From: Nikos Mavrogiannopoulos Date: Wed, 20 Apr 2011 17:45:20 +0000 (+0200) Subject: Eliminated the need for sign_algo in gnutls_pcert_st. This means X-Git-Tag: gnutls_2_99_1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a02ec18e9e39f82cee7f9cff74e1f1574bac472;p=thirdparty%2Fgnutls.git Eliminated the need for sign_algo in gnutls_pcert_st. This means that we don't follow RFC5246 by letter, but there wasn't any other implementation using the sign_algorithm part of the certificate selection, and this helps reduce complexity. --- diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 275e9bf40b..39cf8edbd0 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -1121,14 +1121,6 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t session, goto cleanup; } - ret = _gnutls_session_sign_algo_enabled (session, - peer_certificate_list[j].sign_algo); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - p += len; } @@ -2086,11 +2078,7 @@ _gnutls_server_select_cert (gnutls_session_t session, */ /* *INDENT-OFF* */ if (session->security_parameters.cert_type == cred->cert_list[i][0].type - && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP - || /* FIXME: make this a check for certificate - type capabilities */ - _gnutls_session_sign_algo_requested - (session, cred->cert_list[i][0].sign_algo) == 0)) + && (cred->cert_list[i][0].type == GNUTLS_CRT_OPENPGP)) { idx = i; break; diff --git a/lib/ext/signature.c b/lib/ext/signature.c index ad8f3b8087..61e33df1a9 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -251,8 +251,7 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t session, } /* Returns a requested by the peer signature algorithm that - * matches the given public key algorithm. Index can be increased - * to return the second choice etc. + * matches the given certificate's public key algorithm. */ gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert) @@ -293,63 +292,6 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert) return GNUTLS_SIGN_UNKNOWN; } - -/* Check if the given signature algorithm is accepted by - * the peer. Returns 0 on success or a negative value - * on error. - */ -int -_gnutls_session_sign_algo_requested (gnutls_session_t session, - gnutls_sign_algorithm_t sig) -{ - unsigned i; - int ret, hash; - gnutls_protocol_t ver = gnutls_protocol_get_version (session); - sig_ext_st *priv; - extension_priv_data_t epriv; - - if (!_gnutls_version_has_selectable_sighash (ver)) - { - return 0; - } - - ret = - _gnutls_ext_get_session_data (session, - GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS, - &epriv); - if (ret < 0) - { - gnutls_assert (); - /* extension not received allow SHA1 and SHA256 */ - hash = _gnutls_sign_get_hash_algorithm (sig); - if (hash == GNUTLS_DIG_SHA1 || hash == GNUTLS_DIG_SHA256) - return 0; - else - return ret; - } - priv = epriv.ptr; - - if (priv->sign_algorithms_size == 0) - /* none set, allow all */ - { - return 0; - } - - for (i = 0; i < priv->sign_algorithms_size; i++) - { - _gnutls_handshake_log("HSK[%p]: allowed sign algorithm: %s (%d)-- want %s (%d)\n", session, - gnutls_sign_get_name(priv->sign_algorithms[i]), priv->sign_algorithms[i], - gnutls_sign_get_name(sig), sig); - - if (priv->sign_algorithms[i] == sig) - { - return 0; /* ok */ - } - } - - return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM; -} - /* Check if the given signature algorithm is supported. * This means that it is enabled by the priority functions, * and in case of a server a matching certificate exists. diff --git a/lib/ext/signature.h b/lib/ext/signature.h index 89b31d7221..0c74e3e634 100644 --- a/lib/ext/signature.h +++ b/lib/ext/signature.h @@ -32,8 +32,6 @@ extern extension_entry_st ext_mod_sig; -int _gnutls_session_sign_algo_requested (gnutls_session_t session, - gnutls_sign_algorithm_t sig); gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert); int _gnutls_sign_algorithm_parse_data (gnutls_session_t session, diff --git a/lib/gnutls_pcert.c b/lib/gnutls_pcert.c index 8787058c73..555c62c1cb 100644 --- a/lib/gnutls_pcert.c +++ b/lib/gnutls_pcert.c @@ -53,7 +53,6 @@ size_t sz; memset(pcert, 0, sizeof(*pcert)); pcert->type = GNUTLS_CRT_X509; - pcert->sign_algo = gnutls_x509_crt_get_signature_algorithm(crt); pcert->cert.data = NULL; sz = 0; @@ -173,7 +172,6 @@ size_t sz; memset(pcert, 0, sizeof(*pcert)); pcert->type = GNUTLS_CRT_OPENPGP; - pcert->sign_algo = GNUTLS_SIGN_UNKNOWN; pcert->cert.data = NULL; sz = 0; diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h index 33eefef83b..85a427ff41 100644 --- a/lib/includes/gnutls/abstract.h +++ b/lib/includes/gnutls/abstract.h @@ -156,9 +156,8 @@ int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, /* pcert */ typedef struct gnutls_pcert_st { gnutls_pubkey_t pubkey; - gnutls_datum_t cert; + gnutls_datum_t cert; gnutls_certificate_type_t type; /* type of the certificate */ - gnutls_sign_algorithm_t sign_algo; /* sign algorithm of the certificate */ } gnutls_pcert_st; /* Do not initialize the "cert" element of diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 85b301c7e9..0b93d68549 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -702,6 +702,12 @@ GNUTLS_3_0_0 { gnutls_dtls_prestate_set; gnutls_dtls_get_data_mtu; gnutls_cipher_set_iv; + gnutls_pcert_deinit; + gnutls_pcert_import_x509; + gnutls_pcert_import_x509_raw; + gnutls_pcert_import_openpgp; + gnutls_pcert_import_openpgp_raw; + gnutls_pubkey_get_openpgp_key_id; } GNUTLS_2_12; GNUTLS_PRIVATE {