summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-01-05 14:58:16 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-01-05 14:58:16 +0100
commit555766063e08fc675b88e06560f79456c4ba4f24 (patch)
treedd7a58b86f55df35938dd0e919bb8b1586c688f4
parentcd9596adfd9348b4fab60e8613586597af4c9722 (diff)
downloadgnutls-555766063e08fc675b88e06560f79456c4ba4f24.tar.gz
Disable signature algorithms that are not supported for client certificate verification.
Diffstat
-rw-r--r--NEWS3
-rw-r--r--lib/ext_signature.c6
2 files changed, 8 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 182a0cd0c6..0638a51c85 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
Version 2.12.15 (unreleased)
+** libgnutls: Disable signature algorithms that are not supported
+for client certificate verification.
+
** libgnutls: Optimized DH generation process (ported from 3.0.x)
** API and ABI modifications:
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index 48eb5358e3..e8d8560d39 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -127,7 +127,7 @@ int
_gnutls_sign_algorithm_parse_data (gnutls_session_t session,
const opaque * data, size_t data_size)
{
- int sig, i;
+ int sig, i, hash;
sig_ext_st *priv;
extension_priv_data_t epriv;
@@ -150,6 +150,10 @@ _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
_gnutls_debug_log ("EXT[SIGA]: rcvd signature algo (%d.%d) %s\n", aid.hash_algorithm,
aid.sign_algorithm, gnutls_sign_get_name(sig));
+ hash = _gnutls_sign_get_hash_algorithm(sig);
+ if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256)
+ continue;
+
if (sig != GNUTLS_SIGN_UNKNOWN)
{
priv->sign_algorithms[priv->sign_algorithms_size++] = sig;
View Lorry Controller Status