diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-21 17:59:18 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-22 11:03:35 +0200 |
commit | 6aa8c390b08a25b18c0799fbd42bd0eec703fae4 (patch) | |
tree | 49ab1c75b4a4e934bcb57777ec89a1a2d0e85f32 /lib/ext/signature.c | |
parent | e3f270cce72523674821f3f72be60b86111c631f (diff) | |
download | gnutls-6aa8c390b08a25b18c0799fbd42bd0eec703fae4.tar.gz |
On client side allow signing with the signature algorithm of our cert
That allows to sign for example with DSA-SHA1 as client even if we do not
allow DSA-SHA1 as signature algorithm for server's certificate. This allows
to use a deprecated certificate without enabling deprecated algorithms
globally.
Diffstat (limited to 'lib/ext/signature.c')
-rw-r--r-- | lib/ext/signature.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 354790b5d3..adb19845f9 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -255,10 +255,15 @@ _gnutls_signature_algorithm_send_params(gnutls_session_t session, /* Returns a requested by the peer signature algorithm that * matches the given certificate's public key algorithm. + * + * When the @client_cert flag is not set, then this function will + * also check whether the signature algorithm is allowed to be + * used in that session. Otherwise GNUTLS_SIGN_UNKNOWN is + * returned. */ gnutls_sign_algorithm_t _gnutls_session_get_sign_algo(gnutls_session_t session, - gnutls_pcert_st * cert) + gnutls_pcert_st * cert, unsigned client_cert) { unsigned i; int ret; @@ -283,7 +288,8 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, /* none set, allow SHA-1 only */ { ret = gnutls_pk_to_sign(cert_algo, GNUTLS_DIG_SHA1); - if (_gnutls_session_sign_algo_enabled(session, ret) < 0) + + if (!client_cert && _gnutls_session_sign_algo_enabled(session, ret) < 0) goto fail; return ret; } @@ -296,7 +302,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, priv->sign_algorithms[i]) < 0) continue; - if (_gnutls_session_sign_algo_enabled + if (!client_cert && _gnutls_session_sign_algo_enabled (session, priv->sign_algorithms[i]) < 0) continue; |