Initial TLS v1.2 client support. Include a default supported signature

algorithms extension (including everything we support). Switch to new
signature format where needed and relax ECC restrictions.

No TLS v1.2 client certificate support yet, but the client will handle the
case where a certificate is requested and we don't have one.
Dr. Stephen Henson
2011-05-09 15:44:01 +00:00
parent 0b59755f43
commit a2f9200fba
10 changed files with 206 additions and 80 deletions


@@ -2185,12 +2185,13 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
#ifndef OPENSSL_NO_EC
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
int signature_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
@@ -2217,7 +2218,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
return 0;
}
if (alg_k & SSL_kECDHe)
if ((alg_k & SSL_kECDHe) && s->version < TLS1_2_VERSION)
{
/* signature alg must be ECDSA */
if (signature_nid != NID_ecdsa_with_SHA1)
@@ -2226,7 +2227,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
return 0;
}
}
if (alg_k & SSL_kECDHr)
if ((alg_k & SSL_kECDHr) && s->version < TLS1_2_VERSION)
{
/* signature alg must be RSA */