zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow use of RSA-PSS certificates in TLS 1.2

Browse Source 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
This commit is contained in:
Dr. Stephen Henson 2017-09-14 14:48:39 +01:00
parent b46867d771
commit 6aaa29fb35
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/ssl_lib.c
View File

@ -3090,9 +3090,15 @@ void ssl_set_masks(SSL *s)
if (dh_tmp) if (dh_tmp)
mask_k |= SSL_kDHE; mask_k |= SSL_kDHE;
if (rsa_enc || rsa_sign) { /*
* If we only have an RSA-PSS certificate allow RSA authentication
* if TLS 1.2 and peer supports it.
*/
if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
&& pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
&& TLS1_get_version(s) == TLS1_2_VERSION))
mask_a |= SSL_aRSA; mask_a |= SSL_aRSA;
}
if (dsa_sign) { if (dsa_sign) {
mask_a |= SSL_aDSS; mask_a |= SSL_aDSS;