diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2017-03-01 17:15:43 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2017-03-03 21:58:33 +0000 |
| commit | 224b4e37c075f5bbe1573a90a1dc5e5d9a91d9c1 (patch) | |
| tree | c2ecf53e0372173a6ac7610105dbe36b26897034 /ssl/t1_lib.c | |
| parent | dbaa069a5eb7892b3178a21839a0e14b8d808d81 (diff) | |
Don't allow DSA for TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 099dcdb72a..87ef620e1b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1396,6 +1396,9 @@ static int tls12_sigalg_allowed(SSL *s, int op, uint16_t ptmp) /* See if sigalgs is recognised and if hash is enabled */ if (lu == NULL || ssl_md(lu->hash_idx) == NULL) return 0; + /* DSA is not allowed in TLS 1.3 */ + if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) + return 0; /* See if public key algorithm allowed */ if (tls12_get_pkey_idx(lu->sig) == -1) return 0; |