| blob | edfb386cf187c2c4999c0973421becd7ace705a9 |
1 /*
2 * Copyright (C) 2002,2003,2004,2005,2009,2010,2011 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
26 /* This file contains the code the Certificate Type TLS extension.
27 * This extension is currently gnutls specific.
28 */
33 #include <ext_signature.h>
34 #include <gnutls_state.h>
35 #include <gnutls_num.h>
36 #include <gnutls_algorithms.h>
38 #include <gnutls_cert.h>
51 extension_entry_st ext_mod_sig = {
61 };
64 {
65 /* TLS 1.2 signature algorithms */
70 /* generates a SignatureAndHashAlgorithm structure with length as prefix
71 * by using the setup priorities.
72 */
73 int
76 {
82 {
85 }
93 {
94 /* In gnutls we keep a state of SHA1 and SHA256 and thus cannot
95 * use anything else.
96 */
101 aid =
109 aid->sign_algorithm, gnutls_sign_get_name(session->internals.priorities.sign_algo.priority[j]));
111 p++;
113 p++;
115 }
120 }
123 /* Parses the Signature Algorithm structure and stores data into
124 * session->security_parameters.extensions.
125 */
126 int
129 {
132 extension_priv_data_t epriv;
136 {
139 }
142 {
143 sign_algorithm_st aid;
154 {
158 }
159 }
166 }
168 /*
169 * In case of a server: if a SIGNATURE_ALGORITHMS extension type is
170 * received then it stores into the session security parameters the
171 * new value.
172 *
173 * In case of a client: If a signature_algorithms have been specified
174 * then it is an error;
175 */
177 static int
181 {
186 {
187 /* nothing for now */
189 /* Although TLS 1.2 mandates that we must not accept reply
190 * to this message, there are good reasons to just ignore it. Check
191 * http://www.ietf.org/mail-archive/web/tls/current/msg03880.html
192 */
193 /* return GNUTLS_E_UNEXPECTED_PACKET; */
194 }
195 else
196 {
197 /* SERVER SIDE - we must check if the sent cert type is the right one
198 */
200 {
209 {
212 }
213 }
214 }
217 }
219 /* returns data_size or a negative number on failure
220 */
221 static int
224 {
228 /* this function sends the client extension data */
231 {
233 {
234 ret =
237 {
240 }
242 }
243 }
245 /* if we are here it means we don't send the extension */
247 }
250 gnutls_sign_algorithm_t sign)
251 {
256 /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
258 {
261 }
262 else
263 {
266 }
268 }
271 }
273 /* Returns a requested by the peer signature algorithm that
274 * matches the given public key algorithm. Index can be increased
275 * to return the second choice etc.
276 */
277 gnutls_sign_algorithm_t
279 {
284 extension_priv_data_t epriv;
286 ret =
288 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
294 /* none set, allow SHA-1 only */
295 {
297 }
300 {
302 {
307 }
308 }
311 }
314 /* Check if the given signature algorithm is accepted by
315 * the peer. Returns 0 on success or a negative value
316 * on error.
317 */
318 int
320 gnutls_sign_algorithm_t sig)
321 {
326 extension_priv_data_t epriv;
329 {
331 }
333 ret =
335 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
338 {
340 /* extension not received allow SHA1 and SHA256 */
344 else
346 }
350 /* none set, allow all */
351 {
353 }
356 {
358 {
360 }
361 }
364 }
366 /* Check if the given signature algorithm is supported.
367 * This means that it is enabled by the priority functions,
368 * and in case of a server a matching certificate exists.
369 */
370 int
372 gnutls_sign_algorithm_t sig)
373 {
378 extension_priv_data_t epriv;
380 ret =
382 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
385 {
388 }
393 /* none set, allow all */
394 {
396 }
399 {
401 {
403 }
404 }
407 }
409 static void
411 {
413 }
415 static int
417 {
423 {
425 }
427 }
429 static int
432 {
435 extension_priv_data_t epriv;
439 {
442 }
446 {
448 }
455 error:
458 }
462 /**
463 * gnutls_sign_algorithm_get_requested:
464 * @session: is a #gnutls_session_t structure.
465 * @indx: is an index of the signature algorithm to return
466 * @algo: the returned certificate type will be stored there
467 *
468 * Returns the signature algorithm specified by index that was
469 * requested by the peer. If the specified index has no data available
470 * this function returns %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE. If
471 * the negotiated TLS version does not support signature algorithms
472 * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned even
473 * for the first index. The first index is 0.
474 *
475 * This function is useful in the certificate callback functions
476 * to assist in selecting the correct certificate.
477 *
478 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
479 * an error code is returned.
480 *
481 * Since: 2.10.0
482 **/
483 int
487 {
490 extension_priv_data_t epriv;
493 ret =
495 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
498 {
501 }
506 {
508 }
511 {
514 }
515 else
517 }