diff options
| author | beck <> | 2019-01-23 18:39:28 +0000 |
|---|---|---|
| committer | beck <> | 2019-01-23 18:39:28 +0000 |
| commit | 934b3985a409d7e0a88557dd4313222194a110bd (patch) | |
| tree | e5f32c31b20068e7d8674ff7ddb1ea2fe2ca16fa /src/lib/libssl/ssl_clnt.c | |
| parent | 03a77eef903481d4308502d32fca33a961c4bb3a (diff) | |
| download | openbsd-934b3985a409d7e0a88557dd4313222194a110bd.tar.gz openbsd-934b3985a409d7e0a88557dd4313222194a110bd.tar.bz2 openbsd-934b3985a409d7e0a88557dd4313222194a110bd.zip | |
Modify sigalgs extension processing to accomodate TLS 1.3.
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 26755d7c03..e9e900b643 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.54 2019/01/23 18:24:40 beck Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.55 2019/01/23 18:39:28 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1680 | SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); | 1680 | SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); |
| 1681 | goto err; | 1681 | goto err; |
| 1682 | } | 1682 | } |
| 1683 | if (!tls1_process_sigalgs(s, &sigalgs)) { | 1683 | if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs, |
| 1684 | tls12_sigalgs_len)) { | ||
| 1684 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | 1685 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
| 1685 | SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); | 1686 | SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); |
| 1686 | goto err; | 1687 | goto err; |