diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-04-17 12:13:46 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-04-17 23:46:30 +0200 |
| commit | 61d8cae724446a5f4531d20c285e186b9ba45b6d (patch) | |
| tree | 88cf60c96bbb0e207dd122b9e45e63aecad3dae8 /lib/ext/signature.c | |
| parent | b4fb5cc26affff88970954b223215edb8df56e84 (diff) | |
| download | gnutls-61d8cae724446a5f4531d20c285e186b9ba45b6d.tar.gz | |
Combined external abstract API with internal usage of gnutls_cert.
This results to a gnutls_pcert_st struct exported in abstract.h.
This change will allow a certificate retrieval callback that
does not require gnutls to decode or encode the provided certificate.
Diffstat (limited to 'lib/ext/signature.c')
| -rw-r--r-- | lib/ext/signature.c | 37 |
1 files changed, 8 insertions, 29 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 723ebd3cca..ad8f3b8087 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -35,7 +35,7 @@ #include <gnutls_num.h> #include <gnutls_algorithms.h> #include <x509/common.h> /* dsa_q_to_hash */ -#include <gnutls_cert.h> +#include <abstract_int.h> static int _gnutls_signature_algorithm_recv_params (gnutls_session_t session, const opaque * data, @@ -250,42 +250,21 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t session, return 0; } -int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, - gnutls_sign_algorithm_t sign) -{ - if (cert->subject_pk_algorithm == GNUTLS_PK_DSA) - { /* override */ - int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]); - - /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */ - if (!_gnutls_version_has_selectable_sighash (ver)) - { - if (hash_algo != GNUTLS_DIG_SHA1) - return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL); - } - else - { - if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo) - return GNUTLS_E_UNWANTED_ALGORITHM; - } - - } - - return 0; -} - /* Returns a requested by the peer signature algorithm that * matches the given public key algorithm. Index can be increased * to return the second choice etc. */ gnutls_sign_algorithm_t -_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert) +_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert) { unsigned i; int ret; gnutls_protocol_t ver = gnutls_protocol_get_version (session); sig_ext_st *priv; extension_priv_data_t epriv; + int cert_algo; + + cert_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL); ret = _gnutls_ext_get_session_data (session, @@ -297,14 +276,14 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert) || priv->sign_algorithms_size == 0) /* none set, allow SHA-1 only */ { - return _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, GNUTLS_DIG_SHA1); + return _gnutls_x509_pk_to_sign (cert_algo, GNUTLS_DIG_SHA1); } for (i = 0; i < priv->sign_algorithms_size; i++) { - if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == cert->subject_pk_algorithm) + if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == cert_algo) { - if (cert_compatible_with_sig(cert, ver, priv->sign_algorithms[i]) < 0) + if (_gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, priv->sign_algorithms[i]) < 0) continue; return priv->sign_algorithms[i]; |