authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-28 14:00:27 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 16:53:53 +0200
commit76ffecfc2fb98042f7d90db7d729cce9ebfa9db2 (patch)
tree5455640c8392a5b69032d2c549ccd76669274581 /lib/pubkey.c
parent2931d8709c6283462c53d2b67e1480109536e772 (diff)
sign/digest: separate "brokenness" of signatures and hash algorithms
That is, allow digital signatures to be marked as broken irrespective of their used hash, and restrict hash brokenness to preimage resistance. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/pubkey.c')
-rw-r--r--lib/pubkey.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 0fb9b92f4f..e461195d4e 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1961,7 +1961,7 @@ pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
}
- if (gnutls_sign_is_secure(se->id) == 0 && _gnutls_is_broken_sig_allowed(se->id, flags) == 0) {
+ if (_gnutls_sign_is_secure2(se, 0) == 0 && _gnutls_is_broken_sig_allowed(se, flags) == 0) {
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
}
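Review bot: The literal `0` passed as the second argument to `_gnutls_sign_is_secure2` in this condition is unexplained, and the same call recurs in the `pubkey_verify_data` hunk below, where it is written `se,0` without the space. This check is the gate that rejects a weak signature algorithm with `GNUTLS_E_INSUFFICIENT_SECURITY`, so a short comment would help the next reader, for example `/* 0: no extra flags; a broken algorithm passes only if the verification flags allow it */`, adjusted to what the flags argument really means, since its definition is not visible here. The two conditions are identical, so a small static helper taking `se` and `flags` would keep the policy from drifting between the two functions. Both function bodies continue outside the hunks.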
@@ -2023,7 +2023,7 @@ pubkey_verify_data(const gnutls_sign_entry_st *se,
}
- if (gnutls_sign_is_secure(se->id) == 0 && _gnutls_is_broken_sig_allowed(se->id, flags) == 0) {
+ if (_gnutls_sign_is_secure2(se,0) == 0 && _gnutls_is_broken_sig_allowed(se, flags) == 0) {
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
}