diff options
author | Alexander Sosedkin <asosedkin@redhat.com> | 2021-10-20 14:36:44 +0200 |
---|---|---|
committer | Alexander Sosedkin <asosedkin@redhat.com> | 2021-10-21 10:47:08 +0200 |
commit | 32562e79c75d67daa81f761fa55fd8c65bc70814 (patch) | |
tree | cf9064398106a6f4b0a397435e7e4ab63a302b7e | |
parent | 3ee3508a123a87dbaafd65882dd98381bc2cc0f1 (diff) | |
download | gnutls-32562e79c75d67daa81f761fa55fd8c65bc70814.tar.gz |
priority: filter out ciphersuites with prf blocked by insecure-hash
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
-rw-r--r-- | lib/priority.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/lib/priority.c b/lib/priority.c index 0530bcb9e5..55d68d734c 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1539,6 +1539,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) unsigned have_tls13 = 0, have_srp = 0; unsigned have_pre_tls12 = 0, have_tls12 = 0; unsigned have_psk = 0, have_null = 0, have_rsa_psk = 0; + gnutls_digest_algorithm_t prf_digest; /* have_psk indicates that a PSK key exchange compatible * with TLS1.3 is enabled. */ @@ -1685,6 +1686,12 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) if (ce == NULL) continue; + prf_digest = MAC_TO_DIG(ce->prf); + if (prf_digest == GNUTLS_DIG_UNKNOWN) + continue; + if (_gnutls_digest_is_insecure(prf_digest)) + continue; + if (priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) priority_cache->cs.entry[priority_cache->cs.size++] = ce; } @@ -1700,6 +1707,12 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) if (ce == NULL) continue; + prf_digest = MAC_TO_DIG(ce->prf); + if (prf_digest == GNUTLS_DIG_UNKNOWN) + continue; + if (_gnutls_digest_is_insecure(prf_digest)) + continue; + if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE) continue; priority_cache->cs.entry[priority_cache->cs.size++] = ce; |