Commit b7fa1f98 authored by Matt Caswell

Add SRP and PSK to disallowed CertificateRequest ciphersuites



There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
parent bb3e20cf
+3 −2
@@ -182,8 +182,9 @@ static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
static inline int cert_req_allowed(SSL *s)
{
    /* TLS does not like anon-DH with client cert */
    if (s->version > SSL3_VERSION
    if ((s->version > SSL3_VERSION
                && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
            || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
        return 0;

    return 1;
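
Review bot: the comment at the top of cert_req_allowed() still only mentions anon-DH, but the condition now also returns 0 for any cipher whose algorithm_auth has SSL_aSRP or SSL_aPSK set, and that second branch is not gated on s->version > SSL3_VERSION. Extend the comment to say that SRP and PSK authentication never permit a CertificateRequest at any protocol version, so the version-independent branch reads as intentional rather than as a misplaced parenthesis.
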
+1 −1
@@ -391,7 +391,7 @@ static int send_certificate_request(SSL *s)
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
           && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
        return 1;
    }
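
Review bot: the PSK test in send_certificate_request() moves from the key-exchange mask (algorithm_mkey & SSL_PSK) to the authentication mask (algorithm_auth & SSL_aPSK), which changes the decision for any cipher that has a PSK key exchange but a non-PSK algorithm_auth, and neither the comment ("With normal PSK Certificates and Certificate Requests are omitted") nor the commit message says so. Please state in the comment that the check is deliberately on the auth algorithm so that it matches cert_req_allowed() on the receiving side. The visible part of this condition also tests only SSL_aPSK while the receive side rejects SSL_aSRP | SSL_aPSK; confirm that SRP is excluded in the part of the condition above this hunk, or add it here.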