| blob | dca222f8bb0b83ccebbf3aa207365f4d59784c12 |
1 /*
2 * Copyright (C) 2002,2003,2004,2005,2009,2010,2011 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
26 /* This file contains the code the Certificate Type TLS extension.
27 * This extension is currently gnutls specific.
28 */
33 #include <ext_signature.h>
34 #include <gnutls_state.h>
35 #include <gnutls_num.h>
36 #include <gnutls_algorithms.h>
38 #include <gnutls_cert.h>
51 extension_entry_st ext_mod_sig = {
61 };
64 {
65 /* TLS 1.2 signature algorithms */
70 /* generates a SignatureAndHashAlgorithm structure with length as prefix
71 * by using the setup priorities.
72 */
73 int
76 {
82 {
85 }
93 {
94 /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot
95 * use anything else.
96 */
101 aid =
109 aid->sign_algorithm, gnutls_sign_get_name(session->internals.priorities.sign_algo.priority[j]));
111 p++;
113 p++;
115 }
120 }
123 /* Parses the Signature Algorithm structure and stores data into
124 * session->security_parameters.extensions.
125 */
126 int
129 {
132 extension_priv_data_t epriv;
136 {
139 }
142 {
143 sign_algorithm_st aid;
155 {
163 }
164 }
171 }
173 /*
174 * In case of a server: if a SIGNATURE_ALGORITHMS extension type is
175 * received then it stores into the session security parameters the
176 * new value.
177 *
178 * In case of a client: If a signature_algorithms have been specified
179 * then it is an error;
180 */
182 static int
186 {
191 {
192 /* nothing for now */
194 /* Although TLS 1.2 mandates that we must not accept reply
195 * to this message, there are good reasons to just ignore it. Check
196 * http://www.ietf.org/mail-archive/web/tls/current/msg03880.html
197 */
198 /* return GNUTLS_E_UNEXPECTED_PACKET; */
199 }
200 else
201 {
202 /* SERVER SIDE - we must check if the sent cert type is the right one
203 */
205 {
214 {
217 }
218 }
219 }
222 }
224 /* returns data_size or a negative number on failure
225 */
226 static int
229 {
233 /* this function sends the client extension data */
236 {
238 {
239 ret =
242 {
245 }
247 }
248 }
250 /* if we are here it means we don't send the extension */
252 }
255 gnutls_sign_algorithm_t sign)
256 {
263 /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
265 {
268 }
269 else
270 {
273 }
275 }
278 }
280 /* Returns a requested by the peer signature algorithm that
281 * matches the given public key algorithm. Index can be increased
282 * to return the second choice etc.
283 */
284 gnutls_sign_algorithm_t
286 {
291 extension_priv_data_t epriv;
293 ret =
295 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
301 /* none set, allow SHA-1 only */
302 {
304 }
307 {
309 {
314 }
315 }
318 }
321 /* Check if the given signature algorithm is accepted by
322 * the peer. Returns 0 on success or a negative value
323 * on error.
324 */
325 int
327 gnutls_sign_algorithm_t sig)
328 {
333 extension_priv_data_t epriv;
336 {
338 }
340 ret =
342 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
345 {
347 /* extension not received allow SHA1 and SHA256 */
351 else
353 }
357 /* none set, allow all */
358 {
360 }
363 {
365 {
367 }
368 }
371 }
373 /* Check if the given signature algorithm is supported.
374 * This means that it is enabled by the priority functions,
375 * and in case of a server a matching certificate exists.
376 */
377 int
379 gnutls_sign_algorithm_t sig)
380 {
385 extension_priv_data_t epriv;
387 ret =
389 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
392 {
395 }
400 /* none set, allow all */
401 {
403 }
406 {
408 {
410 }
411 }
414 }
416 static void
418 {
420 }
422 static int
424 {
430 {
432 }
434 }
436 static int
439 {
442 extension_priv_data_t epriv;
446 {
449 }
453 {
455 }
462 error:
465 }
469 /**
470 * gnutls_sign_algorithm_get_requested:
471 * @session: is a #gnutls_session_t structure.
472 * @indx: is an index of the signature algorithm to return
473 * @algo: the returned certificate type will be stored there
474 *
475 * Returns the signature algorithm specified by index that was
476 * requested by the peer. If the specified index has no data available
477 * this function returns %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE. If
478 * the negotiated TLS version does not support signature algorithms
479 * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned even
480 * for the first index. The first index is 0.
481 *
482 * This function is useful in the certificate callback functions
483 * to assist in selecting the correct certificate.
484 *
485 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
486 * an error code is returned.
487 *
488 * Since: 2.10.0
489 **/
490 int
494 {
497 extension_priv_data_t epriv;
500 ret =
502 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
505 {
508 }
513 {
515 }
518 {
521 }
522 else
524 }