From 1bec2f8c843eb6937bce4106bf9ff7fa3f7410f5 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 23 Sep 2017 08:37:50 +0200
Subject: signature: on client side, refuse to negotiate non-enabled signature schemes

That amends/reverts commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4: "On client side allow signing with the signature algorithm of our cert"

Previously, when we initially disabled DSA, we allowed client certificates which can do DSA-SHA1 to be utilized to ease migration from these certificates.

Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 8 ++++++++
 lib/ext/signature.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 766336a6d0..d28bd2b2d6 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,14 @@ See the end for copying conditions.
 TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm in TLS 1.2. As such, no reason to keep supporting it.
+** libgnutls: Refuse to use client certificates containing disallowed
+ algorithms for a session. That reverts a change on 3.5.5, which allowed
+ a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
+ to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
+ The previous approach was to allow a smooth move to client infrastructure
+ after the DSA algorithm became disabled by default, and is no longer necessary
+ as DSA is now being universally depracated.
+
 ** p11tool: added options --sign-params and --hash. This allows testing signature with multiple algorithms, including RSA-PSS.
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 61a67b0d31..5961ffc51a 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -296,7 +296,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 priv->sign_algorithms[i]) < 0)
 continue;
- if (!client_cert && _gnutls_session_sign_algo_enabled
+ if (_gnutls_session_sign_algo_enabled
 (session, priv->sign_algorithms[i]) < 0)
 continue;
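Review bot: With `!client_cert &&` dropped from the condition, `_gnutls_session_sign_algo_enabled` now gates the schemes usable with our own client certificate exactly as it gates the peer's, which is the intent of the commit, but nothing at this line records that the bypass was removed deliberately, and the remaining role of the `client_cert` parameter is no longer evident from this loop. A one-line comment would keep a later "migration aid" from re-adding the exemption: `/* Schemes disabled for this session are never negotiated, not even for our own client certificate; the legacy DSA-SHA1 exemption was removed on purpose. */`. The enclosing function `_gnutls_session_get_sign_algo` and the loop header begin before this hunk, so how a failed lookup is reported to callers cannot be confirmed here.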
@@ -304,6 +304,14 @@ _gnutls_session_get_sign_algo(gnutls_session_t session,
 }
 }
+ /* When having a legacy client certificate which can only be signed
+ * using algorithms we don't always enable by default (e.g., DSA-SHA1),
+ * continue and sign with it. */
+ if (client_cert) {
+ _gnutls_audit_log(session, "No shared signature schemes with peer for client certificate (%s). Is the certificate a legacy one?",
+ gnutls_pk_get_name(cert_algo));
+ }
+
 fail:
 return GNUTLS_SIGN_UNKNOWN;
 }
--
cgit v1.2.1
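Review bot: The comment added above `if (client_cert)` still describes the behaviour this commit removes: it says to "continue and sign with it", yet the block only emits an audit message and then falls through to `fail:`, returning GNUTLS_SIGN_UNKNOWN. A reader taking the comment at face value would assume a disabled legacy scheme is still usable for the client certificate, which is exactly the exemption the commit revokes. Replace it with a comment that matches the code, for example `/* No enabled signature scheme is shared with the peer for our client certificate; legacy schemes such as DSA-SHA1 are no longer used implicitly, so record it for the operator and fail. */`. The function begins outside this hunk, so the origin of `cert_algo` and the callers' handling of GNUTLS_SIGN_UNKNOWN are not visible here.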