diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-08-31 11:18:54 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-08-31 11:18:54 +0000 |
commit | d47c01a31a67ff4370b1883a58cabd0279752bb4 (patch) | |
tree | f4a20b85fe78d1b17263a3b2455d8fac76bd98be /ssl/ssl_lib.c | |
parent | ef6b34bec2adf7d62a91cb8901252bd95301a3d5 (diff) | |
download | openssl-d47c01a31a67ff4370b1883a58cabd0279752bb4.tar.gz |
perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 53 |
1 files changed, 6 insertions, 47 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f2318f114e..4289a745c9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2336,56 +2336,15 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif -/* THIS NEEDS CLEANING UP */ static int ssl_get_server_cert_index(SSL *s) { - unsigned long alg_k, alg_a; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - - if (alg_k & (SSL_kECDHr|SSL_kECDHe)) - { - /* we don't need to look at SSL_kEECDH - * since no certificate is needed for - * anon ECDH and for authenticated - * EECDH, the check for the auth - * algorithm will set i correctly - * NOTE: For ECDH-RSA, we need an ECC - * not an RSA cert but for EECDH-RSA - * we need an RSA cert. Placing the - * checks for SSL_kECDH before RSA - * checks ensures the correct cert is chosen. - */ - return SSL_PKEY_ECC; - } - else if (alg_a & SSL_aECDSA) - return SSL_PKEY_ECC; - else if (alg_k & SSL_kDHr) - return SSL_PKEY_DH_RSA; - else if (alg_k & SSL_kDHd) - return SSL_PKEY_DH_DSA; - else if (alg_a & SSL_aDSS) - return SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) - { - if (s->cert->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - return SSL_PKEY_RSA_SIGN; - else - return SSL_PKEY_RSA_ENC; - } - else if (alg_a & SSL_aKRB5) - /* VRS something else here? */ - return -1; - else if (alg_a & SSL_aGOST94) - return SSL_PKEY_GOST94; - else if (alg_a & SSL_aGOST01) - return SSL_PKEY_GOST01; - else /* if (alg_a & SSL_aNULL) */ - { + int idx; + idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); + if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509) + idx = SSL_PKEY_RSA_SIGN; + if (idx == -1) SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR); - return -1; - } + return idx; } CERT_PKEY *ssl_get_server_send_pkey(SSL *s) |