author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-26 14:58:17 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-08 15:19:43 +0200 |
commit | 7f901e166df45693b23eb8d592d3f0b5e150a7b3 (patch) | |
tree | 04c2eeb00ad079f6d7cd9ae926c195d3c70114ed | |
parent | 71045637fe123564747d68f8e045a9c3186f627f (diff) | |
download | gnutls-7f901e166df45693b23eb8d592d3f0b5e150a7b3.tar.gz |
algorithms/sign: no longer enable SHA224 hash in signatures
TLS 1.3 requires that SHA224 MUST NOT be used, and given that
SHA224 was never widely used in TLS 1.2, there is no reason to
keep these algorithms at all.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/algorithms/sign.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index e920e15cc1..fe11dd9a2c 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -66,7 +66,7 @@ static const gnutls_sign_entry_st sign_algorithms[] = {
 .id = GNUTLS_SIGN_RSA_SHA224,
 .pk = GNUTLS_PK_RSA,
 .hash = GNUTLS_DIG_SHA224,
- .aid = {{3, 1}}},
+ .aid = TLS_SIGN_AID_UNKNOWN},
 {.name = "RSA-SHA256",
 .oid = SIG_RSA_SHA256_OID,
 .id = GNUTLS_SIGN_RSA_SHA256,
@@ -111,7 +111,7 @@ static const gnutls_sign_entry_st sign_algorithms[] = {
 .id = GNUTLS_SIGN_DSA_SHA224,
 .pk = GNUTLS_PK_DSA,
 .hash = GNUTLS_DIG_SHA224,
- .aid = {{3, 2}}},
+ .aid = TLS_SIGN_AID_UNKNOWN},
 {.name = "DSA-SHA256",
 .oid = SIG_DSA_SHA256_OID,
 .id = GNUTLS_SIGN_DSA_SHA256,
@@ -151,7 +151,7 @@ static const gnutls_sign_entry_st sign_algorithms[] = {
 .id = GNUTLS_SIGN_ECDSA_SHA224,
 .pk = GNUTLS_PK_EC,
 .hash = GNUTLS_DIG_SHA224,
- .aid = {{3, 3}}},
+ .aid = TLS_SIGN_AID_UNKNOWN},
 {.name = "ECDSA-SHA256",
 .oid = "1.2.840.10045.4.3.2",
 .id = GNUTLS_SIGN_ECDSA_SHA256,
@@ -302,6 +302,7 @@ static const gnutls_sign_entry_st sign_algorithms[] = {
 .pk = GNUTLS_PK_RSA,
 .hash = GNUTLS_DIG_SHA512,
 .aid = {{8, 6}}},
+
 /* The hash algorithm here is set to be SHA512, although that is
 * an internal detail of Ed25519; we set it, because CMS/PKCS#7 requires
 * that mapping. */
|
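Review bot: The RSA-SHA224, DSA-SHA224 and ECDSA-SHA224 rows in the first three hunks keep their place in sign_algorithms[] but now carry `.aid = TLS_SIGN_AID_UNKNOWN` with no comment explaining why, so a later reader cannot tell whether the rows were deliberately retained (presumably so that X.509/PKCS#7 signatures using those OIDs are still recognized — confirm) or simply missed when the TLS code points were dropped. A short comment above each of the three rows, e.g. `/* no TLS code point: SHA224 MUST NOT be used in TLS 1.3 and is no longer offered; the row remains for OID-based signature lookups */`, would record that intent where the next maintainer will look for it. Since the lookup code is not in this diff, it is also worth checking that every routine that walks the table and reads `.aid` treats TLS_SIGN_AID_UNKNOWN as "not negotiable" rather than as a code point to advertise or accept. The sign_algorithms[] table begins and ends outside all four hunks.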