]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Eliminated the need for sign_algo in gnutls_pcert_st. This means
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 20 Apr 2011 17:45:20 +0000 (19:45 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 20 Apr 2011 17:45:20 +0000 (19:45 +0200)
that we don't follow RFC5246 by letter, but there wasn't any other
implementation using the sign_algorithm part of the certificate
selection, and this helps reduce complexity.

lib/auth/cert.c
lib/ext/signature.c
lib/ext/signature.h
lib/gnutls_pcert.c
lib/includes/gnutls/abstract.h
lib/libgnutls.map

index 275e9bf40b2da15fc23648024e85e86a82cb9b29..39cf8edbd033734a4592860cdcd6760fe72fffd4 100644 (file)
@@ -1121,14 +1121,6 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t session,
           goto cleanup;
         }
 
-       ret = _gnutls_session_sign_algo_enabled (session,
-                             peer_certificate_list[j].sign_algo);
-      if (ret < 0)
-        {
-          gnutls_assert ();
-          goto cleanup;
-        }
-       
       p += len;
     }
 
@@ -2086,11 +2078,7 @@ _gnutls_server_select_cert (gnutls_session_t session,
            */
          /* *INDENT-OFF* */
          if (session->security_parameters.cert_type == cred->cert_list[i][0].type
-             && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP
-                 ||    /* FIXME: make this a check for certificate
-                          type capabilities */
-                 _gnutls_session_sign_algo_requested
-                 (session, cred->cert_list[i][0].sign_algo) == 0))
+             && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP))
            {
              idx = i;
              break;
index ad8f3b80876edfc58ff455b4d2259f0fba245372..61e33df1a967953294bd982acba43957b8df9662 100644 (file)
@@ -251,8 +251,7 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t session,
 }
 
 /* Returns a requested by the peer signature algorithm that
- * matches the given public key algorithm. Index can be increased
- * to return the second choice etc.
+ * matches the given certificate's public key algorithm. 
  */
 gnutls_sign_algorithm_t
 _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert)
@@ -293,63 +292,6 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert)
   return GNUTLS_SIGN_UNKNOWN;
 }
 
-
-/* Check if the given signature algorithm is accepted by
- * the peer. Returns 0 on success or a negative value
- * on error.
- */
-int
-_gnutls_session_sign_algo_requested (gnutls_session_t session,
-                                     gnutls_sign_algorithm_t sig)
-{
-  unsigned i;
-  int ret, hash;
-  gnutls_protocol_t ver = gnutls_protocol_get_version (session);
-  sig_ext_st *priv;
-  extension_priv_data_t epriv;
-
-  if (!_gnutls_version_has_selectable_sighash (ver))
-    {
-      return 0;
-    }
-
-  ret =
-    _gnutls_ext_get_session_data (session,
-                                  GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
-                                  &epriv);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      /* extension not received allow SHA1 and SHA256 */
-      hash = _gnutls_sign_get_hash_algorithm (sig);
-      if (hash == GNUTLS_DIG_SHA1 || hash == GNUTLS_DIG_SHA256)
-        return 0;
-      else
-        return ret;
-    }
-  priv = epriv.ptr;
-
-  if (priv->sign_algorithms_size == 0)
-    /* none set, allow all */
-    {
-      return 0;
-    }
-
-  for (i = 0; i < priv->sign_algorithms_size; i++)
-    {
-      _gnutls_handshake_log("HSK[%p]: allowed sign algorithm: %s (%d)-- want %s (%d)\n", session,
-            gnutls_sign_get_name(priv->sign_algorithms[i]), priv->sign_algorithms[i],
-            gnutls_sign_get_name(sig), sig);
-            
-      if (priv->sign_algorithms[i] == sig)
-        {
-          return 0;             /* ok */
-        }
-    }
-
-  return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-}
-
 /* Check if the given signature algorithm is supported.
  * This means that it is enabled by the priority functions,
  * and in case of a server a matching certificate exists.
index 89b31d7221abf72cd70fb9990ed1029ef8d6d9d1..0c74e3e634f1bd4d729fea823fec4ca3d88aa8b9 100644 (file)
@@ -32,8 +32,6 @@
 
 extern extension_entry_st ext_mod_sig;
 
-int _gnutls_session_sign_algo_requested (gnutls_session_t session,
-                                         gnutls_sign_algorithm_t sig);
 gnutls_sign_algorithm_t
 _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert);
 int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
index 8787058c73419217e0204112c4cb44c022242fe0..555c62c1cb771b878cfb9a1eaf2cfa7aa9b29e4f 100644 (file)
@@ -53,7 +53,6 @@ size_t sz;
   memset(pcert, 0, sizeof(*pcert));
 
   pcert->type = GNUTLS_CRT_X509;
-  pcert->sign_algo = gnutls_x509_crt_get_signature_algorithm(crt);
   pcert->cert.data = NULL;
 
   sz = 0;
@@ -173,7 +172,6 @@ size_t sz;
   memset(pcert, 0, sizeof(*pcert));
 
   pcert->type = GNUTLS_CRT_OPENPGP;
-  pcert->sign_algo = GNUTLS_SIGN_UNKNOWN;
   pcert->cert.data = NULL;
 
   sz = 0;
index 33eefef83b2118394bb2e3de1b16d501e43d231a..85a427ff414c8cd62161f894cf03cb8206d57ce1 100644 (file)
@@ -156,9 +156,8 @@ int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq,
 /* pcert */
 typedef struct gnutls_pcert_st {
        gnutls_pubkey_t pubkey;
-  gnutls_datum_t cert;
+       gnutls_datum_t cert;
        gnutls_certificate_type_t type;    /* type of the certificate */
-       gnutls_sign_algorithm_t sign_algo; /* sign algorithm of the certificate */
 } gnutls_pcert_st;
 
 /* Do not initialize the "cert" element of
index 85b301c7e9e58169561d52ed34226bce7a28545d..0b93d685494a369fbe6efc9591cc637ddc182164 100644 (file)
@@ -702,6 +702,12 @@ GNUTLS_3_0_0 {
        gnutls_dtls_prestate_set;
        gnutls_dtls_get_data_mtu;
        gnutls_cipher_set_iv;
+       gnutls_pcert_deinit;
+       gnutls_pcert_import_x509;
+       gnutls_pcert_import_x509_raw;
+       gnutls_pcert_import_openpgp;
+       gnutls_pcert_import_openpgp_raw;
+       gnutls_pubkey_get_openpgp_key_id;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {