Add SRP and PSK to disallowed CertificateRequest ciphersuites

There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 2ad41f5276a3bbbcd6cf9a4df8fbf0b6fd25abf5..c9d760f00e0bea4fc8672c9f95f8224ec927cbf0 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -182,8 +182,9 @@ static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
 static inline int cert_req_allowed(SSL *s)
 {
     /* TLS does not like anon-DH with client cert */
 static inline int cert_req_allowed(SSL *s)
 {
     /* TLS does not like anon-DH with client cert */

-    if (s->version > SSL3_VERSION
-            && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+    if ((s->version > SSL3_VERSION
+                && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+            || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))

         return 0;
 
     return 1;
         return 0;
 
     return 1;

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index a4bc0e380d4fdb5de0222e83f90d1593010413e1..6f51d5dc76f9957b4cfd9bf694e313aeceac8df6 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -391,7 +391,7 @@ static int send_certificate_request(SSL *s)
             * With normal PSK Certificates and Certificate Requests
             * are omitted
             */
             * With normal PSK Certificates and Certificate Requests
             * are omitted
             */

-           && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
+           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {

         return 1;
     }
 
         return 1;
     }