]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
When signature algorithms extension is not received allow SHA1 and SHA256.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 26 Jul 2010 15:12:19 +0000 (17:12 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 26 Jul 2010 15:12:28 +0000 (17:12 +0200)
lib/ext_signature.c

index 9d52303b60cdc990767da13a1c6fcbbb96932ffd..abc2da9088f5e9231629f229534d7f5f03cbc3d0 100644 (file)
@@ -272,22 +272,31 @@ _gnutls_session_sign_algo_requested (gnutls_session_t session,
                                     gnutls_sign_algorithm_t sig)
 {
   unsigned i;
-  int ret;
+  int ret, hash;
   gnutls_protocol_t ver = gnutls_protocol_get_version (session);
   sig_ext_st * priv;
   extension_priv_data_t epriv;
 
+  if (!_gnutls_version_has_selectable_sighash (ver))
+    {
+      return 0;
+    }
+
   ret = _gnutls_ext_get_session_data(session, GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
     &epriv);
   if (ret < 0)
     {
       gnutls_assert();
-      return ret;
+      /* extension not received allow SHA1 and SHA256 */
+      hash = _gnutls_sign_get_hash_algorithm(sig);
+      if (hash == GNUTLS_DIG_SHA1 || hash == GNUTLS_DIG_SHA256)
+        return 0;
+      else
+        return ret;
     }
   priv = epriv.ptr;
 
-  if (!_gnutls_version_has_selectable_sighash (ver)
-      || priv->sign_algorithms_size == 0)
+  if (priv->sign_algorithms_size == 0)
     /* none set, allow all */
     {
       return 0;