priority: filter out ciphersuites with prf blocked by insecure-hash
authorAlexander Sosedkin <asosedkin@redhat.com>
Wed, 20 Oct 2021 12:36:44 +0000 (14:36 +0200)
committerAlexander Sosedkin <asosedkin@redhat.com>
Thu, 21 Oct 2021 08:47:08 +0000 (10:47 +0200)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/priority.c

index 0530bcb9e53cf3113b6e9c3d13fb982815eeb7f3..55d68d734cff434c79b0497fa99b2c1c6ebd8f28 100644 (file)
@@ -1539,6 +1539,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
        unsigned have_tls13 = 0, have_srp = 0;
        unsigned have_pre_tls12 = 0, have_tls12 = 0;
        unsigned have_psk = 0, have_null = 0, have_rsa_psk = 0;
+       gnutls_digest_algorithm_t prf_digest;
 
        /* have_psk indicates that a PSK key exchange compatible
         * with TLS1.3 is enabled. */
@@ -1685,6 +1686,12 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
                        if (ce == NULL)
                                continue;
 
+                       prf_digest = MAC_TO_DIG(ce->prf);
+                       if (prf_digest == GNUTLS_DIG_UNKNOWN)
+                               continue;
+                       if (_gnutls_digest_is_insecure(prf_digest))
+                               continue;
+
                        if (priority_cache->cs.size < MAX_CIPHERSUITE_SIZE)
                                priority_cache->cs.entry[priority_cache->cs.size++] = ce;
                }
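Review bot: The five-line PRF filter added here is repeated verbatim in the next hunk (the TLS 1.2-and-earlier loop), so the two copies of a security-relevant check can drift apart. I would move it into one small static helper that both loops call, and declare `prf_digest` inside it rather than at function scope as the first hunk does. The helper is also the natural place for a debug-level message, because a suite dropped by either `continue` currently leaves no trace for an administrator who marks a hash insecure and then sees handshakes fail. The helper name below is a suggestion, and `set_ciphersuite_list` starts and ends outside this hunk.

```c
/* Non-zero when the suite's PRF hash is known and not marked insecure. */
static unsigned cs_prf_is_allowed(const gnutls_cipher_suite_entry_st *ce)
{
	gnutls_digest_algorithm_t prf_digest = MAC_TO_DIG(ce->prf);

	if (prf_digest != GNUTLS_DIG_UNKNOWN &&
	    !_gnutls_digest_is_insecure(prf_digest))
		return 1;

	_gnutls_debug_log("priority: skipping %s, PRF hash unknown or marked insecure\n",
			  ce->name);
	return 0;
}

/* … unchanged: loops and ce lookup in set_ciphersuite_list … */
			if (ce == NULL)
				continue;

			if (!cs_prf_is_allowed(ce))
				continue;
```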
@@ -1700,6 +1707,12 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
                                if (ce == NULL)
                                        continue;
 
+                               prf_digest = MAC_TO_DIG(ce->prf);
+                               if (prf_digest == GNUTLS_DIG_UNKNOWN)
+                                       continue;
+                               if (_gnutls_digest_is_insecure(prf_digest))
+                                       continue;
+
                                if (priority_cache->cs.size == MAX_CIPHERSUITE_SIZE)
                                        continue;
                                priority_cache->cs.entry[priority_cache->cs.size++] = ce;
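Review bot: With this second filter in place, a configuration that marks every usable PRF hash insecure can leave `priority_cache->cs.size` at 0 after both loops, and nothing in the visible lines shows how that case is reported. The rest of `set_ciphersuite_list` is outside the hunk, so please confirm that it returns an error for an empty list rather than succeeding with no suites. A test that sets the relevant hashes insecure and asserts the priority-setting call fails would pin this. It would also help to add a comment above the new check, such as `/* drop suites whose PRF hash is unknown or marked insecure by configuration */`, so the reason for the `GNUTLS_DIG_UNKNOWN` branch is on record.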