diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-23 08:37:50 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-24 10:34:03 +0200 |
commit | 65d13648cd88d4cd7383c0d257ef30ddcafb995b (patch) | |
tree | e58e10a9861a187f6a2b1b19f7e9a299aacc41a4 | |
parent | a9601277ae361ed060eb99397e05ba793361feae (diff) | |
download | gnutls_3_5_x-sig-fix.tar.gz |
signature: on client side, only select a non-enabled signature if none matchgnutls_3_5_x-sig-fix
That amends commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4:
"On client side allow signing with the signature algorithm of our cert
That allows to sign for example with DSA-SHA1 as client even if we do not
allow DSA-SHA1 as signature algorithm for server's certificate. This allows
to use a deprecated certificate without enabling deprecated algorithms
globally."
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | lib/ext/signature.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 96b97cef94..f7bec7c4f5 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -272,6 +272,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, sig_ext_st *priv; extension_priv_data_t epriv; unsigned int cert_algo; + gnutls_sign_algorithm_t saved_sigalgo = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_SIGN_UNKNOWN); @@ -301,7 +302,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, priv->sign_algorithms[i]) < 0) continue; - if (!client_cert && _gnutls_session_sign_algo_enabled + if (client_cert && !saved_sigalgo) + saved_sigalgo = priv->sign_algorithms[i]; + + if (_gnutls_session_sign_algo_enabled (session, priv->sign_algorithms[i]) < 0) continue; @@ -309,6 +313,12 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, } } + /* When having a legacy client certificate which can only be signed + * using algorithms we don't always enable by default (e.g., DSA-SHA1), + * continue and sign with it. */ + if (client_cert && saved_sigalgo) + return saved_sigalgo; + fail: return GNUTLS_SIGN_UNKNOWN; } |