Add SRP and PSK to disallowed CertificateRequest ciphersuites

There was a discrepancy between what ciphersuites we allowed to send a CertificateRequest, and what ciphersuites we allowed to receive one. So add PSK and SRP to the disallowed ones. Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Richard Levitte <levitte@openssl.org>

Add SRP and PSK to disallowed CertificateRequest ciphersuites
There was a discrepancy between what ciphersuites we allowed to send a CertificateRequest, and what ciphersuites we allowed to receive one. So add PSK and SRP to the disallowed ones. Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Richard Levitte <levitte@openssl.org>
b7fa1f98 · Matt Caswell · bb3e20cf · b7fa1f98 · b7fa1f98
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

ssl/statem/statem_clnt.c ssl/statem/statem_clnt.c +3 -2

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +1 -1

未找到文件。
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -182,8 +182,9 @@ static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
 static inline int cert_req_allowed(SSL *s)
 {
    /* TLS does not like anon-DH with client cert */
-    if (s->version > SSL3_VERSION
-            && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+    if ((s->version > SSL3_VERSION
+                && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+            || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
        return 0;

    return 1;

--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -391,7 +391,7 @@ static int send_certificate_request(SSL *s)
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
-           && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
+           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
        return 1;
    }