diff options
-rw-r--r-- | lib/pubkey.c | 6 | ||||
-rw-r--r-- | lib/x509/verify.c | 5 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 2 |
3 files changed, 6 insertions, 7 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c index f98734c85b..cbf7f47e0c 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -1631,10 +1631,8 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey, return ret; } - if (!(flags & GNUTLS_VERIFY_ALLOW_BROKEN)) { - if (gnutls_sign_is_secure(algo) == 0) { - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); - } + if (gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) { + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); } return 0; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index cfd79befc4..03416758dc 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -347,8 +347,7 @@ static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now) return 0; } -static -int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) +unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) { /* the first two are for backwards compatibility */ if ((sig == GNUTLS_SIGN_RSA_MD2) @@ -718,7 +717,7 @@ verify_crt(gnutls_x509_crt_t cert, * really matter. */ if (gnutls_sign_is_secure(sigalg) == 0 && - is_broken_allowed(sigalg, flags) == 0 && + _gnutls_is_broken_sig_allowed(sigalg, flags) == 0 && is_issuer(cert, cert) == 0) { MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM); } diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 85c4e17b42..b71bcf67a3 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -470,4 +470,6 @@ struct gnutls_x509_tlsfeatures_st { unsigned int size; }; +unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int flags); + #endif |