author | Daiki Ueno <ueno@gnu.org> | 2021-06-11 06:58:43 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2021-06-11 16:25:21 +0200 |
commit | 4af2969d5015ce15437fd9d604337fc9529d7c8c (patch) | |
tree | 9f3f5d6e748fccf1552a34a3f7a07782d1833490 /lib | |
parent | 1b83d881938b4e37d2bb6475ade716b22364b6cb (diff) | |
download | gnutls-4af2969d5015ce15437fd9d604337fc9529d7c8c.tar.gz |
priority: reflect system wide config when constructing sigalgs
Otherwise the client would advertise signature algorithms which it
cannot use and cause handshake to fail.
Reported by Philip Schaten in:
https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/priority.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/priority.c b/lib/priority.c
index 8cd8a1b260..f043e9dd6f 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1737,10 +1737,13 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
 se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
 if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
- /* if the signature algorithm semantics are not compatible with
- * the protocol's, then skip. */
- if ((se->aid.tls_sem & tls_sig_sem) == 0)
+ /* if the signature algorithm semantics is not
+ * compatible with the protocol's, or the algorithm is
+ * marked as insecure, then skip. */
+ if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
+ !_gnutls_sign_is_secure2(se, 0)) {
 continue;
+ }
 priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
 }
 }
|
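Review bot: The bare `0` passed to `_gnutls_sign_is_secure2(se, 0)` is not explained, and the updated comment says only "marked as insecure", so a reader cannot tell which policy level decides what the client advertises. If, as it appears, a zero flags value means the algorithm is judged for handshake signatures rather than with `GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS`, the comment should say so, e.g. `/* flags == 0: secure for TLS signatures; certificate-only restrictions are not applied here */`. The filter can also leave `priority_cache->sigalg.size` at 0 under a strict system-wide configuration. The rest of `set_ciphersuite_list` lies outside the hunk, so it is worth confirming that this case is rejected there with a clear error rather than surfacing later as a handshake failure.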