authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 13:12:07 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-22 08:46:04 +0100
commit6b5d11a29afd6d45b2d4eca131a570f87a2503ac (patch)
treec1381ade164abeb687f2117f19e062bee132c9ca
parent4ea338ab3e9ac736279acd140abfb422d91a47a8 (diff)
Use a common function to decide acceptable signatures
That is, ensure that the results of all verification functions, including gnutls_pubkey_verify_data2(), are consistent with the deprecation of SHA1 and other algorithms. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/pubkey.c6
-rw-r--r--lib/x509/verify.c5
-rw-r--r--lib/x509/x509_int.h2
3 files changed, 6 insertions, 7 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index f98734c85b..cbf7f47e0c 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1631,10 +1631,8 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
return ret;
}
- if (!(flags & GNUTLS_VERIFY_ALLOW_BROKEN)) {
- if (gnutls_sign_is_secure(algo) == 0) {
- return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
- }
+ if (gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) {
+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
}
return 0;
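Review bot: The rewritten condition in gnutls_pubkey_verify_data2() now lets a weak signature algorithm through on any flag that _gnutls_is_broken_sig_allowed() honours, where the removed lines accepted only GNUTLS_VERIFY_ALLOW_BROKEN. Only the start of the helper is visible in the verify.c hunk (a GNUTLS_SIGN_RSA_MD2 case commented as kept for backwards compatibility), so the exact set of flags is an inference, but the function's doc comment should name them so callers know what relaxes the check. I would add above the condition `/* weak algorithms are rejected unless a verify flag accepted by _gnutls_is_broken_sig_allowed() permits them */`. The diffstat lists only the three source files, so a regression test that verifies data signed with a deprecated algorithm, with and without the flag, would pin the consistency the commit message promises. The function begins before this hunk.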
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index cfd79befc4..03416758dc 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -347,8 +347,7 @@ static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now)
return 0;
}
-static
-int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags)
+unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags)
{
/* the first two are for backwards compatibility */
if ((sig == GNUTLS_SIGN_RSA_MD2)
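Review bot: _gnutls_is_broken_sig_allowed() loses `static` here and becomes a helper shared with lib/pubkey.c, but nothing states its contract, even though it now gates acceptance of deprecated signature algorithms in two files. Both visible callers compare the result with 0, so presumably a comment such as `/* Returns non-zero when flags permit the broken signature algorithm sig, zero otherwise. */` fits; it belongs above the definition and above the prototype added to lib/x509/x509_int.h. The return type also changes from `int` to bare `unsigned`, while the surrounding declarations spell it `unsigned int`, which would be the more consistent spelling. The function body continues past the end of this hunk.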
@@ -718,7 +717,7 @@ verify_crt(gnutls_x509_crt_t cert,
* really matter.
*/
if (gnutls_sign_is_secure(sigalg) == 0 &&
- is_broken_allowed(sigalg, flags) == 0 &&
+ _gnutls_is_broken_sig_allowed(sigalg, flags) == 0 &&
is_issuer(cert, cert) == 0) {
MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
}
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 85c4e17b42..b71bcf67a3 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -470,4 +470,6 @@ struct gnutls_x509_tlsfeatures_st {
unsigned int size;
};
+unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags);
+
#endif