From: Dr. Stephen Henson Date: Wed, 27 Mar 2013 16:05:10 +0000 (+0000) Subject: Update fixed DH requirements. X-Git-Tag: OpenSSL_1_0_2-beta1~266 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=919834dc847d0652c58da641f867fe21ad2774ac;p=oweals%2Fopenssl.git Update fixed DH requirements. The relaxed signing requirements for fixed DH certificates apply to DTLS 1.2 too. (cherry picked from commit fbbaaccaca32742f09dfb02e5e28dcd20f64a17f)
---
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e9c716ff95..fea40acefb 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3404,14 +3404,14 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
 goto f_err;
 }
- else if ((alg_k & SSL_kDHr) && (TLS1_get_version(s) < TLS1_2_VERSION) &&
+ else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
 !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
 goto f_err;
 }
 #ifndef OPENSSL_NO_DSA
- else if ((alg_k & SSL_kDHd) && (TLS1_get_version(s) < TLS1_2_VERSION) &&
+ else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
 !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
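Review bot: Placing `!SSL_USE_SIGALGS(s)` in front of the `has_bits` test makes both fixed-DH branches (`SSL_kDHr` and `SSL_kDHd`) skip the whole test whenever signature algorithms are in use, so the `EVP_PK_DH` bit goes unchecked along with the `EVP_PKS_RSA`/`EVP_PKS_DSA` signer bit that the relaxed rule is actually about. If nothing else on this path confirms that the server certificate carries a DH key, the condition could keep that half, for example `else if ((alg_k & SSL_kDHr) && !has_bits(i, (SSL_USE_SIGALGS(s) ? EVP_PK_DH : (EVP_PK_DH|EVP_PKS_RSA))))`, with the same shape for the DSA branch. A short comment above the first branch, such as `/* with signature algorithms negotiated, the cert's signer type is not tied to the key exchange */`, would record why the guard exists. The body of ssl3_check_cert_and_algorithm starts and ends outside the hunk, so a DH-key check may exist elsewhere that is not visible here.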