author | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 16:22:19 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 16:22:19 +0000 |
commit | 67d9dcf0030fc06b4bb68df0302761123f0d065f (patch) | |
tree | ae9882973715fb75834b46a8323f41ae9a2a3815 /ssl/ssl_ciph.c | |
parent | 79dcae32efbd48b79345d0ac7b63820eb8090530 (diff) |
perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange
(backport from HEAD)
Diffstat (limited to 'ssl/ssl_ciph.c')
-rw-r--r-- | ssl/ssl_ciph.c | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index f0cc5b1db6..bac2515789 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1890,5 +1890,47 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
 return comp->name;
 return NULL;
 }
-
 #endif
+/* For a cipher return the index corresponding to the certificate type */
+int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
+ {
+ unsigned long alg_k, alg_a;
+
+ alg_k = c->algorithm_mkey;
+ alg_a = c->algorithm_auth;
+
+ if (alg_k & (SSL_kECDHr|SSL_kECDHe))
+ {
+ /* we don't need to look at SSL_kEECDH
+ * since no certificate is needed for
+ * anon ECDH and for authenticated
+ * EECDH, the check for the auth
+ * algorithm will set i correctly
+ * NOTE: For ECDH-RSA, we need an ECC
+ * not an RSA cert but for EECDH-RSA
+ * we need an RSA cert. Placing the
+ * checks for SSL_kECDH before RSA
+ * checks ensures the correct cert is chosen.
+ */
+ return SSL_PKEY_ECC;
+ }
+ else if (alg_a & SSL_aECDSA)
+ return SSL_PKEY_ECC;
+ else if (alg_k & SSL_kDHr)
+ return SSL_PKEY_DH_RSA;
+ else if (alg_k & SSL_kDHd)
+ return SSL_PKEY_DH_DSA;
+ else if (alg_a & SSL_aDSS)
+ return SSL_PKEY_DSA_SIGN;
+ else if (alg_a & SSL_aRSA)
+ return SSL_PKEY_RSA_ENC;
+ else if (alg_a & SSL_aKRB5)
+ /* VRS something else here? */
+ return -1;
+ else if (alg_a & SSL_aGOST94)
+ return SSL_PKEY_GOST94;
+ else if (alg_a & SSL_aGOST01)
+ return SSL_PKEY_GOST01;
+ return -1;
+ }
+
|
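Review bot: The header comment on ssl_cipher_get_cert_index() does not say what -1 means, and the function returns it both from the SSL_aKRB5 branch and when no branch matches at all, so a caller cannot tell "no certificate expected" from "unrecognised cipher". Since the result is described as an index, I would spell out the contract, e.g. `/* Return the SSL_PKEY_* index of the certificate type cipher c requires, or -1 if no index applies; callers must test for a negative value before indexing with it. */`. The callers are not part of this file's diff, so whether they already check for -1 before using the value should be confirmed there. The inner comment also still says "will set i correctly" although this function has no `i`; `will return the correct index` would match the new code.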