From 169bfb46102ceb254e180e0b8265382aab7ef7f0 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 1 Mar 2016 11:30:01 +0100
Subject: libsec: fix verifyDHparams() for version <= TLS1.1

for version <= TLS1.1, there is no sigalg field in the ServerKeyExchange message and the signature digest algorithm is fixed to md5+sha1 and we only support RSA signatures (TLS1.1 doesnt know about ECDSA).
---
 sys/src/libsec/port/tlshand.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/src/libsec/port/tlshand.c b/sys/src/libsec/port/tlshand.c
index 582a43f0a..9606ed0be 100644
--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -1035,6 +1035,7 @@ verifyDHparams(TlsConnection *c, Bytes *par, Bytes *sig, int sigalg)
 digestlen = MD5dlen + SHA1dlen;
 md5(blob->data, blob->len, digest, nil);
 sha1(blob->data, blob->len, digest+MD5dlen, nil);
+sigalg = 1; // only RSA signatures supported for version <= TLS1.1
 } else {
 int hashalg = (sigalg>>8) & 0xFF;
 digestlen = -1;
-- 
cgit v1.2.3
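Review bot: The added line assigns the bare literal `1` to sigalg, whose meaning is only recoverable from the else branch, where the hash id is unpacked with `(sigalg>>8) & 0xFF`, leaving the low byte for the signature id; nothing in the hunk names that encoding. Suggest extending the comment to `sigalg = 1; /* hash implicit (md5+sha1); low byte = TLS SignatureAlgorithm rsa(1) */`, or using the file's constant for the RSA signature id if one exists rather than the literal. Since this overrides whatever value the caller passed for these versions, a peer presenting a non-RSA certificate on a TLS1.0/1.1 connection has to be rejected by the signature check that follows, which lies outside the hunk and cannot be confirmed here. The body of verifyDHparams starts and ends outside the hunk.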