make depend

[openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 0a006a75342893fd4f2fdd30f930ec220b7694fa..9fbe15e80c00a33147de922702d9efcddb69bf6f 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -334,9 +334,9 @@ int ssl3_connect(SSL *s)
                                break;
                                }
 #endif
-                       /* Check if it is anon DH/ECDH */
+                       /* Check if it is anon DH/ECDH, SRP auth */
                        /* or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
                            !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
@@ -1570,6 +1570,12 @@ int ssl3_get_key_exchange(SSL *s)
                p+=i;
                n-=param_len;
 
+               if (!srp_verify_server_param(s, &al))
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS);
+                       goto f_err;
+                       }
+
 /* We must check if there is a certificate */
 #ifndef OPENSSL_NO_RSA
                if (alg_a & SSL_aRSA)
@@ -1933,8 +1939,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                }
        else
                {
-               /* aNULL or kPSK do not need public keys */
-               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
+               /* aNULL, aSRP or kPSK do not need public keys */
+               if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
                        {
                        /* Might be wrong key type, check it */
                        if (ssl3_check_cert_and_algorithm(s))