From 65d13648cd88d4cd7383c0d257ef30ddcafb995b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sat, 23 Sep 2017 08:37:50 +0200 Subject: signature: on client side, only select a non-enabled signature if none match That amends commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4: "On client side allow signing with the signature algorithm of our cert That allows to sign for example with DSA-SHA1 as client even if we do not allow DSA-SHA1 as signature algorithm for server's certificate. This allows to use a deprecated certificate without enabling deprecated algorithms globally." Signed-off-by: Nikos Mavrogiannopoulos --- lib/ext/signature.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 96b97cef94..f7bec7c4f5 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -272,6 +272,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, sig_ext_st *priv; extension_priv_data_t epriv; unsigned int cert_algo; + gnutls_sign_algorithm_t saved_sigalgo = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_SIGN_UNKNOWN); @@ -301,7 +302,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, priv->sign_algorithms[i]) < 0) continue; - if (!client_cert && _gnutls_session_sign_algo_enabled + if (client_cert && !saved_sigalgo) + saved_sigalgo = priv->sign_algorithms[i]; + + if (_gnutls_session_sign_algo_enabled (session, priv->sign_algorithms[i]) < 0) continue; @@ -309,6 +313,12 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, } } + /* When having a legacy client certificate which can only be signed + * using algorithms we don't always enable by default (e.g., DSA-SHA1), + * continue and sign with it. */ + if (client_cert && saved_sigalgo) + return saved_sigalgo; + fail: return GNUTLS_SIGN_UNKNOWN; } -- cgit v1.2.1