diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-08-08 11:24:25 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-08-09 00:09:14 +0100 |
commit | 5ed0b6ac0c9226ee539f2f35871c10ee83a80b26 (patch) | |
tree | 8973ecc146383439d7725776229cf40e80f9f5c2 /ssl/s3_clnt.c | |
parent | 90a549ddfbd56970dd88b4bb19fb2046331ed6a6 (diff) |
Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:
A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)
Diffstat (limited to 'ssl/s3_clnt.c')
-rw-r--r-- | ssl/s3_clnt.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index b4964f29e4..d7722ed812 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -327,9 +327,9 @@ int ssl3_connect(SSL *s) break; } #endif - /* Check if it is anon DH/ECDH */ + /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && + if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { ret=ssl3_get_server_certificate(s); @@ -1916,8 +1916,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } else { - /* aNULL or kPSK do not need public keys */ - if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) + /* aNULL, aSRP or kPSK do not need public keys */ + if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK)) { /* Might be wrong key type, check it */ if (ssl3_check_cert_and_algorithm(s)) |