]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Return a special error code if DSA keys with over 1024 are being used with TLS 1...
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 19 Mar 2011 11:07:51 +0000 (12:07 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 19 Mar 2011 11:07:51 +0000 (12:07 +0100)
lib/gnutls_alert.c
lib/gnutls_errors.c
lib/gnutls_sig.c
lib/includes/gnutls/gnutls.h.in

index b173057dafe1c36981d614add6095b61035d5479..0663669d59a6d82abbdf28dd52b0c7ec45a8db9e 100644 (file)
@@ -206,6 +206,7 @@ gnutls_error_to_alert (int err, int *level)
     case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
     case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM:
     case GNUTLS_E_SAFE_RENEGOTIATION_FAILED:
+    case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL:
       ret = GNUTLS_A_HANDSHAKE_FAILURE;
       _level = GNUTLS_AL_FATAL;
       break;
index fada304654a7d6a8db190f99b2093497f80022b6..3ba8a1a67a9eeb8e723a24e567e7d8fb31388e1b 100644 (file)
@@ -94,6 +94,8 @@ static const gnutls_error_entry error_algorithms[] = {
                GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1),
   ERROR_ENTRY (N_("The peer did not send any certificate."),
                GNUTLS_E_NO_CERTIFICATE_FOUND, 1),
+  ERROR_ENTRY (N_("The given DSA key is incompatible with the selected TLS protocol."),
+               GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL, 1),
 
   ERROR_ENTRY (N_("There is already a crypto algorithm with lower priority."),
                GNUTLS_E_CRYPTO_ALREADY_REGISTERED, 1),
index fdfd5954cecb24028cb5dbbda0e5d5a4616fd412..ef44cca4a6f23142ea9551b839076fc43f6da671 100644 (file)
@@ -65,16 +65,15 @@ int ret;
 
   if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
     { /* override */
-      if (!_gnutls_version_has_selectable_sighash (version))
-        *hash_algo = GNUTLS_DIG_SHA1;
-      else
-        {
-          *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+      *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
 
-          ret = _gnutls_session_sign_algo_requested(session, _gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo));
-          if (ret < 0)
-            return gnutls_assert_val(ret);
-        }
+      /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
+      if (!_gnutls_version_has_selectable_sighash (version) && *hash_algo != GNUTLS_DIG_SHA1)
+        return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+
+      ret = _gnutls_session_sign_algo_requested(session, _gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo));
+      if (ret < 0)
+        return gnutls_assert_val(ret);
     }
   else
     {
index 13b3e4fc8a146708e4021bb440d266f443289654..cc64d6290a8f54bf98c8521274c0d0b44a7272cc 100644 (file)
@@ -1715,6 +1715,7 @@ extern "C"
 #define GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE -213
 #define GNUTLS_E_BAD_COOKIE -214
 #define GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR -215
+#define GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL -216
 
 /* PKCS11 related */
 #define GNUTLS_E_PKCS11_ERROR -300