author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-23 08:37:50 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-24 12:22:50 +0200 |
commit | 9807200e33612b401c63e71d3ee357e23b6f7735 (patch) | |
tree | 7ec6a2813580b0d6af517d196fdcc50ada6d92fd | |
parent | 092b4500c900f047b04487ddbe943630e03c9aed (diff) | |
download | gnutls-9807200e33612b401c63e71d3ee357e23b6f7735.tar.gz |
signature: on client side, only select a non-enabled signature if none match
That amends commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4:
"On client side allow signing with the signature algorithm of our cert
That allows to sign for example with DSA-SHA1 as client even if we do not
allow DSA-SHA1 as signature algorithm for server's certificate. This allows
to use a deprecated certificate without enabling deprecated algorithms
globally."
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | lib/ext/signature.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 96b97cef94..f7bec7c4f5 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -272,6 +272,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 sig_ext_st *priv;
 extension_priv_data_t epriv;
 unsigned int cert_algo;
+ gnutls_sign_algorithm_t saved_sigalgo = 0;
 
 if (unlikely(ver == NULL))
 return gnutls_assert_val(GNUTLS_SIGN_UNKNOWN);
@@ -301,7 +302,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 priv->sign_algorithms[i]) < 0)
 continue;
 
- if (!client_cert && _gnutls_session_sign_algo_enabled
+ if (client_cert && !saved_sigalgo)
+ saved_sigalgo = priv->sign_algorithms[i];
+
+ if (_gnutls_session_sign_algo_enabled
 (session, priv->sign_algorithms[i]) < 0)
 continue;
 
@@ -309,6 +313,12 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 }
 }
 
+ /* When having a legacy client certificate which can only be signed
+ * using algorithms we don't always enable by default (e.g., DSA-SHA1),
+ * continue and sign with it. */
+ if (client_cert && saved_sigalgo)
+ return saved_sigalgo;
+
 fail:
 return GNUTLS_SIGN_UNKNOWN;
 }
|
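Review bot: `saved_sigalgo` is initialised with a bare `0` and later tested by truthiness, which hides that the sentinel is the "no algorithm" value the function already returns as `GNUTLS_SIGN_UNKNOWN`. Writing `gnutls_sign_algorithm_t saved_sigalgo = GNUTLS_SIGN_UNKNOWN;` and comparing against that constant in the two later tests (second and third hunks) states the intent and does not rely on the enum value being zero. The declaration sits in a function whose body starts and ends outside this hunk.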
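Review bot: The fallback candidate is captured before the `_gnutls_session_sign_algo_enabled` check and is simply the first entry of `priv->sign_algorithms` that passed the earlier checks, so which disabled algorithm ends up being used depends on list order, not on strength. `priv->sign_algorithms` is presumably the list received from the peer (its population is outside the hunk); if so, when no enabled algorithm matches, the peer's ordering decides which policy-disabled algorithm the client signs with, even if a stronger compatible one appears later in the list. At minimum this deserves a comment at the assignment, e.g. `/* fallback only: first key-compatible algorithm in the list, even if disabled by the session priorities */`; it is also worth considering whether the fallback should prefer the strongest compatible entry rather than the first. The enclosing loop begins before this hunk.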
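Review bot: The new `return saved_sigalgo;` path leaves no trace that an algorithm rejected by the session priorities was selected, so this policy exception is invisible to anyone auditing or debugging handshakes. A log line just before the return would make it observable, e.g. `_gnutls_handshake_log("HSK[%p]: signing with non-enabled algorithm %s\n", session, gnutls_sign_get_name(saved_sigalgo));`. The comment above it could also be more precise: it is the client's signature made with the certificate's key that uses the non-enabled algorithm, and the relaxation applies only when `client_cert` is set and no enabled algorithm matched.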