For TLS < 1.2 use default digest for client certificate

author Dr. Stephen Henson <steve@openssl.org>

Sun, 29 Nov 2015 14:13:33 +0000 (14:13 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Mon, 30 Nov 2015 01:13:51 +0000 (01:13 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 29 Nov 2015 14:13:33 +0000 (14:13 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Mon, 30 Nov 2015 01:13:51 +0000 (01:13 +0000)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index dcfb44fdbfac85f903e1ce988011902059972f9a..bdeaf7e0e047a4251f2856e96c90c223676cc9cd 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3015,11 +3015,17 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
  #ifdef SSL_DEBUG
              fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
  #endif
-        } else if (pkey->type == EVP_PKEY_RSA) {
-            md = EVP_md5_sha1();
          } else {
-            md = EVP_sha1();
+            /* Use default digest for this key type */
+            int idx = ssl_cert_type(NULL, pkey);
+            if (idx >= 0)
+                md = s->s3->tmp.md[idx];
+            if (md == NULL) {
+                al = SSL_AD_INTERNAL_ERROR;
+                goto f_err;
+            }
          }
+
          if (!PACKET_get_net_2(pkt, &len)) {
              SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
              al = SSL_AD_DECODE_ERROR;
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 29 Nov 2015 14:13:33 +0000 (14:13 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Mon, 30 Nov 2015 01:13:51 +0000 (01:13 +0000)