(SSL *s)
{
if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
int sigalg = tls12_get_sigid(pkey);
/* Should never happen */
if (sigalg == -1)
int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
if (rv == -1)
{
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
al=SSL_AD_INTERNAL_ERROR;
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
/* Check key type is consistent with signature */
if (sigalg != (int)p[1])
else if (rv == 0)
{
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE);
al=SSL_AD_DECODE_ERROR;
goto f_err;
}
md = tls12_get_hash(p[0]);
if (md == NULL)
{
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
al=SSL_AD_DECODE_ERROR;
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
#ifdef SSL_DEBUG
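Review bot: The new branches at `if (rv == -1)` and `else if (rv == 0)` only set `al` and jump to `f_err`; the `SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ...)` calls that the removed lines made here are gone, so unless `tls12_check_peer_sigalg()` (not shown in this hunk) queues a reason on both of its failure paths, the alert goes out with nothing on the error queue and the peer-side failure becomes hard to diagnose. The return contract of the helper is also now implicit: the call should carry a comment such as `/* tls12_check_peer_sigalg: 1 = OK and md set, 0 = peer's (hash,sig) pair rejected (decode error), -1 = internal error; the helper records the SSLerr reason itself */`, with the last clause confirmed against the helper. Note that `md` is only an out-parameter here and is used after this block by the signature verification code, which runs outside the hunk; the comment should state that callers may rely on `md` being non-NULL only when `rv == 1`. The enclosing `ssl3_get_cert_verify()` starts and ends outside this hunk, including the advance of `p`/`n` past the two sigalg bytes, so whether at least two bytes of `p` are guaranteed before the helper reads them cannot be checked from here.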