alert: map GNUTLS_E_PK_SIG_VERIFY_FAILED to GNUTLS_A_DECRYPT_ERROR

This makes server respond with GNUTLS_A_DECRYPT_ERROR on malformed signatures, which is the expected behavior. Hinted by Hubert Kario. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-05-25 16:35:18 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-05-29 08:41:21 +0200
commit: 25bf549e152f0f5a2b9a73183ac99035bdd6606f (patch)
tree: 11b8ba9f39cb2c60ac534386da9f65ce9a20d509
parent: aa9c78ed6c0c164baa4ed67679b84f94ba66f616 (diff)
download: gnutls-25bf549e152f0f5a2b9a73183ac99035bdd6606f.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/alert.c b/lib/alert.c
index 61a14a070b..d3d58888fc 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -191,6 +191,10 @@ int gnutls_error_to_alert(int err, int *level)
 	int ret, _level = -1;
 
 	switch (err) {		/* send appropriate alert */
+	case GNUTLS_E_PK_SIG_VERIFY_FAILED:
+		ret = GNUTLS_A_DECRYPT_ERROR;
+		_level = GNUTLS_AL_FATAL;
+		break;
 	case GNUTLS_E_DECRYPTION_FAILED:
 		/* GNUTLS_A_DECRYPTION_FAILED is not sent, because
 		 * it is not defined in SSL3. Note that we must
@@ -234,7 +238,6 @@ int gnutls_error_to_alert(int err, int *level)
 	case GNUTLS_E_ASN1_DER_OVERFLOW:
 	case GNUTLS_E_CERTIFICATE_ERROR:
 	case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
-	case GNUTLS_E_PK_SIG_VERIFY_FAILED:
 		ret = GNUTLS_A_BAD_CERTIFICATE;
 		_level = GNUTLS_AL_FATAL;
 		break;
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-05-25 16:35:18 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-05-29 08:41:21 +0200
commit	25bf549e152f0f5a2b9a73183ac99035bdd6606f (patch)
tree	11b8ba9f39cb2c60ac534386da9f65ce9a20d509
parent	aa9c78ed6c0c164baa4ed67679b84f94ba66f616 (diff)
download	gnutls-25bf549e152f0f5a2b9a73183ac99035bdd6606f.tar.gz