| blob | 48eb5358e3000e1497bb6b94a4faf088da7ca5d1 |
1 /*
2 * Copyright (C) 2002,2003,2004,2005,2009,2010,2011 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
26 /* This file contains the code the Certificate Type TLS extension.
27 * This extension is currently gnutls specific.
28 */
33 #include <ext_signature.h>
34 #include <gnutls_state.h>
35 #include <gnutls_num.h>
36 #include <gnutls_algorithms.h>
38 #include <gnutls_cert.h>
51 extension_entry_st ext_mod_sig = {
61 };
64 {
65 /* TLS 1.2 signature algorithms */
70 /* generates a SignatureAndHashAlgorithm structure with length as prefix
71 * by using the setup priorities.
72 */
73 int
76 {
82 {
85 }
93 {
94 /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot
95 * use anything else.
96 */
101 aid =
109 aid->sign_algorithm, gnutls_sign_get_name(session->internals.priorities.sign_algo.priority[j]));
111 p++;
113 p++;
115 }
120 }
123 /* Parses the Signature Algorithm structure and stores data into
124 * session->security_parameters.extensions.
125 */
126 int
129 {
132 extension_priv_data_t epriv;
136 {
139 }
142 {
143 sign_algorithm_st aid;
154 {
158 }
159 }
166 }
168 /*
169 * In case of a server: if a SIGNATURE_ALGORITHMS extension type is
170 * received then it stores into the session security parameters the
171 * new value.
172 *
173 * In case of a client: If a signature_algorithms have been specified
174 * then it is an error;
175 */
177 static int
181 {
186 {
187 /* nothing for now */
189 /* Although TLS 1.2 mandates that we must not accept reply
190 * to this message, there are good reasons to just ignore it. Check
191 * http://www.ietf.org/mail-archive/web/tls/current/msg03880.html
192 */
193 /* return GNUTLS_E_UNEXPECTED_PACKET; */
194 }
195 else
196 {
197 /* SERVER SIDE - we must check if the sent cert type is the right one
198 */
200 {
209 {
212 }
213 }
214 }
217 }
219 /* returns data_size or a negative number on failure
220 */
221 static int
224 {
228 /* this function sends the client extension data */
231 {
233 {
234 ret =
237 {
240 }
242 }
243 }
245 /* if we are here it means we don't send the extension */
247 }
250 gnutls_sign_algorithm_t sign)
251 {
258 /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
260 {
263 }
264 else
265 {
268 }
270 }
273 }
275 /* Returns a requested by the peer signature algorithm that
276 * matches the given public key algorithm. Index can be increased
277 * to return the second choice etc.
278 */
279 gnutls_sign_algorithm_t
281 {
286 extension_priv_data_t epriv;
288 ret =
290 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
296 /* none set, allow SHA-1 only */
297 {
299 }
302 {
304 {
309 }
310 }
313 }
316 /* Check if the given signature algorithm is accepted by
317 * the peer. Returns 0 on success or a negative value
318 * on error.
319 */
320 int
322 gnutls_sign_algorithm_t sig)
323 {
328 extension_priv_data_t epriv;
331 {
333 }
335 ret =
337 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
340 {
342 /* extension not received allow SHA1 and SHA256 */
346 else
348 }
352 /* none set, allow all */
353 {
355 }
358 {
360 {
362 }
363 }
366 }
368 /* Check if the given signature algorithm is supported.
369 * This means that it is enabled by the priority functions,
370 * and in case of a server a matching certificate exists.
371 */
372 int
374 gnutls_sign_algorithm_t sig)
375 {
380 extension_priv_data_t epriv;
382 ret =
384 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
387 {
390 }
395 /* none set, allow all */
396 {
398 }
401 {
403 {
405 }
406 }
409 }
411 static void
413 {
415 }
417 static int
419 {
425 {
427 }
429 }
431 static int
434 {
437 extension_priv_data_t epriv;
441 {
444 }
448 {
450 }
457 error:
460 }
464 /**
465 * gnutls_sign_algorithm_get_requested:
466 * @session: is a #gnutls_session_t structure.
467 * @indx: is an index of the signature algorithm to return
468 * @algo: the returned certificate type will be stored there
469 *
470 * Returns the signature algorithm specified by index that was
471 * requested by the peer. If the specified index has no data available
472 * this function returns %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE. If
473 * the negotiated TLS version does not support signature algorithms
474 * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned even
475 * for the first index. The first index is 0.
476 *
477 * This function is useful in the certificate callback functions
478 * to assist in selecting the correct certificate.
479 *
480 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
481 * an error code is returned.
482 *
483 * Since: 2.10.0
484 **/
485 int
489 {
492 extension_priv_data_t epriv;
495 ret =
497 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
500 {
503 }
508 {
510 }
513 {
516 }
517 else
519 }