sign: convert tls13_ok to flags field
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Mon, 21 Oct 2019 12:55:47 +0000 (15:55 +0300)
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Mon, 21 Oct 2019 20:49:54 +0000 (23:49 +0300)
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
lib/algorithms.h
lib/algorithms/sign.c
lib/ext/signature.c
lib/tls13-sig.c

index 7f27b2270d560a7e567a84f2f78a32313ea595d9..84271e53b882f52e9e8c043c5af6c6f3e970d524 100644 (file)
@@ -337,6 +337,7 @@ unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
 int _gnutls_version_mark_disabled(const char *name);
 gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
 
+#define GNUTLS_SIGN_FLAG_TLS13_OK      1 /* if it is ok to use under TLS1.3 */
 struct gnutls_sign_entry_st {
        const char *name;
        const char *oid;
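Review bot: The new `GNUTLS_SIGN_FLAG_TLS13_OK` is defined as a bare `1` although every user tests it with `&` as one bit of `flags`; writing it as `#define GNUTLS_SIGN_FLAG_TLS13_OK (1 << 0)` keeps the expansion parenthesised and makes it obvious that later flags must take distinct bits. The comment could also say that a table entry which omits `.flags` is zero-initialised and is therefore refused under TLS 1.3, since the checks in lib/ext/signature.c and lib/tls13-sig.c depend on that fail-closed default. The struct definition that follows continues outside the hunk.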
@@ -353,8 +354,7 @@ struct gnutls_sign_entry_st {
        gnutls_pk_algorithm_t priv_pk;
        gnutls_pk_algorithm_t cert_pk;
 
-       /* non-zero if it is ok to use under TLS1.3 */
-       unsigned tls13_ok;
+       unsigned flags;
 
        /* if this signature algorithm is restricted to a curve
         * under TLS 1.3. */
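Review bot: The replacement member `unsigned flags;` drops the comment that documented `tls13_ok`, so the struct no longer says what the field holds or which values are valid. A one-line comment above it, for example `/* bitmask of GNUTLS_SIGN_FLAG_* values */`, would restore that. The struct begins and ends outside the hunk.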
index 05bd88e3b8a318c1aef35bc63f4517763c4b5edb..6e4393b5dcb8ead27f564e8ce7dacc96f5641376 100644 (file)
@@ -68,7 +68,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .pk = GNUTLS_PK_RSA_PSS,
         .priv_pk = GNUTLS_PK_RSA, /* PKCS#11 doesn't separate RSA from RSA-PSS privkeys */
         .hash = GNUTLS_DIG_SHA256,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 9}, SIG_SEM_DEFAULT}},
        {.name = "RSA-PSS-RSAE-SHA256",
         .oid = PK_PKIX1_RSA_PSS_OID,
@@ -77,7 +77,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .cert_pk = GNUTLS_PK_RSA,
         .priv_pk = GNUTLS_PK_RSA,
         .hash = GNUTLS_DIG_SHA256,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 4}, SIG_SEM_DEFAULT}},
        {.name = "RSA-PSS-SHA384",
         .oid = PK_PKIX1_RSA_PSS_OID,
@@ -85,7 +85,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .pk = GNUTLS_PK_RSA_PSS,
         .priv_pk = GNUTLS_PK_RSA,
         .hash = GNUTLS_DIG_SHA384,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 0x0A}, SIG_SEM_DEFAULT}},
        {.name = "RSA-PSS-RSAE-SHA384",
         .oid = PK_PKIX1_RSA_PSS_OID,
@@ -94,7 +94,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .cert_pk = GNUTLS_PK_RSA,
         .priv_pk = GNUTLS_PK_RSA,
         .hash = GNUTLS_DIG_SHA384,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 5}, SIG_SEM_DEFAULT}},
        {.name = "RSA-PSS-SHA512",
         .oid = PK_PKIX1_RSA_PSS_OID,
@@ -102,7 +102,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .pk = GNUTLS_PK_RSA_PSS,
         .priv_pk = GNUTLS_PK_RSA,
         .hash = GNUTLS_DIG_SHA512,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 0x0B}, SIG_SEM_DEFAULT}},
        {.name = "RSA-PSS-RSAE-SHA512",
         .oid = PK_PKIX1_RSA_PSS_OID,
@@ -111,7 +111,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .cert_pk = GNUTLS_PK_RSA,
         .priv_pk = GNUTLS_PK_RSA,
         .hash = GNUTLS_DIG_SHA512,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 6}, SIG_SEM_DEFAULT}},
 
         /* Ed25519: The hash algorithm here is set to be SHA512, although that is
@@ -122,7 +122,7 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .id = GNUTLS_SIGN_EDDSA_ED25519,
         .pk = GNUTLS_PK_EDDSA_ED25519,
         .hash = GNUTLS_DIG_SHA512,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{8, 7}, SIG_SEM_DEFAULT}},
 
         /* ECDSA */
@@ -159,21 +159,21 @@ gnutls_sign_entry_st sign_algorithms[] = {
         .pk = GNUTLS_PK_ECDSA,
         .curve = GNUTLS_ECC_CURVE_SECP256R1,
         .hash = GNUTLS_DIG_SHA256,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{4, 3}, SIG_SEM_TLS13}},
        {.name = "ECDSA-SECP384R1-SHA384",
         .id = GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
         .pk = GNUTLS_PK_ECDSA,
         .curve = GNUTLS_ECC_CURVE_SECP384R1,
         .hash = GNUTLS_DIG_SHA384,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{5, 3}, SIG_SEM_TLS13}},
        {.name = "ECDSA-SECP521R1-SHA512",
         .id = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
         .pk = GNUTLS_PK_ECDSA,
         .curve = GNUTLS_ECC_CURVE_SECP521R1,
         .hash = GNUTLS_DIG_SHA512,
-        .tls13_ok = 1,
+        .flags = GNUTLS_SIGN_FLAG_TLS13_OK,
         .aid = {{6, 3}, SIG_SEM_TLS13}},
 
         /* ECDSA-SHA3 */
@@ -763,7 +763,7 @@ const gnutls_sign_entry_st *
 _gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey)
 {
        GNUTLS_SIGN_LOOP(
-               if (p->tls13_ok &&
+               if ((p->flags & GNUTLS_SIGN_FLAG_TLS13_OK) &&
                    _gnutls_privkey_compatible_with_sig(privkey, p->id)) {
                        return p;
                }
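Review bot: This site tests the flag by truthiness, `(p->flags & GNUTLS_SIGN_FLAG_TLS13_OK) &&`, while the sites changed in lib/ext/signature.c and lib/tls13-sig.c compare the masked value with `== 0`, so the same policy check is now spelled two ways across four places. A single predicate next to the flag definition would keep them in step when more flags are added, for example `static inline unsigned sign_tls13_ok(const gnutls_sign_entry_st *se) { return (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) != 0; }` (the name is illustrative). The loop body continues outside the hunk.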
index 28d88c5bfcddcdcaa129bcd1d1caf7d43cc08e5b..8dba4c6ca7ce2c76b09b07c2c79cd143a2173dcb 100644 (file)
@@ -361,7 +361,7 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session,
                const gnutls_sign_entry_st *se;
 
                se = _gnutls_sign_to_entry(sig);
-               if (se == NULL || (se->tls13_ok == 0)) {
+               if (se == NULL || (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0) {
                        gnutls_assert();
                        goto disallowed;
                }
index 61f9d58209163e7752ffdc75156876f28109f33a..e15d8305e285f70c69cdfc218347f1d77605f046 100644 (file)
@@ -74,7 +74,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session,
        if (ret < 0)
                return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
-       if (se->tls13_ok == 0) /* explicitly prohibited */
+       if ((se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0) /* explicitly prohibited */
                return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
        gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
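Review bot: `se` is dereferenced in `(se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0` with no NULL test in the visible lines, whereas `_gnutls13_handshake_sign_data` in the next hunk checks `se == NULL` before reading the flag. The function starts outside the hunk, so an earlier check or a caller guarantee may already cover this. If neither exists, the guard should read `if (se == NULL || (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0)`, because on the verify path the entry is presumably looked up from a value the peer supplied.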
@@ -152,7 +152,7 @@ _gnutls13_handshake_sign_data(gnutls_session_t session,
        gnutls_buffer_st buf;
        uint8_t tmp[MAX_HASH_SIZE];
 
-       if (unlikely(se == NULL || se->tls13_ok == 0))
+       if (unlikely(se == NULL || (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0))
                return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
        if (unlikely(sign_supports_priv_pk_algorithm(se, pkey->pk_algorithm) == 0))