author | Matt Caswell <matt@openssl.org> | 2015-10-26 23:11:44 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-10-30 08:39:47 +0000 |
commit | b7fa1f989d0059ad7b992c11797f37f095d61204 (patch) | |
tree | 356b00fb0e793ebe6a43c184598b99c318751dc2 /ssl | |
parent | bb3e20cf8c5e733c16fe68ce41f67eea5a2a520e (diff) | |
download | openssl-b7fa1f989d0059ad7b992c11797f37f095d61204.tar.gz |
Add SRP and PSK to disallowed CertificateRequest ciphersuites
There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_clnt.c | 5 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 2 |
2 files changed, 4 insertions, 3 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 2ad41f5276..c9d760f00e 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -182,8 +182,9 @@ static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
 static inline int cert_req_allowed(SSL *s)
 {
     /* TLS does not like anon-DH with client cert */
-    if (s->version > SSL3_VERSION
-        && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+    if ((s->version > SSL3_VERSION
+         && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+        || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
         return 0;
     return 1;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index a4bc0e380d..6f51d5dc76 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -391,7 +391,7 @@ static int send_certificate_request(SSL *s)
      * With normal PSK Certificates and Certificate Requests
      * are omitted */
-    && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
+    && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
         return 1;
     }
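Review bot: The comment `/* TLS does not like anon-DH with client cert */` above the rewritten condition in cert_req_allowed now explains only the first operand; the new `(SSL_aSRP | SSL_aPSK)` operand has no stated reason, so a reader cannot tell whether it is a spec rule or an implementation limit. Add a why-comment on the line before the `||` operand, e.g. `/* SRP and PSK ciphersuites never carry a client certificate */`. The comment should also say that the `s->version > SSL3_VERSION` guard is intentionally limited to the anonymous case, so SRP/PSK are refused at every protocol version and nobody later "fixes" the asymmetry. The function's closing brace lies outside the hunk.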
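Review bot: Replacing `algorithm_mkey & SSL_PSK` with `algorithm_auth & SSL_aPSK` narrows this exclusion from every ciphersuite that uses PSK key exchange to those whose authentication is PSK; if the cipher table flags any PSK variant (RSA-PSK, presumably) with SSL_PSK in algorithm_mkey but a non-PSK bit in algorithm_auth, such suites now reach `return 1` and the server will send a CertificateRequest where it previously did not — confirm against the cipher table that this is the intended behaviour and that it matches the client-side check, which likewise tests only SSL_aPSK. The preceding comment `With normal PSK Certificates and Certificate Requests are omitted` should state that "normal PSK" means suites authenticated by PSK, i.e. `SSL_aPSK`. Since the commit message itself records that the client and server rules drifted apart, expressing the disallowed set once in a shared helper used by both files would prevent a repeat. send_certificate_request's condition begins before the hunk.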