aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_policy.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-08-31 19:09:22 -0400
committerJack Lloyd <[email protected]>2017-08-31 19:20:10 -0400
commitd42bbd3540f09dd154123e97032f5bfc0b110c4e (patch)
tree0f3676a25963544b06d7c6c339f9828d95f36363 /src/lib/tls/tls_policy.cpp
parentc53cfda7b5e2f57927041c67be9db10b18b2ba8a (diff)
Enforce signature hash policy properly
Previously if the client did not send signature_algorithms, or if it only included algos not in the policy, we would just fallback to the hardcoded SHA-1 default of TLS v1.2 Instead check the policy before accepting anything.
Diffstat (limited to 'src/lib/tls/tls_policy.cpp')
-rw-r--r--src/lib/tls/tls_policy.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 60f8957c0..ac71024ee 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -93,6 +93,11 @@ bool Policy::allowed_signature_method(const std::string& sig_method) const
return value_exists(allowed_signature_methods(), sig_method);
}
+bool Policy::allowed_signature_hash(const std::string& sig_hash) const
+ {
+ return value_exists(allowed_signature_hashes(), sig_hash);
+ }
+
std::vector<std::string> Policy::allowed_ecc_curves() const
{
// Default list is ordered by performance