Fixed selection of ECDHE_RSA suites for pre-1.2 TLS versions.
author
Thomas Pornin
<pornin@bolet.org>
Thu, 6 Jul 2017 22:49:58 +0000
(
00:49
+0200)
committer
Thomas Pornin
<pornin@bolet.org>
Thu, 6 Jul 2017 22:49:58 +0000
(
00:49
+0200)
src/ssl/ssl_scert_single_rsa.c
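--- a/src/ssl/ssl_scert_single_rsa.c
+++ b/src/ssl/ssl_scert_single_rsa.c
@@ -33,12 +33,17 @@ sr_choose(const br_ssl_server_policy_class **pctx,
 const br_suite_translated *st;
 size_t u, st_num;
 unsigned hash_id;
+int fh;
 pc = (br_ssl_server_policy_rsa_context *)pctx;
 st = br_ssl_server_get_client_suites(cc, &st_num);
-hash_id = br_ssl_choose_hash(br_ssl_server_get_client_hashes(cc));
 if (cc->eng.session.version < BR_TLS12) {
 hash_id = 0;
+fh = 1;
+} else {
+hash_id = br_ssl_choose_hash(
+br_ssl_server_get_client_hashes(cc));
+fh = (hash_id != 0);
 }
 choices->chain = pc->chain;
 choices->chain_len = pc->chain_len;
@@ -54,9 +59,7 @@ sr_choose(const br_ssl_server_policy_class **pctx,
 }
 break;
 case BR_SSLKEYX_ECDHE_RSA:
-if ((pc->allowed_usages & BR_KEYTYPE_SIGN) != 0
-&& hash_id != 0)
-{
+if ((pc->allowed_usages & BR_KEYTYPE_SIGN) != 0 && fh) {
 choices->cipher_suite = st[u][0];
 choices->algo_id = hash_id + 0xFF00;
 return 1;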
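Review bot: The new `fh` flag and the `hash_id = 0` it accompanies in the pre-1.2 branch carry no comment, although the distinction they encode is exactly the bug being fixed: previously `hash_id == 0` meant both "client offered no usable hash" (TLS 1.2) and "no hash negotiation exists" (TLS 1.0/1.1), so the `hash_id != 0` test in the ECDHE_RSA case rejected every pre-1.2 handshake. I would add above `int fh;` a comment such as `/* fh: non-zero when an ECDHE_RSA signature can be produced; always set for TLS < 1.2, where hash_id 0 is not a failure but the protocol's fixed pre-1.2 signature hash. */`, and `/* no hash negotiation before TLS 1.2 */` next to `hash_id = 0;`. A name such as `sig_ok` would carry that meaning better than `fh`, which reads as a file handle. Which signature construction hash_id 0 actually selects downstream of `algo_id = hash_id + 0xFF00` is not visible in this hunk, so the comment wording should be checked against the consumer of algo_id. sr_choose begins before the first hunk and continues after the second.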