projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fix EAP-FAST
[openssl.git]
/
ssl
/
t1_lib.c
diff --git
a/ssl/t1_lib.c
b/ssl/t1_lib.c
index c076782842086fb3c3c9fca93f5845b6db7c4def..1826dd2bb3656eb2e12239c811ce1a0874cba80e 100644
(file)
--- a/
ssl/t1_lib.c
+++ b/
ssl/t1_lib.c
@@
-661,7
+661,12
@@
static const uint16_t tls12_sigalgs[] = {
TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384,
TLSEXT_SIGALG_dsa_sha256,
TLSEXT_SIGALG_dsa_sha384,
- TLSEXT_SIGALG_dsa_sha512
+ TLSEXT_SIGALG_dsa_sha512,
+#endif
+#ifndef OPENSSL_NO_GOST
+ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+ TLSEXT_SIGALG_gostr34102001_gostr3411,
#endif
};
#endif
};
@@
-857,6
+862,21
@@
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
break;
}
}
break;
}
}
+
+ /*
+ * Some GOST ciphersuites allow more than one signature algorithms
+ * */
+ if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) {
+ int real_idx;
+
+ for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01;
+ real_idx--) {
+ if (s->cert->pkeys[real_idx].privatekey != NULL) {
+ idx = real_idx;
+ break;
+ }
+ }
+ }
} else {
idx = s->cert->key - s->cert->pkeys;
}
} else {
idx = s->cert->key - s->cert->pkeys;
}
@@
-1467,11
+1487,13
@@
SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
}
}
}
}
- switch (ret) {
- case SSL_TICKET_NO_DECRYPT:
- case SSL_TICKET_SUCCESS_RENEW:
- case SSL_TICKET_EMPTY:
- s->ext.ticket_expected = 1;
+ if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
+ switch (ret) {
+ case SSL_TICKET_NO_DECRYPT:
+ case SSL_TICKET_SUCCESS_RENEW:
+ case SSL_TICKET_EMPTY:
+ s->ext.ticket_expected = 1;
+ }
}
*psess = sess;
}
*psess = sess;