diff options
-rw-r--r-- | lib/algorithms.h | 4 | ||||
-rw-r--r-- | lib/algorithms/sign.c | 22 | ||||
-rw-r--r-- | lib/ext/signature.c | 2 | ||||
-rw-r--r-- | lib/tls13-sig.c | 4 |
4 files changed, 16 insertions, 16 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h index 7f27b2270d..84271e53b8 100644 --- a/lib/algorithms.h +++ b/lib/algorithms.h @@ -337,6 +337,7 @@ unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig); int _gnutls_version_mark_disabled(const char *name); gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name); +#define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */ struct gnutls_sign_entry_st { const char *name; const char *oid; @@ -353,8 +354,7 @@ struct gnutls_sign_entry_st { gnutls_pk_algorithm_t priv_pk; gnutls_pk_algorithm_t cert_pk; - /* non-zero if it is ok to use under TLS1.3 */ - unsigned tls13_ok; + unsigned flags; /* if this signature algorithm is restricted to a curve * under TLS 1.3. */ diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index 05bd88e3b8..6e4393b5dc 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c @@ -68,7 +68,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .pk = GNUTLS_PK_RSA_PSS, .priv_pk = GNUTLS_PK_RSA, /* PKCS#11 doesn't separate RSA from RSA-PSS privkeys */ .hash = GNUTLS_DIG_SHA256, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 9}, SIG_SEM_DEFAULT}}, {.name = "RSA-PSS-RSAE-SHA256", .oid = PK_PKIX1_RSA_PSS_OID, @@ -77,7 +77,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .cert_pk = GNUTLS_PK_RSA, .priv_pk = GNUTLS_PK_RSA, .hash = GNUTLS_DIG_SHA256, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 4}, SIG_SEM_DEFAULT}}, {.name = "RSA-PSS-SHA384", .oid = PK_PKIX1_RSA_PSS_OID, @@ -85,7 +85,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .pk = GNUTLS_PK_RSA_PSS, .priv_pk = GNUTLS_PK_RSA, .hash = GNUTLS_DIG_SHA384, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 0x0A}, SIG_SEM_DEFAULT}}, {.name = "RSA-PSS-RSAE-SHA384", .oid = PK_PKIX1_RSA_PSS_OID, @@ -94,7 +94,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .cert_pk = GNUTLS_PK_RSA, .priv_pk = GNUTLS_PK_RSA, .hash = GNUTLS_DIG_SHA384, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 5}, SIG_SEM_DEFAULT}}, {.name = "RSA-PSS-SHA512", .oid = PK_PKIX1_RSA_PSS_OID, @@ -102,7 +102,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .pk = GNUTLS_PK_RSA_PSS, .priv_pk = GNUTLS_PK_RSA, .hash = GNUTLS_DIG_SHA512, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 0x0B}, SIG_SEM_DEFAULT}}, {.name = "RSA-PSS-RSAE-SHA512", .oid = PK_PKIX1_RSA_PSS_OID, @@ -111,7 +111,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .cert_pk = GNUTLS_PK_RSA, .priv_pk = GNUTLS_PK_RSA, .hash = GNUTLS_DIG_SHA512, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 6}, SIG_SEM_DEFAULT}}, /* Ed25519: The hash algorithm here is set to be SHA512, although that is @@ -122,7 +122,7 @@ gnutls_sign_entry_st sign_algorithms[] = { .id = GNUTLS_SIGN_EDDSA_ED25519, .pk = GNUTLS_PK_EDDSA_ED25519, .hash = GNUTLS_DIG_SHA512, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{8, 7}, SIG_SEM_DEFAULT}}, /* ECDSA */ @@ -159,21 +159,21 @@ gnutls_sign_entry_st sign_algorithms[] = { .pk = GNUTLS_PK_ECDSA, .curve = GNUTLS_ECC_CURVE_SECP256R1, .hash = GNUTLS_DIG_SHA256, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{4, 3}, SIG_SEM_TLS13}}, {.name = "ECDSA-SECP384R1-SHA384", .id = GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, .pk = GNUTLS_PK_ECDSA, .curve = GNUTLS_ECC_CURVE_SECP384R1, .hash = GNUTLS_DIG_SHA384, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{5, 3}, SIG_SEM_TLS13}}, {.name = "ECDSA-SECP521R1-SHA512", .id = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, .pk = GNUTLS_PK_ECDSA, .curve = GNUTLS_ECC_CURVE_SECP521R1, .hash = GNUTLS_DIG_SHA512, - .tls13_ok = 1, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, .aid = {{6, 3}, SIG_SEM_TLS13}}, /* ECDSA-SHA3 */ @@ -763,7 +763,7 @@ const gnutls_sign_entry_st * _gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey) { GNUTLS_SIGN_LOOP( - if (p->tls13_ok && + if ((p->flags & GNUTLS_SIGN_FLAG_TLS13_OK) && _gnutls_privkey_compatible_with_sig(privkey, p->id)) { return p; } diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 28d88c5bfc..8dba4c6ca7 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -361,7 +361,7 @@ _gnutls_session_sign_algo_enabled(gnutls_session_t session, const gnutls_sign_entry_st *se; se = _gnutls_sign_to_entry(sig); - if (se == NULL || (se->tls13_ok == 0)) { + if (se == NULL || (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0) { gnutls_assert(); goto disallowed; } diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index 61f9d58209..e15d8305e2 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -74,7 +74,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - if (se->tls13_ok == 0) /* explicitly prohibited */ + if ((se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0) /* explicitly prohibited */ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage); @@ -152,7 +152,7 @@ _gnutls13_handshake_sign_data(gnutls_session_t session, gnutls_buffer_st buf; uint8_t tmp[MAX_HASH_SIZE]; - if (unlikely(se == NULL || se->tls13_ok == 0)) + if (unlikely(se == NULL || (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0)) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); if (unlikely(sign_supports_priv_pk_algorithm(se, pkey->pk_algorithm) == 0)) |