diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2013-01-15 16:18:13 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2013-01-15 16:18:13 +0000 |
| commit | 50b5966e574275c3745cf45d329239dad3305586 (patch) | |
| tree | 90ccbe8634ee3496a2612666412bd3321927c395 /ssl/t1_lib.c | |
| parent | 8eb4456f93d7fff93e494148e3b25ef847b89974 (diff) | |
Add support for broken protocol tests (backport from master branch)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index c74605af5f..a2f5a7fa25 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -707,6 +707,11 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { unsigned char curve_id[2]; EC_KEY *ec = s->cert->ecdh_tmp; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any curve: not just those peer supports */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + return 1; +#endif /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, * no other curves permitted. */ @@ -3424,6 +3429,32 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) tls1_set_shared_sigalgs(s); +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + { + /* Use first set signature preference to force message + * digest, ignoring any peer preferences. + */ + const unsigned char *sigs = NULL; + if (s->server) + sigs = c->conf_sigalgs; + else + sigs = c->client_sigalgs; + if (sigs) + { + idx = tls12_get_pkey_idx(sigs[1]); + md = tls12_get_hash(sigs[0]); + c->pkeys[idx].digest = md; + c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + if (idx == SSL_PKEY_RSA_SIGN) + { + c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + c->pkeys[SSL_PKEY_RSA_ENC].digest = md; + } + } + } +#endif + for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { @@ -3719,6 +3750,8 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) sig.sigalgcnt = 0; if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; + if (c == NULL) + return 1; return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); } @@ -3837,6 +3870,15 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* If no cert or key, forget it */ if (!x || !pk) goto end; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any certificate to pass test */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + { + rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN; + cpk->valid_flags = rv; + return rv; + } +#endif } else { |