*
* Returns: Non-zero if the provided signature algorithm is considered to be secure.
**/
-int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm)
+unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm)
+{
+ return gnutls_sign_is_secure2(algorithm, 0);
+}
+
+/**
+ * gnutls_sign_is_secure2:
+ * @algorithm: is a sign algorithm
+ * @flags: zero or %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS
+ *
+ * Returns: Non-zero if the provided signature algorithm is considered to be secure.
+ **/
+unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags)
{
gnutls_sign_algorithm_t sign = algorithm;
gnutls_digest_algorithm_t dig = GNUTLS_DIG_UNKNOWN;
/* avoid prefix */
GNUTLS_SIGN_ALG_LOOP(dig = p->hash);
- if (dig != GNUTLS_DIG_UNKNOWN)
- return _gnutls_digest_is_secure(hash_to_entry(dig));
+ if (dig != GNUTLS_DIG_UNKNOWN) {
+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
+ return _gnutls_digest_is_secure_for_certs(hash_to_entry(dig));
+ else
+ return _gnutls_digest_is_secure(hash_to_entry(dig));
+ }
return 0;
}
size_t
gnutls_mac_get_key_size(gnutls_mac_algorithm_t algorithm) __GNUTLS_CONST__;
-int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__;
+unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__;
+
+/* It is possible that a signature algorithm is ok to use for short-lived
+ * data (e.g., to sign a TLS session), but not for data that are long-lived
+ * like certificates. This flag is about checking the security of the algorithm
+ * for long-lived data. */
+#define GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS 1
+unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags) __GNUTLS_CONST__;
gnutls_digest_algorithm_t
gnutls_sign_get_hash_algorithm(gnutls_sign_algorithm_t sign) __GNUTLS_CONST__;
projects / thirdparty / gnutls.git / commitdiff
