Abort the handshake if the signature algorithm used is not supported by the peer.
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 28f3bdd..2f23f21 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3051,26 +3051,15 @@
{
if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
- int sigalg = tls12_get_sigid(pkey);
- /* Should never happen */
- if (sigalg == -1)
+ int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
+ if (rv == -1)
{
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
- al=SSL_AD_INTERNAL_ERROR;
+ al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
- /* Check key type is consistent with signature */
- if (sigalg != (int)p[1])
+ else if (rv == 0)
{
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE);
- al=SSL_AD_DECODE_ERROR;
- goto f_err;
- }
- md = tls12_get_hash(p[0]);
- if (md == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
- al=SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
goto f_err;
}
#ifdef SSL_DEBUG
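Review bot: Both failure branches of the new code (the `rv == -1` and `rv == 0` checks) drop the `SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ...)` calls that the removed lines raised, so the reason code now has to come from inside tls12_check_peer_sigalg; that helper is not in this hunk, and if it does not push its own error the alert goes out with an empty error queue and the distinction between an internal error and a wrong/unknown signature type is lost to the caller. The return contract the branches rely on (1 = accepted and `md` set, 0 = peer sigalg mismatch or unsupported digest, -1 = internal error) is implicit; a comment above the call such as `/* rv: 1 = ok (md set), 0 = sigalg/digest not acceptable, -1 = internal error */` would make the mapping to SSL_AD_DECODE_ERROR vs SSL_AD_INTERNAL_ERROR readable, assuming that is indeed the helper's contract. The `else` before `if (rv == 0)` is redundant since the preceding branch ends in `goto f_err`. The enclosing function (ssl3_get_cert_verify, judging by the SSL_F_ constant) starts before and continues after this hunk, so whether `md` is guaranteed set on every path that reaches the later verification cannot be checked here.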