mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Change tls_choose_sigalg so it can set errors and alerts.

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
This commit is contained in:
Dr. Stephen Henson 2017-02-13 15:50:43 +00:00
parent 4020c0b33b
commit 4a419f6018
5 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/openssl/ssl.h
View File

@ -2259,6 +2259,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_TLS1_PRF 284 # define SSL_F_TLS1_PRF 284
# define SSL_F_TLS1_SETUP_KEY_BLOCK 211 # define SSL_F_TLS1_SETUP_KEY_BLOCK 211
# define SSL_F_TLS1_SET_SERVER_SIGALGS 335 # define SSL_F_TLS1_SET_SERVER_SIGALGS 335
# define SSL_F_TLS_CHOOSE_SIGALG 510
# define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 354 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 354
# define SSL_F_TLS_COLLECT_EXTENSIONS 435 # define SSL_F_TLS_COLLECT_EXTENSIONS 435
# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 372 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 372

1
ssl/ssl_err.c
View File

@ -261,6 +261,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_PRF"}, {ERR_FUNC(SSL_F_TLS1_PRF), "tls1_PRF"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
{ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS), "tls1_set_server_sigalgs"}, {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS), "tls1_set_server_sigalgs"},
{ERR_FUNC(SSL_F_TLS_CHOOSE_SIGALG), "tls_choose_sigalg"},
{ERR_FUNC(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK), {ERR_FUNC(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK),
"tls_client_key_exchange_post_work"}, "tls_client_key_exchange_post_work"},
{ERR_FUNC(SSL_F_TLS_COLLECT_EXTENSIONS), "tls_collect_extensions"}, {ERR_FUNC(SSL_F_TLS_COLLECT_EXTENSIONS), "tls_collect_extensions"},

2
ssl/ssl_locl.h
View File

@ -2280,7 +2280,7 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
int vfy); int vfy);
int tls_choose_sigalg(SSL *s); int tls_choose_sigalg(SSL *s, int *al);
__owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash); void ssl_clear_hash_ctx(EVP_MD_CTX **hash);

6
ssl/statem/statem_srvr.c
View File

@ -1822,12 +1822,8 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
goto f_err; goto f_err;
} }
s->s3->tmp.new_cipher = cipher; s->s3->tmp.new_cipher = cipher;
if (!tls_choose_sigalg(s)) { if (!tls_choose_sigalg(s, &al))
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
goto f_err; goto f_err;
}
/* check whether we should disable session resumption */ /* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL) if (s->not_resumable_session_cb != NULL)
s->session->not_resumable = s->session->not_resumable =

4
ssl/t1_lib.c
View File

@ -2268,7 +2268,7 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
* Choose an appropriate signature algorithm based on available certificates * Choose an appropriate signature algorithm based on available certificates
* Set current certificate and digest to match chosen algorithm. * Set current certificate and digest to match chosen algorithm.
*/ */
int tls_choose_sigalg(SSL *s) int tls_choose_sigalg(SSL *s, int *al)
{ {
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
size_t i; size_t i;
@ -2312,6 +2312,8 @@ int tls_choose_sigalg(SSL *s)
s->cert->key = s->cert->pkeys + idx; s->cert->key = s->cert->pkeys + idx;
return 1; return 1;
} }
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0; return 0;
} }
/* /*