X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=1826dd2bb3656eb2e12239c811ce1a0874cba80e;hp=c076782842086fb3c3c9fca93f5845b6db7c4def;hb=309371d6266877a8f04d0aa7b0f6add6d269d962;hpb=5f96a95e2562f026557f625e50c052e77c7bc2e8 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index c076782842..1826dd2bb3 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -661,7 +661,12 @@ static const uint16_t tls12_sigalgs[] = { TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, - TLSEXT_SIGALG_dsa_sha512 + TLSEXT_SIGALG_dsa_sha512, +#endif +#ifndef OPENSSL_NO_GOST + TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, + TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, + TLSEXT_SIGALG_gostr34102001_gostr3411, #endif }; @@ -857,6 +862,21 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) break; } } + + /* + * Some GOST ciphersuites allow more than one signature algorithms + * */ + if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) { + int real_idx; + + for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; + real_idx--) { + if (s->cert->pkeys[real_idx].privatekey != NULL) { + idx = real_idx; + break; + } + } + } } else { idx = s->cert->key - s->cert->pkeys; } @@ -1467,11 +1487,13 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, } } - switch (ret) { - case SSL_TICKET_NO_DECRYPT: - case SSL_TICKET_SUCCESS_RENEW: - case SSL_TICKET_EMPTY: - s->ext.ticket_expected = 1; + if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { + switch (ret) { + case SSL_TICKET_NO_DECRYPT: + case SSL_TICKET_SUCCESS_RENEW: + case SSL_TICKET_EMPTY: + s->ext.ticket_expected = 1; + } } *psess = sess;