author | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 16:17:40 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 16:17:40 +0000 |
commit | ccf6a19e2d825f4039163393023bd15670aee946 (patch) | |
tree | dd5bb510651fbdaf23fdcef6c4cbf55489dfb7c4 /ssl/s3_lib.c | |
parent | 28fbbe3b1bc89cd5dba6a0d9e74a3cf24d341002 (diff) |
Add three Suite B modes to TLS code, supporting RFC6460.
(backport from HEAD)
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r-- | ssl/s3_lib.c | 57 |
1 files changed, 18 insertions, 39 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 2932b9fca1..964e094da1 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3956,7 +3956,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 }
 #endif
- if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s))
 {
 prio = srvr;
 allow = clnt;
@@ -4030,7 +4030,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 /* if we are considering an ECC cipher suite that uses
 * an ephemeral EC key check it */
 if (alg_k & SSL_kEECDH)
- ok = ok && tls1_check_ec_tmp_key(s);
+ ok = ok && tls1_check_ec_tmp_key(s, c->id);
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
@@ -4049,7 +4049,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 {
 int ret=0;
 const unsigned char *sig;
- size_t siglen;
+ size_t i, siglen;
 int have_rsa_sign = 0, have_dsa_sign = 0, have_ecdsa_sign = 0;
 int nostrict = 1;
 unsigned long alg_k;
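Review bot: In the first ssl3_choose_cipher hunk (line 3956), the new condition `s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)` relies on `&` binding tighter than `||`. It parses as intended, but explicit parentheses would make that obvious to the next reader: `if ((s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) || tls1_suiteb(s))`. The change also means the server's ordering is used whenever Suite B is active, regardless of the application's option, so a short comment such as `/* Suite B always selects in server preference order */` would help. The function body starts and ends outside the hunk.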
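Review bot: In the second ssl3_choose_cipher hunk (line 4030), the comment above the call still describes a plain temporary-key check, while `tls1_check_ec_tmp_key(s, c->id)` now receives the candidate cipher id. The helper is not visible here, but the extra argument suggests the result can differ per cipher suite, presumably so Suite B can tie the curve to the suite. I would extend the comment to say so, for example `* an ephemeral EC key check it, including any per-cipher curve restriction */`. The enclosing loop starts and ends outside the hunk.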
@@ -4060,48 +4060,27 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 memcpy(p, s->cert->ctypes, s->cert->ctype_num);
 return (int)s->cert->ctype_num;
 }
- /* Else see if we have any signature algorithms configured */
- if (s->cert->client_sigalgs)
+ /* get configured sigalgs */
+ siglen = tls12_get_psigalgs(s, &sig);
+ if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
+ nostrict = 0;
+ for (i = 0; i < siglen; i+=2, sig+=2)
 {
- sig = s->cert->client_sigalgs;
- siglen = s->cert->client_sigalgslen;
- }
- else
- {
- sig = s->cert->conf_sigalgs;
- siglen = s->cert->conf_sigalgslen;
- }
- /* If we have sigalgs work out if we can sign with RSA, DSA, ECDSA */
- if (sig)
- {
- size_t i;
- if (s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
- nostrict = 0;
- for (i = 0; i < siglen; i+=2, sig+=2)
+ switch(sig[1])
 {
- switch(sig[1])
- {
- case TLSEXT_signature_rsa:
- have_rsa_sign = 1;
- break;
+ case TLSEXT_signature_rsa:
+ have_rsa_sign = 1;
+ break;
- case TLSEXT_signature_dsa:
- have_dsa_sign = 1;
- break;
+ case TLSEXT_signature_dsa:
+ have_dsa_sign = 1;
+ break;
- case TLSEXT_signature_ecdsa:
- have_ecdsa_sign = 1;
- break;
- }
+ case TLSEXT_signature_ecdsa:
+ have_ecdsa_sign = 1;
+ break;
 }
 }
- /* Otherwise allow anything */
- else
- {
- have_rsa_sign = 1;
- have_dsa_sign = 1;
- have_ecdsa_sign = 1;
- }
 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
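Review bot: With the `/* Otherwise allow anything */` branch removed, ssl3_get_req_cert_type now depends on `tls12_get_psigalgs()` always returning a non-empty list. If it ever returns 0, the loop is skipped and all three `have_*_sign` flags stay 0, where the old code set them to 1. The helper is not shown here, so if it guarantees a default list, the comment should say so, for example `/* get configured sigalgs; tls12_get_psigalgs() falls back to the defaults, so the list is never empty */`. The loop also reads `sig[1]` while stepping by two, so an odd `siglen` would read one byte past the list; `for (i = 0; i + 1 < siglen; i+=2, sig+=2)` makes the pair assumption explicit. The function starts before this hunk and continues after it.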