authorDr. Stephen Henson <steve@openssl.org>2012-04-06 11:33:12 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-04-06 11:33:12 +0000
commit0ffa49970b9f8ea66b43ce2eb7f8fd523b65bc2c (patch)
tree916ed4cced31cec4dd4e0728155451458c514d73 /ssl/ssl_rsa.c
parent8cd2ea552e3c6b0cc34e20959daae01b53f03bd7 (diff)
Backport support for fixed DH ciphersuites (from HEAD)
Diffstat (limited to 'ssl/ssl_rsa.c')
-rw-r--r--ssl/ssl_rsa.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index c0960b5712..b7c19051e9 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -182,8 +182,23 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
{
int i;
-
- i=ssl_cert_type(NULL,pkey);
+ /* Special case for DH: check two DH certificate types for a match.
+ * This means for DH certificates we must set the certificate first.
+ */
+ if (pkey->type == EVP_PKEY_DH)
+ {
+ X509 *x;
+ i = -1;
+ x = c->pkeys[SSL_PKEY_DH_RSA].x509;
+ if (x && X509_check_private_key(x, pkey))
+ i = SSL_PKEY_DH_RSA;
+ x = c->pkeys[SSL_PKEY_DH_DSA].x509;
+ if (i == -1 && x && X509_check_private_key(x, pkey))
+ i = SSL_PKEY_DH_DSA;
+ ERR_clear_error();
+ }
+ else
+ i=ssl_cert_type(NULL,pkey);
if (i < 0)
{
SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
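Review bot: The `ERR_clear_error();` at the end of the new DH branch empties the whole thread error queue, not only the entries left by the two `X509_check_private_key()` probes (presumably mismatch errors), so any error the application had queued before calling in is lost. Bracketing the probes with `ERR_set_mark();` before the first lookup and `ERR_pop_to_mark();` in place of `ERR_clear_error();` would discard just the probe errors. Separately, when no DH certificate has been loaded yet, `i` stays -1 and the caller sees `SSL_R_UNKNOWN_CERTIFICATE_TYPE`, which hides the ordering requirement that only the in-code comment states; a dedicated reason code or a note in the public API documentation that the certificate must be set before a DH key would make that failure diagnosable. The body of ssl_set_pkey continues past the end of this hunk, so how the later code uses `i` is not visible here.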