status-im
/
BearSSL
mirror of https://github.com/status-im/BearSSL.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixed selection of ECDHE_RSA suites for pre-1.2 TLS versions.

This commit is contained in:
Thomas Pornin 2017-07-07 00:49:58 +02:00
parent ea95d8264c
commit 57b2175020
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/ssl/ssl_scert_single_rsa.c
View File

@ -33,12 +33,17 @@ sr_choose(const br_ssl_server_policy_class **pctx,
const br_suite_translated *st;
size_t u, st_num;
unsigned hash_id;
int fh;
pc = (br_ssl_server_policy_rsa_context *)pctx;
st = br_ssl_server_get_client_suites(cc, &st_num);
hash_id = br_ssl_choose_hash(br_ssl_server_get_client_hashes(cc));
if (cc->eng.session.version < BR_TLS12) {
hash_id = 0;
fh = 1;
} else {
hash_id = br_ssl_choose_hash(
br_ssl_server_get_client_hashes(cc));
fh = (hash_id != 0);
}
choices->chain = pc->chain;
choices->chain_len = pc->chain_len;
@ -54,9 +59,7 @@ sr_choose(const br_ssl_server_policy_class **pctx,
}
break;
case BR_SSLKEYX_ECDHE_RSA:
if ((pc->allowed_usages & BR_KEYTYPE_SIGN) != 0
&& hash_id != 0)
{
if ((pc->allowed_usages & BR_KEYTYPE_SIGN) != 0 && fh) {
choices->cipher_suite = st[u][0];
choices->algo_id = hash_id + 0xFF00;
return 1;