Add three Suite B modes to TLS code, supporting RFC6460.

(backport from HEAD)
Dr. Stephen Henson
2012-12-26 16:17:40 +00:00
parent 28fbbe3b1b
commit ccf6a19e2d
15 changed files with 375 additions and 80 deletions


@@ -3155,8 +3155,9 @@ err:
}
/* Check a certificate can be used for client authentication. Currently
* check cert exists, if we have a suitable digest for TLS 1.2 and if
* static DH client certificates can be used.
* check cert exists, if we have a suitable digest for TLS 1.2 if
* static DH client certificates can be used and optionally checks
* suitability for Suite B.
*/
static int ssl3_check_client_certificate(SSL *s)
{
@@ -3166,6 +3167,12 @@ static int ssl3_check_client_certificate(SSL *s)
/* If no suitable signature algorithm can't use certificate */
if (TLS1_get_version(s) >= TLS1_2_VERSION && !s->cert->key->digest)
return 0;
/* If strict mode check suitability of chain before using it.
* This also adjusts suite B digest if necessary.
*/
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
!tls1_check_chain(s, NULL, NULL, NULL, -2))
return 0;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
/* See if we can use client certificate for fixed DH */
if (alg_k & (SSL_kDHr|SSL_kDHd))