diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-04-20 19:45:20 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-04-20 19:45:20 +0200 |
commit | 1a02ec18e9e39f82cee7f9cff74e1f1574bac472 (patch) | |
tree | 34ac890b66df56a45e7c16bb2861b7bc860c1068 /lib/ext | |
parent | 8d328d1a17fc98073a55d94b7de17e55987494ef (diff) | |
download | gnutls-1a02ec18e9e39f82cee7f9cff74e1f1574bac472.tar.gz |
Eliminated the need for sign_algo in gnutls_pcert_st. This means
that we don't follow RFC5246 by letter, but there wasn't any other
implementation using the sign_algorithm part of the certificate
selection, and this helps reduce complexity.
Diffstat (limited to 'lib/ext')
-rw-r--r-- | lib/ext/signature.c | 60 | ||||
-rw-r--r-- | lib/ext/signature.h | 2 |
2 files changed, 1 insertions, 61 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c index ad8f3b8087..61e33df1a9 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -251,8 +251,7 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t session, } /* Returns a requested by the peer signature algorithm that - * matches the given public key algorithm. Index can be increased - * to return the second choice etc. + * matches the given certificate's public key algorithm. */ gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert) @@ -293,63 +292,6 @@ _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert) return GNUTLS_SIGN_UNKNOWN; } - -/* Check if the given signature algorithm is accepted by - * the peer. Returns 0 on success or a negative value - * on error. - */ -int -_gnutls_session_sign_algo_requested (gnutls_session_t session, - gnutls_sign_algorithm_t sig) -{ - unsigned i; - int ret, hash; - gnutls_protocol_t ver = gnutls_protocol_get_version (session); - sig_ext_st *priv; - extension_priv_data_t epriv; - - if (!_gnutls_version_has_selectable_sighash (ver)) - { - return 0; - } - - ret = - _gnutls_ext_get_session_data (session, - GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS, - &epriv); - if (ret < 0) - { - gnutls_assert (); - /* extension not received allow SHA1 and SHA256 */ - hash = _gnutls_sign_get_hash_algorithm (sig); - if (hash == GNUTLS_DIG_SHA1 || hash == GNUTLS_DIG_SHA256) - return 0; - else - return ret; - } - priv = epriv.ptr; - - if (priv->sign_algorithms_size == 0) - /* none set, allow all */ - { - return 0; - } - - for (i = 0; i < priv->sign_algorithms_size; i++) - { - _gnutls_handshake_log("HSK[%p]: allowed sign algorithm: %s (%d)-- want %s (%d)\n", session, - gnutls_sign_get_name(priv->sign_algorithms[i]), priv->sign_algorithms[i], - gnutls_sign_get_name(sig), sig); - - if (priv->sign_algorithms[i] == sig) - { - return 0; /* ok */ - } - } - - return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM; -} - /* Check if the given signature algorithm is supported. * This means that it is enabled by the priority functions, * and in case of a server a matching certificate exists. diff --git a/lib/ext/signature.h b/lib/ext/signature.h index 89b31d7221..0c74e3e634 100644 --- a/lib/ext/signature.h +++ b/lib/ext/signature.h @@ -32,8 +32,6 @@ extern extension_entry_st ext_mod_sig; -int _gnutls_session_sign_algo_requested (gnutls_session_t session, - gnutls_sign_algorithm_t sig); gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_pcert_st* cert); int _gnutls_sign_algorithm_parse_data (gnutls_session_t session, |