author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-21 17:30:43 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-27 11:17:09 +0200 |
commit | 02d95898f840e8ad383e198715af802a66d4b85a (patch) | |
tree | 770953ccced75f877c9f2f65f13636c378d41b32 | |
parent | 417a7934d66f907c1bb5a2cd285782345625b1ac (diff) | |
download | gnutls-02d95898f840e8ad383e198715af802a66d4b85a.tar.gz |
Terminate handshake if only unknown or disabled signatures are advertized by the peer
That is, do not attempt to proceed assuming that the peer supports SHA-1.
-rw-r--r-- | lib/ext/signature.c | 15 | ||||
-rw-r--r-- | lib/gnutls_alert.c | 1 |
2 files changed, 8 insertions, 8 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 5ecc76a019..487dacc560 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2002-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2002-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2016 Red Hat, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
@@ -150,12 +151,12 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
 gnutls_sign_get_name(sig));
 if (sig != GNUTLS_SIGN_UNKNOWN) {
- priv->sign_algorithms[priv->
- sign_algorithms_size++] =
- sig;
 if (priv->sign_algorithms_size == MAX_SIGNATURE_ALGORITHMS) break;
+ priv->sign_algorithms[priv->
+ sign_algorithms_size++] =
+ sig;
 }
 }
@@ -195,7 +196,7 @@ _gnutls_signature_algorithm_recv_params(gnutls_session_t session,
 } else {
 /* SERVER SIDE - we must check if the sent cert type is the right one */
- if (data_size > 2) {
+ if (data_size >= 2) {
 uint16_t len;
 DECR_LEN(data_size, 2);
@@ -278,10 +279,8 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 &epriv);
 priv = epriv.ptr;
- if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)
- || priv->sign_algorithms_size == 0)
+ if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)) {
 /* none set, allow SHA-1 only */
- {
 ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1);
 if (_gnutls_session_sign_algo_enabled(session, ret) < 0) goto fail;
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 66270dc18a..9ed75c1014 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -239,6 +239,7 @@ int gnutls_error_to_alert(int err, int *level)
 case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM:
 case GNUTLS_E_SAFE_RENEGOTIATION_FAILED:
 case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL:
+ case GNUTLS_E_UNKNOWN_PK_ALGORITHM:
 ret = GNUTLS_A_HANDSHAKE_FAILURE;
 _level = GNUTLS_AL_FATAL;
 break; |
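Review bot: In _gnutls_sign_algorithm_parse_data (lib/ext/signature.c, second hunk) the capacity guard compares with `==`, so it bounds the array store only while sign_algorithms_size is no larger than MAX_SIGNATURE_ALGORITHMS on entry; `if (priv->sign_algorithms_size >= MAX_SIGNATURE_ALGORITHMS) break;` costs nothing and keeps the write in range regardless. The `break` also discards the remainder of the peer's list without a trace, so a handshake-log line at that point would help explain a later failure to find a common algorithm. The function starts and ends outside the hunk, so how sign_algorithms_size is initialised before the loop is not visible here.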
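Review bot: In _gnutls_signature_algorithm_recv_params (lib/ext/signature.c, third hunk) an extension body shorter than two bytes still bypasses the `if (data_size >= 2)` branch, and no else path is visible, so a truncated signature_algorithms extension appears to be ignored rather than rejected. `DECR_LEN(data_size, 2)` is expected to fail on a short buffer by itself, so dropping the guard would reject the malformed case; alternatively add `else return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);`. The branch continues past the end of the hunk, so what follows should be confirmed before changing it.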
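Review bot: In _gnutls_session_get_sign_algo (lib/ext/signature.c, fourth hunk) the retained comment `/* none set, allow SHA-1 only */` no longer describes the condition, because a parsed list that ended up empty is now excluded from the SHA-1 fallback. Suggest `/* no signature_algorithms extension from the peer, or no selectable sig/hash in this version: SHA-1 only */`, so a later reader does not re-add the size check. The code that handles an empty list lies below the hunk, so the error it returns in that case cannot be confirmed from here; a one-line comment there naming the expected failure would tie it to the commit message.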