projects / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 04fac50)
Update fixed DH requirements.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 27 Mar 2013 16:05:10 +0000 (16:05 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 28 Mar 2013 14:14:27 +0000 (14:14 +0000)
The relaxed signing requirements for fixed DH certificates apply to DTLS 1.2
too.

ssl/s3_clnt.c patch | blob | history

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index d8b9079efc295ef3b17af962c091a64686932e40..0a9bc1a99a5d0794633703753a32cf8b8def5ebf 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3404,14 +3404,14 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
                goto f_err;
                }
-       else if ((alg_k & SSL_kDHr) && (TLS1_get_version(s) < TLS1_2_VERSION) &&
+       else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
                !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
                goto f_err;
                }
 #ifndef OPENSSL_NO_DSA
-       else if ((alg_k & SSL_kDHd) && (TLS1_get_version(s) < TLS1_2_VERSION) &&
+       else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
                !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
Unnamed repository; edit this file 'description' to name the repository.