diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-21 13:12:07 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-21 15:10:53 +0100 |
commit | dd447ab7eb958b3473a18af57a7c6fb6c0a43b4a (patch) | |
tree | 383e239e347380dee3c90a3ccc94303c1c5f5467 | |
parent | 0630af19528b3576301b3fdda72971c1f35fad79 (diff) | |
download | gnutls-dd447ab7eb958b3473a18af57a7c6fb6c0a43b4a.tar.gz |
Use a common function to decide acceptable signatures
That is, ensure that results from all verification functions,
including gnutls_pubkey_verify_data2(), will be consistent with
SHA1 and other algorithms deprecation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/pubkey.c | 6 | ||||
-rw-r--r-- | lib/x509/verify.c | 5 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 2 |
3 files changed, 6 insertions, 7 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c index f98734c85b..cbf7f47e0c 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -1631,10 +1631,8 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey, return ret; } - if (!(flags & GNUTLS_VERIFY_ALLOW_BROKEN)) { - if (gnutls_sign_is_secure(algo) == 0) { - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); - } + if (gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) { + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); } return 0; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 638aa1e5a2..f38a892ebf 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -387,8 +387,7 @@ static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now) return 0; } -static -int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) +unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) { gnutls_digest_algorithm_t hash; @@ -782,7 +781,7 @@ verify_crt(gnutls_x509_crt_t cert, * really matter. */ if (gnutls_sign_is_secure(sigalg) == 0 && - is_broken_allowed(sigalg, flags) == 0 && + _gnutls_is_broken_sig_allowed(sigalg, flags) == 0 && is_issuer(cert, cert) == 0) { MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM); } diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 09b169afc3..ad097653d9 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -473,4 +473,6 @@ struct gnutls_x509_tlsfeatures_st { unsigned int size; }; +unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags); + #endif |