diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2017-09-14 14:48:39 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-09-20 12:50:23 +0100 |
commit | 6aaa29fb35c6d830c19e673650e6baf3f21ceda0 (patch) | |
tree | c9afe961f72bb3aba52bdcb7c067a8fd18d91d88 /ssl/ssl_lib.c | |
parent | b46867d771a5e08bbee450d73ff332388b93df96 (diff) |
Allow use of RSA-PSS certificates in TLS 1.2
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b02d4f1707..cc110bc677 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3090,9 +3090,15 @@ void ssl_set_masks(SSL *s) if (dh_tmp) mask_k |= SSL_kDHE; - if (rsa_enc || rsa_sign) { + /* + * If we only have an RSA-PSS certificate allow RSA authentication + * if TLS 1.2 and peer supports it. + */ + + if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) + && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION)) mask_a |= SSL_aRSA; - } if (dsa_sign) { mask_a |= SSL_aDSS; |