authorKurt Roeckx <kurt@roeckx.be>2020-01-02 22:53:32 +0100
committerKurt Roeckx <kurt@roeckx.be>2020-01-25 14:10:40 +0100
commitb0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5 (patch)
treeda10e34e905255c2db09f07aa8bd321e52c1a45e /ssl/ssl_local.h
parent5fd72d96a592c3c4ef28ff11c6ef334a856b0cd1 (diff)
Check that the default signature type is allowed
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the others. TLS 1.2 sends a list of supported ciphers, but allows not sending it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory. When we didn't receive a list from the client, we always used the defaults without checking that they are allowed by the configuration. Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #10784
Diffstat (limited to 'ssl/ssl_local.h')
-rw-r--r--ssl/ssl_local.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 14515cadfe..43b0623a0b 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2606,7 +2606,7 @@ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL *s);
-__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
+__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
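Review bot: The last parameter of the changed `ssl_cipher_disabled` prototype is still spelled `echde`, which looks like a transposition of `ecdhe`. Since the line is being touched anyway, it could read `__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe);`. The page is limited to this header, so the matching definition is not visible here; it needs the same `const SSL *s` qualifier or the two declarations will conflict at compile time. The prototype also has no comment saying what a non-zero result means or what `op` and the last flag select. A short `/* ... */` line above it stating the return convention would help, because callers use this result to decide whether an algorithm is permitted by configuration and an inverted reading would fail open.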