diff options
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_lib.c | 32 |
1 files changed, 13 insertions, 19 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 65a515753e..720b24a734 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1864,7 +1864,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #endif X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; - int signature_nid = 0; + int signature_nid = 0, pk_nid = 0, md_nid = 0; if (c == NULL) return; @@ -1994,18 +1994,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) EVP_PKEY_bits(ecc_pkey) : 0; EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } #ifndef OPENSSL_NO_ECDH if (ecdh_ok) { - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - - if (strstr(sig, "WithRSA")) + + if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { mask_k|=SSL_kECDHr; mask_a|=SSL_aECDH; @@ -2016,7 +2013,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } } - if (signature_nid == NID_ecdsa_with_SHA1) + if (pk_nid == NID_X9_62_id_ecPublicKey) { mask_k|=SSL_kECDHe; mask_a|=SSL_aECDH; @@ -2070,7 +2067,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) unsigned long alg_k, alg_a; EVP_PKEY *pkey = NULL; int keysize = 0; - int signature_nid = 0; + int signature_nid = 0, md_nid = 0, pk_nid = 0; const SSL_CIPHER *cs = s->s3->tmp.new_cipher; alg_k = cs->algorithm_mkey; @@ -2089,7 +2086,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) /* This call populates the ex_flags field correctly */ X509_check_purpose(x, -1, 0); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { /* key usage, if present, must allow key agreement */ @@ -2101,7 +2101,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION) { /* signature alg must be ECDSA */ - if (signature_nid != NID_ecdsa_with_SHA1) + if (pk_nid != NID_X9_62_id_ecPublicKey) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); return 0; @@ -2111,13 +2111,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { /* signature alg must be RSA */ - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - if (strstr(sig, "WithRSA") == NULL) + if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); return 0; |