Don't check certificate type against ciphersuite for TLS 1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
Dr. Stephen Henson 2017-01-30 15:34:25 +00:00
parent 8f88cb53dd
commit 05b8486e47


@ -1562,17 +1562,23 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
SSL_R_UNKNOWN_CERTIFICATE_TYPE); SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err; goto f_err;
} }
/*
exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); * Check certificate type is consistent with ciphersuite. For TLS 1.3
if (exp_idx >= 0 && i != exp_idx * skip check since TLS 1.3 ciphersuites can be used with any certificate
&& (exp_idx != SSL_PKEY_GOST_EC || * type.
(i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256 */
&& i != SSL_PKEY_GOST01))) { if (!SSL_IS_TLS13(s)) {
x = NULL; exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
al = SSL_AD_ILLEGAL_PARAMETER; if (exp_idx >= 0 && i != exp_idx
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, && (exp_idx != SSL_PKEY_GOST_EC ||
SSL_R_WRONG_CERTIFICATE_TYPE); (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
goto f_err; && i != SSL_PKEY_GOST01))) {
x = NULL;
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_WRONG_CERTIFICATE_TYPE);
goto f_err;
}
} }
s->session->peer_type = i; s->session->peer_type = i;