Support for fixed DH ciphersuites.

The cipher definitions of these ciphersuites have been around since SSLeay but were always disabled. Now OpenSSL supports DH certificates they can be finally enabled. Various additional changes were needed to make them work properly: many unused fixed DH sections of code were untested.
2012-01-16 18:19:14 +00:00
parent a985410d2d
commit 8e1dc4d7ca
10 changed files with 120 additions and 51 deletions
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -594,6 +594,18 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
 		{
 		ret = SSL_PKEY_GOST01;
 		}
+	else if (x && i == EVP_PKEY_DH)
+		{
+		/* For DH two cases: DH certificate signed with RSA and
+		 * DH certificate signed with DSA.
+		 */
+		i = X509_certificate_type(x, pk);
+		if (i & EVP_PKS_RSA)
+			ret = SSL_PKEY_DH_RSA;
+		else if (i & EVP_PKS_DSA)
+			ret = SSL_PKEY_DH_DSA;
+		}
+		
 err:
 	if(!pkey) EVP_PKEY_free(pk);
 	return(ret);