
2014-09-11

2014-09-11 22:04:32 by Martin Nilsson <nilsson@opera.com>

Don't allow the GNU TLS workaround to remove all certificates.

171:    }    if (!found) return 0;    } -  } else { -  if (!(ke_mask & cp->ke_mask)) return 0; +  } else if (!(ke_mask & cp->ke_mask)) +  return 0;    -  // GNU-TLS doesn't like eg SHA being used with SHA256 certs. -  Crypto.Hash hash = [object(Crypto.Hash)]HASH_lookup[cp->sign_algs[0][0]]; -  if (!hash) return 0; -  if (hash->digest_size() > h_max) return 0; -  } -  +    #if constant(Crypto.ECC.Curve)    if (cp->key->curve) {    // Is the ECC curve supported by the client?
293:    certs = [array(CertificatePair)]    filter(certs, is_supported_cert, ke_mask, h_max, version, ecc_curves);    +  if( version<PROTOCOL_TLS_1_2 && sizeof(certs)>1 ) +  { +  // GNU-TLS doesn't like eg SHA being used with SHA256 certs. +  // FIXME: Can this be made more narrow? +  array(CertificatePair) c = [array(CertificatePair)] +  filter(certs, lambda(CertificatePair cp) +  { +  Crypto.Hash hash = [object(Crypto.Hash)] +  HASH_lookup[cp->sign_algs[0][0]]; +  return hash->digest_size() <= h_max; +  }); +  // Don't clear out the entire list though, as that makes all peers +  // fail. +  if( sizeof(c) ) +  certs = c; +  } +     SSL3_DEBUG_MSG("Client supported certificates: %O\n", certs);       // Find the set of key exchange algorithms supported by
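Review bot: The lambda in the new filter calls `hash->digest_size()` without the null check the removed code had (`if (!hash) return 0;`), so a certificate whose `cp->sign_algs[0][0]` has no entry in `HASH_lookup` would presumably raise a runtime error during certificate selection instead of being skipped. Returning `hash && hash->digest_size() <= h_max` restores the old handling of unknown hashes, and the `sizeof(c)` fallback still keeps the list from going empty. When that fallback triggers, a pre-TLS-1.2 peer is offered a certificate whose hash exceeds `h_max`, so an `SSL3_DEBUG_MSG` on that path would make the resulting handshake failures easier to diagnose. The enclosing function starts and ends outside the hunk.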