authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-21 17:59:18 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-21 18:00:38 +0200
commitdbf7013d2c6364772ca2112781fc8bb12ec4c8f0 (patch)
tree5fe1adbb7d8ff48114de4e7d09c110a7a1593261
parent5b36a5cd335bca094a2a837c84724c8d36be5196 (diff)
Only on the client side, allow signing with the signature algorithm of our cert (tmp-enable-dsa-sigs-on-client-cert)
-rw-r--r--lib/ext/signature.c7
-rw-r--r--lib/ext/signature.h2
-rw-r--r--lib/tls-sig.c4
3 files changed, 7 insertions, 6 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 29a208e367..e11f4649a6 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -258,7 +258,7 @@ _gnutls_signature_algorithm_send_params(gnutls_session_t session,
*/
gnutls_sign_algorithm_t
_gnutls_session_get_sign_algo(gnutls_session_t session,
- gnutls_pcert_st * cert)
+ gnutls_pcert_st * cert, unsigned our_cert)
{
unsigned i;
int ret;
@@ -283,7 +283,8 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
/* none set, allow SHA-1 only */
{
ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1);
- if (_gnutls_session_sign_algo_enabled(session, ret) < 0)
+
+ if (!our_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0)
goto fail;
return ret;
}
@@ -296,7 +297,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
priv->sign_algorithms[i]) < 0)
continue;
- if (_gnutls_session_sign_algo_enabled
+ if (!our_cert && _gnutls_session_sign_algo_enabled
(session, priv->sign_algorithms[i]) < 0)
continue;
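Review bot: The new `our_cert` flag disables the `_gnutls_session_sign_algo_enabled` check at both sites in this function (the SHA-1-only fallback in the second hunk and the loop over `priv->sign_algorithms` in the third), but neither the parameter nor the consequence is documented; the header comment that closes just above the first hunk, and the prototype in lib/ext/signature.h, should say so. Suggested addition to that comment: `our_cert: non-zero when the caller selects an algorithm for signing with its own certificate; the result is then NOT checked against _gnutls_session_sign_algo_enabled(), so the caller decides whether overriding the session's signature-algorithm policy is acceptable`. A named two-valued constant instead of the bare `unsigned` would also make the call sites in lib/tls-sig.c (`..., 0)` / `..., 1)`) self-describing. `_gnutls_session_get_sign_algo` begins and continues outside these hunks.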
diff --git a/lib/ext/signature.h b/lib/ext/signature.h
index 2130aa2a6b..8309d1f10d 100644
--- a/lib/ext/signature.h
+++ b/lib/ext/signature.h
@@ -31,7 +31,7 @@ extern const extension_entry_st ext_mod_sig;
gnutls_sign_algorithm_t
_gnutls_session_get_sign_algo(gnutls_session_t session,
- gnutls_pcert_st * cert);
+ gnutls_pcert_st * cert, unsigned our_cert);
int _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
const uint8_t * data,
size_t data_size);
diff --git a/lib/tls-sig.c b/lib/tls-sig.c
index 492188a12f..af98fba51d 100644
--- a/lib/tls-sig.c
+++ b/lib/tls-sig.c
@@ -63,7 +63,7 @@ _gnutls_handshake_sign_data(gnutls_session_t session,
const version_entry_st *ver = get_version(session);
const mac_entry_st *hash_algo;
- *sign_algo = _gnutls_session_get_sign_algo(session, cert);
+ *sign_algo = _gnutls_session_get_sign_algo(session, cert, 0);
if (*sign_algo == GNUTLS_SIGN_UNKNOWN) {
gnutls_assert();
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
@@ -537,7 +537,7 @@ _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session,
if (sign_algo == GNUTLS_SIGN_UNKNOWN ||
_gnutls_session_sign_algo_enabled(session, sign_algo) < 0) {
- sign_algo = _gnutls_session_get_sign_algo(session, cert);
+ sign_algo = _gnutls_session_get_sign_algo(session, cert, 1);
if (sign_algo == GNUTLS_SIGN_UNKNOWN) {
gnutls_assert();
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
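Review bot: In the second hunk the fallback passes `our_cert = 1`, so `sign_algo` can now be an algorithm that `_gnutls_session_sign_algo_enabled` rejected two lines earlier, and the only check that follows is for `GNUTLS_SIGN_UNKNOWN`; that deliberate override of the session's signature-algorithm policy deserves a comment at the call. Suggested: `/* Our certificate cannot be used with any enabled signature algorithm; fall back to the algorithm implied by its key and skip the enabled-algorithm check (our_cert=1). */`. A debug log line naming the algorithm chosen here would make the override visible rather than silent. The first hunk keeps the previous behaviour by passing 0. `_gnutls_handshake_sign_crt_vrfy12` continues outside the hunk.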