1 files changed, 15 insertions, 32 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 497515f9ec..a3c9309488 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1830,7 +1830,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #endif
        X509 *x = NULL;
        EVP_PKEY *ecc_pkey = NULL;
-        int signature_nid = 0;
+        int signature_nid = 0, pk_nid = 0, md_nid = 0;
        if (c == NULL) return;
@@ -1960,18 +1960,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                    EVP_PKEY_bits(ecc_pkey) : 0;
                EVP_PKEY_free(ecc_pkey);
                if ((x->sig_alg) && (x->sig_alg->algorithm))
+                        {
                        signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                        }
 #ifndef OPENSSL_NO_ECDH
                if (ecdh_ok)
                        {
-                        const char *sig = OBJ_nid2ln(signature_nid);
-                        if (sig == NULL)
+                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                                
-                        if (strstr(sig, "WithRSA"))
                                {
                                mask_k|=SSL_kECDHr;
                                mask_a|=SSL_aECDH;
@@ -1982,7 +1979,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                                        }
                                }
-                        if (signature_nid == NID_ecdsa_with_SHA1)
+                        if (pk_nid == NID_X9_62_id_ecPublicKey)
                                {
                                mask_k|=SSL_kECDHe;
                                mask_a|=SSL_aECDH;
@@ -2036,7 +2033,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
        unsigned long alg_k, alg_a;
        EVP_PKEY *pkey = NULL;
        int keysize = 0;
-        int signature_nid = 0;
+        int signature_nid = 0, md_nid = 0, pk_nid = 0;
        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
@@ -2054,7 +2051,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
        /* This call populates the ex_flags field correctly */
        X509_check_purpose(x, -1, 0);
        if ((x->sig_alg) && (x->sig_alg->algorithm))
+                {
                signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                }
        if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
                {
                /* key usage, if present, must allow key agreement */
@@ -2066,7 +2066,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                if (alg_k & SSL_kECDHe)
                        {
                        /* signature alg must be ECDSA */
-                        if (signature_nid != NID_ecdsa_with_SHA1)
+                        if (pk_nid != NID_X9_62_id_ecPublicKey)
                                {
                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
                                return 0;
@@ -2076,13 +2076,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                        {
                        /* signature alg must be RSA */
-                        const char *sig = OBJ_nid2ln(signature_nid);
+                        if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
-                        if (sig == NULL)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                        if (strstr(sig, "WithRSA") == NULL)
                                {
                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
                                return 0;
@@ -2107,23 +2101,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
        {
-        unsigned long alg_k,alg_a,mask_k,mask_a;
+        unsigned long alg_k,alg_a;
        CERT *c;
-        int i,is_export;
+        int i;
        c=s->cert;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-        if (is_export)
-                {
-                mask_k = c->export_mask_k;
-                mask_a = c->export_mask_a;
-                }
-        else
-                {
-                mask_k = c->mask_k;
-                mask_a = c->mask_a;
-                }
        
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 497515f9ec..a3c9309488 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1830,7 +1830,7 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1830	#endif	1830	#endif
1831	X509 *x = NULL;	1831	X509 *x = NULL;
1832	EVP_PKEY *ecc_pkey = NULL;	1832	EVP_PKEY *ecc_pkey = NULL;
1833	int signature_nid = 0;	1833	int signature_nid = 0, pk_nid = 0, md_nid = 0;
1834		1834
1835	if (c == NULL) return;	1835	if (c == NULL) return;
1836		1836
@@ -1960,18 +1960,15 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1960	EVP_PKEY_bits(ecc_pkey) : 0;	1960	EVP_PKEY_bits(ecc_pkey) : 0;
1961	EVP_PKEY_free(ecc_pkey);	1961	EVP_PKEY_free(ecc_pkey);
1962	if ((x->sig_alg) && (x->sig_alg->algorithm))	1962	if ((x->sig_alg) && (x->sig_alg->algorithm))
		1963	{
1963	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);	1964	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
		1965	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
		1966	}
1964	#ifndef OPENSSL_NO_ECDH	1967	#ifndef OPENSSL_NO_ECDH
1965	if (ecdh_ok)	1968	if (ecdh_ok)
1966	{	1969	{
1967	const char *sig = OBJ_nid2ln(signature_nid);	1970
1968	if (sig == NULL)	1971	if (pk_nid == NID_rsaEncryption \|\| pk_nid == NID_rsa)
1969	{
1970	ERR_clear_error();
1971	sig = "unknown";
1972	}
1973
1974	if (strstr(sig, "WithRSA"))
1975	{	1972	{
1976	mask_k\|=SSL_kECDHr;	1973	mask_k\|=SSL_kECDHr;
1977	mask_a\|=SSL_aECDH;	1974	mask_a\|=SSL_aECDH;
@@ -1982,7 +1979,7 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
1982	}	1979	}
1983	}	1980	}
1984		1981
1985	if (signature_nid == NID_ecdsa_with_SHA1)	1982	if (pk_nid == NID_X9_62_id_ecPublicKey)
1986	{	1983	{
1987	mask_k\|=SSL_kECDHe;	1984	mask_k\|=SSL_kECDHe;
1988	mask_a\|=SSL_aECDH;	1985	mask_a\|=SSL_aECDH;
@@ -2036,7 +2033,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2036	unsigned long alg_k, alg_a;	2033	unsigned long alg_k, alg_a;
2037	EVP_PKEY *pkey = NULL;	2034	EVP_PKEY *pkey = NULL;
2038	int keysize = 0;	2035	int keysize = 0;
2039	int signature_nid = 0;	2036	int signature_nid = 0, md_nid = 0, pk_nid = 0;
2040		2037
2041	alg_k = cs->algorithm_mkey;	2038	alg_k = cs->algorithm_mkey;
2042	alg_a = cs->algorithm_auth;	2039	alg_a = cs->algorithm_auth;
@@ -2054,7 +2051,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2054	/* This call populates the ex_flags field correctly */	2051	/* This call populates the ex_flags field correctly */
2055	X509_check_purpose(x, -1, 0);	2052	X509_check_purpose(x, -1, 0);
2056	if ((x->sig_alg) && (x->sig_alg->algorithm))	2053	if ((x->sig_alg) && (x->sig_alg->algorithm))
		2054	{
2057	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);	2055	signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
		2056	OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
		2057	}
2058	if (alg_k & SSL_kECDHe \|\| alg_k & SSL_kECDHr)	2058	if (alg_k & SSL_kECDHe \|\| alg_k & SSL_kECDHr)
2059	{	2059	{
2060	/* key usage, if present, must allow key agreement */	2060	/* key usage, if present, must allow key agreement */
@@ -2066,7 +2066,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2066	if (alg_k & SSL_kECDHe)	2066	if (alg_k & SSL_kECDHe)
2067	{	2067	{
2068	/* signature alg must be ECDSA */	2068	/* signature alg must be ECDSA */
2069	if (signature_nid != NID_ecdsa_with_SHA1)	2069	if (pk_nid != NID_X9_62_id_ecPublicKey)
2070	{	2070	{
2071	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);	2071	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2072	return 0;	2072	return 0;
@@ -2076,13 +2076,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2076	{	2076	{
2077	/* signature alg must be RSA */	2077	/* signature alg must be RSA */
2078		2078
2079	const char *sig = OBJ_nid2ln(signature_nid);	2079	if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
2080	if (sig == NULL)
2081	{
2082	ERR_clear_error();
2083	sig = "unknown";
2084	}
2085	if (strstr(sig, "WithRSA") == NULL)
2086	{	2080	{
2087	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);	2081	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2088	return 0;	2082	return 0;
@@ -2107,23 +2101,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2107	/* THIS NEEDS CLEANING UP */	2101	/* THIS NEEDS CLEANING UP */
2108	X509 ssl_get_server_send_cert(SSL s)	2102	X509 ssl_get_server_send_cert(SSL s)
2109	{	2103	{
2110	unsigned long alg_k,alg_a,mask_k,mask_a;	2104	unsigned long alg_k,alg_a;
2111	CERT *c;	2105	CERT *c;
2112	int i,is_export;	2106	int i;
2113		2107
2114	c=s->cert;	2108	c=s->cert;
2115	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);	2109	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2116	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
2117	if (is_export)
2118	{
2119	mask_k = c->export_mask_k;
2120	mask_a = c->export_mask_a;
2121	}
2122	else
2123	{
2124	mask_k = c->mask_k;
2125	mask_a = c->mask_a;
2126	}
2127		2110
2128	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;	2111	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2129	alg_a = s->s3->tmp.new_cipher->algorithm_auth;	2112	alg_a = s->s3->tmp.new_cipher->algorithm_auth;