diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-21 17:30:43 +0200 |
|---|---|---|
| committer | GitLab <gitlab@gitlab.com> | 2016-10-26 19:05:09 +0000 |
| commit | db2c84e6a8e5587fb5fe261c045ba2d3e168a248 (patch) | |
| tree | 74fb989893cfef4f75687b34ac263316777b791f | |
| parent | 23fe17ceb8e1d1d4c2a72d553a70d104b0591479 (diff) | |
| download | gnutls-db2c84e6a8e5587fb5fe261c045ba2d3e168a248.tar.gz | |
Terminate handshake if only unknown or disabled signatures are advertized by the peer
That is, do not attempt to proceed assuming that the peer supports SHA-1.
| -rw-r--r-- | lib/alert.c | 1 | ||||
| -rw-r--r-- | lib/ext/signature.c | 15 |
2 files changed, 8 insertions, 8 deletions
diff --git a/lib/alert.c b/lib/alert.c index da41d2747b..a4e30cf48c 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -242,6 +242,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM: case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL: + case GNUTLS_E_UNKNOWN_PK_ALGORITHM: ret = GNUTLS_A_HANDSHAKE_FAILURE; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/ext/signature.c b/lib/ext/signature.c index adb19845f9..96b97cef94 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2002-2012 Free Software Foundation, Inc. + * Copyright (C) 2002-2016 Free Software Foundation, Inc. + * Copyright (C) 2015-2016 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -150,12 +151,12 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session, gnutls_sign_get_name(sig)); if (sig != GNUTLS_SIGN_UNKNOWN) { - priv->sign_algorithms[priv-> - sign_algorithms_size++] = - sig; if (priv->sign_algorithms_size == MAX_SIGNATURE_ALGORITHMS) break; + priv->sign_algorithms[priv-> + sign_algorithms_size++] = + sig; } } @@ -195,7 +196,7 @@ _gnutls_signature_algorithm_recv_params(gnutls_session_t session, } else { /* SERVER SIDE - we must check if the sent cert type is the right one */ - if (data_size > 2) { + if (data_size >= 2) { uint16_t len; DECR_LEN(data_size, 2); @@ -283,10 +284,8 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, &epriv); priv = epriv; - if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver) - || priv->sign_algorithms_size == 0) + if (ret < 0 || !_gnutls_version_has_selectable_sighash(ver)) { /* none set, allow SHA-1 only */ - { ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1); if (!client_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0) |