diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2014-08-08 11:24:25 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2014-08-09 00:09:14 +0100 |
| commit | 5ed0b6ac0c9226ee539f2f35871c10ee83a80b26 (patch) | |
| tree | 8973ecc146383439d7725776229cf40e80f9f5c2 /ssl/s3_lib.c | |
| parent | 90a549ddfbd56970dd88b4bb19fb2046331ed6a6 (diff) | |
Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:
A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)
Diffstat (limited to 'ssl/s3_lib.c')
| -rw-r--r-- | ssl/s3_lib.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a792edc1a4..1a1e3faac2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3441,8 +3441,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) cipher = s->s3->tmp.new_cipher; if (!cipher) return 0; - /* No certificate for unauthenticated ciphersuites */ - if (cipher->algorithm_auth & SSL_aNULL) + /* No certificate for unauthenticated ciphersuites + * or using SRP authentication + */ + if (cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) return 2; cpk = ssl_get_server_send_pkey(s); if (!cpk) @@ -4133,8 +4135,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, emask_k = cert->export_mask_k; emask_a = cert->export_mask_a; #ifndef OPENSSL_NO_SRP - mask_k=cert->mask_k | s->srp_ctx.srp_Mask; - emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask; + if (s->srp_ctx.srp_Mask & SSL_kSRP) + { + mask_k |= SSL_kSRP; + emask_k |= SSL_kSRP; + mask_a |= SSL_aSRP; + emask_a |= SSL_aSRP; + } #endif #ifdef KSSL_DEBUG |