projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
give more meaningful error if presented with wrong certificate type by server
[openssl.git] / ssl / s3_srvr.c
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 28f3bdd6e92259fd74890cead7361d4e9005c8e1..76f49f7978b9e0e0cfb56f6cba3a6dcb1ea34ef7 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1704,8 +1704,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                        ecdhp=cert->ecdh_tmp;
                        if (s->cert->ecdh_tmp_auto)
                                {
-                               /* Get NID of first shared curve */
-                               int nid = tls1_shared_curve(s, 0);
+                               /* Get NID of appropriate shared curve */
+                               int nid = tls1_shared_curve(s, -2);
                                if (nid != NID_undef)
                                        ecdhp = EC_KEY_new_by_curve_name(nid);
                                }
@@ -3051,26 +3051,15 @@ int ssl3_get_cert_verify(SSL *s)
                {       
                if (TLS1_get_version(s) >= TLS1_2_VERSION)
                        {
-                       int sigalg = tls12_get_sigid(pkey);
-                       /* Should never happen */
-                       if (sigalg == -1)
+                       int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
+                       if (rv == -1)
                                {
-                               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
-                               al=SSL_AD_INTERNAL_ERROR;
+                               al = SSL_AD_INTERNAL_ERROR;
                                goto f_err;
                                }
-                       /* Check key type is consistent with signature */
-                       if (sigalg != (int)p[1])
+                       else if (rv == 0)
                                {
-                               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE);
-                               al=SSL_AD_DECODE_ERROR;
-                               goto f_err;
-                               }
-                       md = tls12_get_hash(p[0]);
-                       if (md == NULL)
-                               {
-                               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
-                               al=SSL_AD_DECODE_ERROR;
+                               al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                                }
 #ifdef SSL_DEBUG
Unnamed repository; edit this file 'description' to name the repository.