goto cleanup;
}
- ret = _gnutls_session_sign_algo_enabled (session,
- peer_certificate_list[j].sign_algo);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
p += len;
}
*/
/* *INDENT-OFF* */
if (session->security_parameters.cert_type == cred->cert_list[i][0].type
- && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP
- || /* FIXME: make this a check for certificate
- type capabilities */
- _gnutls_session_sign_algo_requested
- (session, cred->cert_list[i][0].sign_algo) == 0))
+ && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP))
{
idx = i;
break;
}
/* Returns a requested by the peer signature algorithm that
- * matches the given public key algorithm. Index can be increased
- * to return the second choice etc.
+ * matches the given certificate's public key algorithm.
*/
gnutls_sign_algorithm_t
_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert)
return GNUTLS_SIGN_UNKNOWN;
}
-
-/* Check if the given signature algorithm is accepted by
- * the peer. Returns 0 on success or a negative value
- * on error.
- */
-int
-_gnutls_session_sign_algo_requested (gnutls_session_t session,
- gnutls_sign_algorithm_t sig)
-{
- unsigned i;
- int ret, hash;
- gnutls_protocol_t ver = gnutls_protocol_get_version (session);
- sig_ext_st *priv;
- extension_priv_data_t epriv;
-
- if (!_gnutls_version_has_selectable_sighash (ver))
- {
- return 0;
- }
-
- ret =
- _gnutls_ext_get_session_data (session,
- GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
- &epriv);
- if (ret < 0)
- {
- gnutls_assert ();
- /* extension not received allow SHA1 and SHA256 */
- hash = _gnutls_sign_get_hash_algorithm (sig);
- if (hash == GNUTLS_DIG_SHA1 || hash == GNUTLS_DIG_SHA256)
- return 0;
- else
- return ret;
- }
- priv = epriv.ptr;
-
- if (priv->sign_algorithms_size == 0)
- /* none set, allow all */
- {
- return 0;
- }
-
- for (i = 0; i < priv->sign_algorithms_size; i++)
- {
- _gnutls_handshake_log("HSK[%p]: allowed sign algorithm: %s (%d)-- want %s (%d)\n", session,
- gnutls_sign_get_name(priv->sign_algorithms[i]), priv->sign_algorithms[i],
- gnutls_sign_get_name(sig), sig);
-
- if (priv->sign_algorithms[i] == sig)
- {
- return 0; /* ok */
- }
- }
-
- return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-}
-
/* Check if the given signature algorithm is supported.
* This means that it is enabled by the priority functions,
* and in case of a server a matching certificate exists.
extern extension_entry_st ext_mod_sig;
-int _gnutls_session_sign_algo_requested (gnutls_session_t session,
- gnutls_sign_algorithm_t sig);
gnutls_sign_algorithm_t
_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert);
int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
memset(pcert, 0, sizeof(*pcert));
pcert->type = GNUTLS_CRT_X509;
- pcert->sign_algo = gnutls_x509_crt_get_signature_algorithm(crt);
pcert->cert.data = NULL;
sz = 0;
memset(pcert, 0, sizeof(*pcert));
pcert->type = GNUTLS_CRT_OPENPGP;
- pcert->sign_algo = GNUTLS_SIGN_UNKNOWN;
pcert->cert.data = NULL;
sz = 0;
gnutls_dtls_prestate_set;
gnutls_dtls_get_data_mtu;
gnutls_cipher_set_iv;
+ gnutls_pcert_deinit;
+ gnutls_pcert_import_x509;
+ gnutls_pcert_import_x509_raw;
+ gnutls_pcert_import_openpgp;
+ gnutls_pcert_import_openpgp_raw;
+ gnutls_pubkey_get_openpgp_key_id;
} GNUTLS_2_12;
GNUTLS_PRIVATE {