diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-07 09:50:29 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-17 17:08:01 +0200 |
| commit | 3761340bf38d151439f8155039a3a367fc51a283 (patch) | |
| tree | bd6775f6b9a20db5f3e5e31ce0eaef7432b8792c | |
| parent | d3b07f1a2700cc19c82dc7671cdbde112cc4b00e (diff) | |
| download | gnutls-3761340bf38d151439f8155039a3a367fc51a283.tar.gz | |
handshake: return better error code on unwanted algorithm
That is, when a signature algorithm is available which was not
asked by the peer, then return GNUTLS_E_UNWANTED_ALGORITHM
instead of the UNKNOWN_ALGORITHM.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/alert.c | 1 | ||||
| -rw-r--r-- | lib/tls-sig.c | 4 | ||||
| -rw-r--r-- | tests/server_ecdsa_key.c | 2 |
3 files changed, 4 insertions, 3 deletions
diff --git a/lib/alert.c b/lib/alert.c index d3d58888fc..0aa3a69aa8 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -250,6 +250,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL: case GNUTLS_E_UNKNOWN_PK_ALGORITHM: + case GNUTLS_E_UNWANTED_ALGORITHM: ret = GNUTLS_A_HANDSHAKE_FAILURE; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/tls-sig.c b/lib/tls-sig.c index 6425c508c7..378ed3e1a3 100644 --- a/lib/tls-sig.c +++ b/lib/tls-sig.c @@ -178,7 +178,7 @@ _gnutls_handshake_sign_data(gnutls_session_t session, *sign_algo = _gnutls_session_get_sign_algo(session, cert, 0); if (*sign_algo == GNUTLS_SIGN_UNKNOWN) { gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + return GNUTLS_E_UNWANTED_ALGORITHM; } gnutls_sign_algorithm_set_server(session, *sign_algo); @@ -552,7 +552,7 @@ _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session, sign_algo = _gnutls_session_get_sign_algo(session, cert, 1); if (sign_algo == GNUTLS_SIGN_UNKNOWN) { gnutls_assert(); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + return GNUTLS_E_UNWANTED_ALGORITHM; } } diff --git a/tests/server_ecdsa_key.c b/tests/server_ecdsa_key.c index 3a8848f90c..d2c400208f 100644 --- a/tests/server_ecdsa_key.c +++ b/tests/server_ecdsa_key.c @@ -89,7 +89,7 @@ void doit(void) } test_cli_serv_expect(serv_cred, cli_cred, "NORMAL", "NORMAL:-SIGN-ALL", NULL, GNUTLS_E_AGAIN, GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); - test_cli_serv_expect(serv_cred, cli_cred, "NORMAL", "NORMAL:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA256:-SIGN-ECDSA-SHA384:-SIGN-ECDSA-SHA512", NULL, GNUTLS_E_UNKNOWN_PK_ALGORITHM, GNUTLS_E_AGAIN); + test_cli_serv_expect(serv_cred, cli_cred, "NORMAL", "NORMAL:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA256:-SIGN-ECDSA-SHA384:-SIGN-ECDSA-SHA512", NULL, GNUTLS_E_UNWANTED_ALGORITHM, GNUTLS_E_AGAIN); gnutls_certificate_free_credentials(serv_cred); gnutls_certificate_free_credentials(cli_cred); |