]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
ext/signature: use GOST signatures for GOST ciphersiuites
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Wed, 17 Jul 2019 16:41:47 +0000 (19:41 +0300)
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Wed, 18 Dec 2019 20:42:47 +0000 (23:42 +0300)
draft-smyshlyaev-tls12-gost-suites limits SignatureAndHash algorithms
in CertificateRequest message to GOST values if GOST cipher suite is
selected.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
lib/algorithms.h
lib/ext/signature.c

index a01cc9cb8cb62530ab72a9f37d7172ce363fd2ef..fadf2698713267887d87350df0164150a1360c23 100644 (file)
@@ -496,6 +496,16 @@ static inline unsigned _gnutls_kx_is_vko_gost(gnutls_kx_algorithm_t kx)
        return 0;
 }
 
+static inline bool
+_sign_is_gost(const gnutls_sign_entry_st *se)
+{
+       gnutls_pk_algorithm_t pk = se->pk;
+
+       return  (pk == GNUTLS_PK_GOST_01) ||
+               (pk == GNUTLS_PK_GOST_12_256) ||
+               (pk == GNUTLS_PK_GOST_12_512);
+}
+
 static inline int _sig_is_ecdsa(gnutls_sign_algorithm_t sig)
 {
        if (sig == GNUTLS_SIGN_ECDSA_SHA1 || sig == GNUTLS_SIGN_ECDSA_SHA224 ||
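Review bot: `_sign_is_gost` dereferences `se` without a NULL guard, and nothing documents that the caller must pass a valid entry, although the result decides which signature algorithms get advertised. I would add a short contract comment above it, for example `/* True if the entry's pk is one of the GOST public-key algorithms; se must not be NULL. */`. On style, the two neighbouring predicates visible in this hunk (`_gnutls_kx_is_vko_gost`, `_sig_is_ecdsa`) return `unsigned`/`int`, while this one returns `bool`. Either match them or confirm that `<stdbool.h>` is reachable from every file that includes this header. The doubled space after `return` can go as well.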
index 8dba4c6ca7ce2c76b09b07c2c79cd143a2173dcb..3f3652f51e1d0890e61da7a3c2b066a87227f430 100644 (file)
@@ -97,6 +97,12 @@ _gnutls_sign_algorithm_write_params(gnutls_session_t session,
                if (prev && prev->id[0] == aid->id[0] && prev->id[1] == aid->id[1])
                        continue;
 
+               /* Ignore non-GOST sign types for CertReq */
+               if (session->security_parameters.cs &&
+                   _gnutls_kx_is_vko_gost(session->security_parameters.cs->kx_algorithm) &&
+                   !_sign_is_gost(session->internals.priorities->sigalg.entry[i]))
+                       continue;
+
                _gnutls_handshake_log
                    ("EXT[%p]: sent signature algo (%d.%d) %s\n", session,
                     (int)aid->id[0], (int)aid->id[1],
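Review bot: When a VKO-GOST key exchange is negotiated but the priority set enables no GOST signature algorithm, the new `continue` after the `!_sign_is_gost(...)` test skips every entry, so the list may be written empty. The code after the loop is outside this hunk, so it is worth confirming that this case is detected and fails the handshake explicitly rather than sending a request the client cannot satisfy. The comment says "for CertReq", but the condition only tests the current cipher suite, not the role or the message being written. If this writer is also used for the ClientHello extension with `security_parameters.cs` already set (for example on a rehandshake), the filter would apply there too. I would make the intent explicit in the comment, for example `/* draft-smyshlyaev-tls12-gost-suites: with a GOST cipher suite, advertise only GOST signature algorithms in CertificateRequest */`, and gate on the server side if that is the only intended path.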