From: Nikos Mavrogiannopoulos Date: Sat, 19 Mar 2011 11:07:51 +0000 (+0100) Subject: Return a special error code if DSA keys with over 1024 are being used with TLS 1... X-Git-Tag: gnutls_2_99_0~97 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=294f4e9fc882f5ef541a4e7fc169b23f9db50646;p=thirdparty%2Fgnutls.git Return a special error code if DSA keys with over 1024 are being used with TLS 1.x, x<2. --- diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index b173057daf..0663669d59 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -206,6 +206,7 @@ gnutls_error_to_alert (int err, int *level) case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM: case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: + case GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL: ret = GNUTLS_A_HANDSHAKE_FAILURE; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index fada304654..3ba8a1a67a 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -94,6 +94,8 @@ static const gnutls_error_entry error_algorithms[] = { GNUTLS_E_ERROR_IN_FINISHED_PACKET, 1), ERROR_ENTRY (N_("The peer did not send any certificate."), GNUTLS_E_NO_CERTIFICATE_FOUND, 1), + ERROR_ENTRY (N_("The given DSA key is incompatible with the selected TLS protocol."), + GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL, 1), ERROR_ENTRY (N_("There is already a crypto algorithm with lower priority."), GNUTLS_E_CRYPTO_ALREADY_REGISTERED, 1), diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index fdfd5954ce..ef44cca4a6 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -65,16 +65,15 @@ int ret; if (cert->subject_pk_algorithm == GNUTLS_PK_DSA) { /* override */ - if (!_gnutls_version_has_selectable_sighash (version)) - *hash_algo = GNUTLS_DIG_SHA1; - else - { - *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]); + *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]); - ret = _gnutls_session_sign_algo_requested(session, _gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo)); - if (ret < 0) - return gnutls_assert_val(ret); - } + /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */ + if (!_gnutls_version_has_selectable_sighash (version) && *hash_algo != GNUTLS_DIG_SHA1) + return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL); + + ret = _gnutls_session_sign_algo_requested(session, _gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo)); + if (ret < 0) + return gnutls_assert_val(ret); } else { diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 13b3e4fc8a..cc64d6290a 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -1715,6 +1715,7 @@ extern "C" #define GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE -213 #define GNUTLS_E_BAD_COOKIE -214 #define GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR -215 +#define GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL -216 /* PKCS11 related */ #define GNUTLS_E_PKCS11_ERROR -300