author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-25 09:28:45 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-11-14 15:00:32 +0100 |
commit | 315f1a7777d1de5ab1f343289a228d62da87e757 (patch) | |
tree | 0476fa1acbd4b65cb4532705009be39c3fea1cfe | |
parent | 4042e69b04abc958c13be556063b3b081d40728f (diff) | |
download | gnutls-315f1a7777d1de5ab1f343289a228d62da87e757.tar.gz |
ext/signature: explicitly prevent RSA/DSA and SHA1 signatures on TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/ext/signature.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 68b667a960..70bf36c476 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -354,6 +354,16 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session,
 return 0;
 }
+ if (ver->tls13_sem) {
+ /* disallow RSA, DSA, and SHA1 */
+ const gnutls_sign_entry_st *se;
+ se = _gnutls_sign_to_entry(sig);
+ if (se == NULL || se->pk == GNUTLS_PK_RSA || se->pk == GNUTLS_PK_DSA || se->hash == GNUTLS_DIG_SHA1) {
+ gnutls_assert();
+ goto disallowed;
+ }
+ }
+
 for (i = 0; i < session->internals.priorities->sigalg.size; i++) {
 if (session->internals.priorities->sigalg.entry[i]->id ==
@@ -362,6 +372,7 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session,
 }
 }
+ disallowed:
 _gnutls_handshake_log("signature algorithm %s is not enabled\n", gnutls_sign_algorithm_get_name(sig));
 return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
 } |
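Review bot: The TLS 1.3 filter added under `if (ver->tls13_sem)` is a denylist on `se->pk` and `se->hash`, so any signature entry that is neither RSA/DSA nor SHA-1 based is accepted, including entries added to the table later; since RFC 8446 §4.2.3 defines a closed set of permitted schemes, an allowlist on the public-key kinds valid for TLS 1.3 would fail closed instead, worth considering if the table is expected to grow. The `/* disallow RSA, DSA, and SHA1 */` comment would also read better as `/* TLS 1.3 (RFC 8446 4.2.3): PKCS#1 v1.5 RSA, DSA and SHA-1 based schemes are not permitted; GNUTLS_PK_RSA is the PKCS#1 v1.5 kind, so RSA-PSS entries are not rejected here */`, as a reader may otherwise take "RSA" to include RSA-PSS. The single-line condition is far longer than the surrounding code, which wraps even the `entry[i]->id ==` comparison; splitting it as `if (se == NULL || se->pk == GNUTLS_PK_RSA ||` / `    se->pk == GNUTLS_PK_DSA || se->hash == GNUTLS_DIG_SHA1) {` matches the file's style. `ver` is assigned before the hunk and the body of `_gnutls_session_sign_algo_enabled` starts outside it.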