|
Packit Service |
4684c1 |
/*
|
|
Packit Service |
4684c1 |
* Copyright (C) 2000-2012 Free Software Foundation, Inc.
|
|
Packit Service |
4684c1 |
* Copyright (C) 2017 Red Hat, Inc.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Author: Nikos Mavrogiannopoulos
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This file is part of GnuTLS.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit Service |
4684c1 |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit Service |
4684c1 |
* the License, or (at your option) any later version.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This library is distributed in the hope that it will be useful, but
|
|
Packit Service |
4684c1 |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
4684c1 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit Service |
4684c1 |
* Lesser General Public License for more details.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#ifndef GNUTLS_LIB_ALGORITHMS_H
|
|
Packit Service |
4684c1 |
#define GNUTLS_LIB_ALGORITHMS_H
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include "auth.h"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#ifdef DISABLE_SYSTEM_CONFIG
|
|
Packit Service |
4684c1 |
# define SYSTEM_CONFIG_OR_CONST const
|
|
Packit Service |
4684c1 |
#else
|
|
Packit Service |
4684c1 |
# define SYSTEM_CONFIG_OR_CONST
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define version_to_entry _gnutls_version_to_entry
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00
|
|
Packit Service |
4684c1 |
#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define GNUTLS_FALLBACK_SCSV_MAJOR 0x56
|
|
Packit Service |
4684c1 |
#define GNUTLS_FALLBACK_SCSV_MINOR 0x00
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define IS_GOSTEC(x) (((x)==GNUTLS_PK_GOST_01) || \
|
|
Packit Service |
4684c1 |
((x)==GNUTLS_PK_GOST_12_256)|| \
|
|
Packit Service |
4684c1 |
((x)==GNUTLS_PK_GOST_12_512))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)|| \
|
|
Packit Service |
4684c1 |
((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)|| \
|
|
Packit Service |
4684c1 |
((x)==GNUTLS_PK_ECDH_X448)||((x)==GNUTLS_PK_EDDSA_ED448))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define SIG_SEM_PRE_TLS12 (1<<1)
|
|
Packit Service |
4684c1 |
#define SIG_SEM_TLS13 (1<<2)
|
|
Packit Service |
4684c1 |
#define SIG_SEM_DEFAULT (SIG_SEM_PRE_TLS12|SIG_SEM_TLS13)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define TLS_SIGN_AID_UNKNOWN {{255, 255}, 0}
|
|
Packit Service |
4684c1 |
#define HAVE_UNKNOWN_SIGAID(aid) ((aid)->id[0] == 255 && (aid)->id[1] == 255)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define CS_INVALID_MAJOR 0x00
|
|
Packit Service |
4684c1 |
#define CS_INVALID_MINOR 0x00
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for version handling. */
|
|
Packit Service |
4684c1 |
const version_entry_st *version_to_entry(gnutls_protocol_t version);
|
|
Packit Service |
4684c1 |
const version_entry_st *nversion_to_entry(uint8_t major, uint8_t minor);
|
|
Packit Service |
4684c1 |
const version_entry_st *_gnutls_version_lowest(gnutls_session_t session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const version_entry_st *_gnutls_legacy_version_max(gnutls_session_t session);
|
|
Packit Service |
4684c1 |
const version_entry_st *_gnutls_version_max(gnutls_session_t session);
|
|
Packit Service |
4684c1 |
int _gnutls_version_priority(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_protocol_t version);
|
|
Packit Service |
4684c1 |
int _gnutls_nversion_is_supported(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned char major, unsigned char minor);
|
|
Packit Service |
4684c1 |
gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor);
|
|
Packit Service |
4684c1 |
unsigned _gnutls_version_is_too_high(gnutls_session_t session, uint8_t major, uint8_t minor);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t *buffer, ssize_t buffer_size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for feature checks */
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
_gnutls_figure_common_ciphersuite(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const ciphersuite_list_st *peer_clist,
|
|
Packit Service |
4684c1 |
const gnutls_cipher_suite_entry_st **ce);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int
|
|
Packit Service |
4684c1 |
_gnutls_version_has_selectable_prf(const version_entry_st * ver)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(ver == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return ver->selectable_prf;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int
|
|
Packit Service |
4684c1 |
_gnutls_version_has_selectable_sighash(const version_entry_st * ver)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(ver == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return ver->selectable_sighash;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static
|
|
Packit Service |
4684c1 |
int _gnutls_version_has_extensions(const version_entry_st * ver)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(ver == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return ver->extensions;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static
|
|
Packit Service |
4684c1 |
int _gnutls_version_has_explicit_iv(const version_entry_st * ver)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(ver == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return ver->explicit_iv;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for MACs. */
|
|
Packit Service |
4684c1 |
const mac_entry_st *_gnutls_mac_to_entry(gnutls_mac_algorithm_t c);
|
|
Packit Service |
4684c1 |
#define mac_to_entry(x) _gnutls_mac_to_entry(x)
|
|
Packit Service |
4684c1 |
#define hash_to_entry(x) mac_to_entry((gnutls_mac_algorithm_t)(x))
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_mac_is_ok(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL) || e->id == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_mac_get_algo_len:
|
|
Packit Service |
4684c1 |
* @algorithm: is an encryption algorithm
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get size of MAC key.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: length (in bytes) of the MAC output size, or 0 if the
|
|
Packit Service |
4684c1 |
* given MAC algorithm is invalid.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
inline static size_t _gnutls_mac_get_algo_len(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return e->output_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static const char *_gnutls_x509_mac_to_oid(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return e->oid;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static const char *_gnutls_mac_get_name(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return e->name;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_mac_block_size(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return e->block_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_mac_get_key_size(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return e->key_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for digests. */
|
|
Packit Service |
4684c1 |
#define _gnutls_x509_digest_to_oid _gnutls_x509_mac_to_oid
|
|
Packit Service |
4684c1 |
#define _gnutls_digest_get_name _gnutls_mac_get_name
|
|
Packit Service |
4684c1 |
#define _gnutls_hash_get_algo_len _gnutls_mac_get_algo_len
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Security against pre-image attacks */
|
|
Packit Service |
4684c1 |
inline static int _gnutls_digest_is_secure(const mac_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return !(e->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for cipher suites. */
|
|
Packit Service |
4684c1 |
int _gnutls_get_client_ciphersuites(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_buffer_st * cdata, const version_entry_st *minver,
|
|
Packit Service |
4684c1 |
unsigned add_scsv);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_supported_ciphersuites(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
uint8_t * cipher_suites,
|
|
Packit Service |
4684c1 |
unsigned int max_cipher_suite_size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_cipher_suite_entry_st
|
|
Packit Service |
4684c1 |
*cipher_suite_get(gnutls_kx_algorithm_t kx_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_cipher_algorithm_t cipher_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_mac_algorithm_t mac_algorithm);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const char *_gnutls_cipher_suite_get_name(const uint8_t suite[2]);
|
|
Packit Service |
4684c1 |
gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo(const uint8_t
|
|
Packit Service |
4684c1 |
suite[2]);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
_gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_cipher_algorithm_t cipher_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_mac_algorithm_t mac_algorithm,
|
|
Packit Service |
4684c1 |
uint8_t suite[2]);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_cipher_suite_entry_st *ciphersuite_to_entry(const uint8_t suite[2]);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for ciphers. */
|
|
Packit Service |
4684c1 |
const cipher_entry_st *_gnutls_cipher_to_entry(gnutls_cipher_algorithm_t c);
|
|
Packit Service |
4684c1 |
#define cipher_to_entry(x) _gnutls_cipher_to_entry(x)
|
|
Packit Service |
4684c1 |
const cipher_entry_st *cipher_name_to_entry(const char *name);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static cipher_type_t _gnutls_cipher_type(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return CIPHER_AEAD; /* doesn't matter */
|
|
Packit Service |
4684c1 |
return e->type;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_cipher_get_block_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->blocksize;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int
|
|
Packit Service |
4684c1 |
_gnutls_cipher_get_implicit_iv_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->implicit_iv;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int
|
|
Packit Service |
4684c1 |
_gnutls_cipher_get_iv_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->cipher_iv;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int
|
|
Packit Service |
4684c1 |
_gnutls_cipher_get_explicit_iv_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->explicit_iv;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_cipher_get_key_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->keysize;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static const char *_gnutls_cipher_get_name(const cipher_entry_st *
|
|
Packit Service |
4684c1 |
e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
return e->name;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_cipher_algo_is_aead(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return (e->type == CIPHER_AEAD)?1:0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_cipher_is_ok(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL) || e->id == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _gnutls_cipher_get_tag_size(const cipher_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
size_t ret = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* non-AEAD have 0 as tag size */
|
|
Packit Service |
4684c1 |
return e->tagsize;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for key exchange. */
|
|
Packit Service |
4684c1 |
bool _gnutls_kx_needs_dh_params(gnutls_kx_algorithm_t algorithm);
|
|
Packit Service |
4684c1 |
bool _gnutls_kx_allows_false_start(gnutls_session_t session);
|
|
Packit Service |
4684c1 |
mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm);
|
|
Packit Service |
4684c1 |
int _gnutls_kx_is_ok(gnutls_kx_algorithm_t algorithm);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_kx_get_id(const char *name);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_credentials_type_t _gnutls_map_kx_get_cred(gnutls_kx_algorithm_t
|
|
Packit Service |
4684c1 |
algorithm, int server);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* KX to PK mapping. */
|
|
Packit Service |
4684c1 |
unsigned
|
|
Packit Service |
4684c1 |
_gnutls_kx_supports_pk(gnutls_kx_algorithm_t kx_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t pk_algorithm);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned
|
|
Packit Service |
4684c1 |
_gnutls_kx_supports_pk_usage(gnutls_kx_algorithm_t kx_algorithm,
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t pk_algorithm,
|
|
Packit Service |
4684c1 |
unsigned key_usage);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
enum encipher_type { CIPHER_ENCRYPT = 0, CIPHER_SIGN = 1, CIPHER_IGN };
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm_t
|
|
Packit Service |
4684c1 |
kx_algorithm);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions for sign algorithms. */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
typedef enum hash_security_level_t {
|
|
Packit Service |
4684c1 |
_SECURE,
|
|
Packit Service |
4684c1 |
_INSECURE_FOR_CERTS,
|
|
Packit Service |
4684c1 |
_INSECURE
|
|
Packit Service |
4684c1 |
} hash_security_level_t;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_ecc_curve_mark_disabled(const char *name);
|
|
Packit Service |
4684c1 |
int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
|
|
Packit Service |
4684c1 |
int _gnutls_digest_mark_insecure(const char *name);
|
|
Packit Service |
4684c1 |
unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
|
|
Packit Service |
4684c1 |
int _gnutls_version_mark_disabled(const char *name);
|
|
Packit Service |
4684c1 |
gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */
|
|
Packit Service |
4684c1 |
#define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
|
|
Packit Service |
4684c1 |
struct gnutls_sign_entry_st {
|
|
Packit Service |
4684c1 |
const char *name;
|
|
Packit Service |
4684c1 |
const char *oid;
|
|
Packit Service |
4684c1 |
gnutls_sign_algorithm_t id;
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t pk;
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t hash;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* if non-zero it must be the algorithm of the
|
|
Packit Service |
4684c1 |
* private key used or certificate. This is for algorithms
|
|
Packit Service |
4684c1 |
* which can have a different public key type than the
|
|
Packit Service |
4684c1 |
* private key (e.g., RSA PKCS#1 1.5 certificate, but
|
|
Packit Service |
4684c1 |
* an RSA-PSS private key, or an RSA private key and
|
|
Packit Service |
4684c1 |
* an RSA-PSS certificate). */
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t priv_pk;
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t cert_pk;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned flags;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* if this signature algorithm is restricted to a curve
|
|
Packit Service |
4684c1 |
* under TLS 1.3. */
|
|
Packit Service |
4684c1 |
gnutls_ecc_curve_t curve;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* See RFC 5246 HashAlgorithm and SignatureAlgorithm
|
|
Packit Service |
4684c1 |
for values to use in aid struct. */
|
|
Packit Service |
4684c1 |
const sign_algorithm_st aid;
|
|
Packit Service |
4684c1 |
hash_security_level_t slevel; /* contains values of hash_security_level_t */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* 0 if it matches the predefined hash output size, otherwise
|
|
Packit Service |
4684c1 |
* it is truncated or expanded (with XOF) */
|
|
Packit Service |
4684c1 |
unsigned hash_output_size;
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
typedef struct gnutls_sign_entry_st gnutls_sign_entry_st;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *_gnutls_sign_to_entry(gnutls_sign_algorithm_t sign);
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash);
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *_gnutls_oid_to_sign_entry(const char *oid);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* returns true if that signature can be generated
|
|
Packit Service |
4684c1 |
* from the given private key algorithm. */
|
|
Packit Service |
4684c1 |
inline static unsigned
|
|
Packit Service |
4684c1 |
sign_supports_priv_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pk == se->pk || (se->priv_pk && se->priv_pk == pk))
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* returns true if that signature can be verified with
|
|
Packit Service |
4684c1 |
* the given public key algorithm. */
|
|
Packit Service |
4684c1 |
inline static unsigned
|
|
Packit Service |
4684c1 |
sign_supports_cert_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if ((!se->cert_pk && pk == se->pk) || (se->cert_pk && se->cert_pk == pk))
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t _gnutls_x509_sign_to_pk(gnutls_sign_algorithm_t
|
|
Packit Service |
4684c1 |
sign);
|
|
Packit Service |
4684c1 |
const char *_gnutls_x509_sign_to_oid(gnutls_pk_algorithm_t,
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t mac);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *
|
|
Packit Service |
4684c1 |
_gnutls_tls_aid_to_sign_entry(uint8_t id0, uint8_t id1, const version_entry_st *ver);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_sign_algorithm_t
|
|
Packit Service |
4684c1 |
_gnutls_tls_aid_to_sign(uint8_t id0, uint8_t id1, const version_entry_st *ver);
|
|
Packit Service |
4684c1 |
const sign_algorithm_st *_gnutls_sign_to_tls_aid(gnutls_sign_algorithm_t
|
|
Packit Service |
4684c1 |
sign);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *
|
|
Packit Service |
4684c1 |
_gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned int _gnutls_pk_bits_to_subgroup_bits(unsigned int pk_bits);
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t _gnutls_pk_bits_to_sha_hash(unsigned int pk_bits);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t _gnutls_hash_size_to_sha_hash(unsigned int size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
bool _gnutls_pk_is_not_prehashed(gnutls_pk_algorithm_t algorithm);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* ECC */
|
|
Packit Service |
4684c1 |
typedef struct gnutls_ecc_curve_entry_st {
|
|
Packit Service |
4684c1 |
const char *name;
|
|
Packit Service |
4684c1 |
const char *oid;
|
|
Packit Service |
4684c1 |
gnutls_ecc_curve_t id;
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t pk;
|
|
Packit Service |
4684c1 |
unsigned size; /* the size in bytes */
|
|
Packit Service |
4684c1 |
unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */
|
|
Packit Service |
4684c1 |
unsigned gost_curve;
|
|
Packit Service |
4684c1 |
bool supported;
|
|
Packit Service |
4684c1 |
gnutls_group_t group;
|
|
Packit Service |
4684c1 |
} gnutls_ecc_curve_entry_st;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
const gnutls_ecc_curve_entry_st
|
|
Packit Service |
4684c1 |
*_gnutls_ecc_curve_get_params(gnutls_ecc_curve_t curve);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned _gnutls_ecc_curve_is_supported(gnutls_ecc_curve_t);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
|
|
Packit Service |
4684c1 |
#define MAX_ECC_CURVE_SIZE 66
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t _gnutls_oid_to_pk_and_curve(const char *oid, gnutls_ecc_curve_t *curve);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int _curve_is_eddsa(const gnutls_ecc_curve_entry_st * e)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (unlikely(e == NULL))
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
if (e->pk == GNUTLS_PK_EDDSA_ED25519 ||
|
|
Packit Service |
4684c1 |
e->pk == GNUTLS_PK_EDDSA_ED448)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static int curve_is_eddsa(gnutls_ecc_curve_t id)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const gnutls_ecc_curve_entry_st *e = _gnutls_ecc_curve_get_params(id);
|
|
Packit Service |
4684c1 |
return _curve_is_eddsa(e);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline int _gnutls_kx_is_ecc(gnutls_kx_algorithm_t kx)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA ||
|
|
Packit Service |
4684c1 |
kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline int _gnutls_kx_is_psk(gnutls_kx_algorithm_t kx)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK ||
|
|
Packit Service |
4684c1 |
kx == GNUTLS_KX_ECDHE_PSK || kx == GNUTLS_KX_RSA_PSK)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline int _gnutls_kx_is_dhe(gnutls_kx_algorithm_t kx)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS ||
|
|
Packit Service |
4684c1 |
kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline unsigned _gnutls_kx_is_vko_gost(gnutls_kx_algorithm_t kx)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (kx == GNUTLS_KX_VKO_GOST_12)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline bool
|
|
Packit Service |
4684c1 |
_sign_is_gost(const gnutls_sign_entry_st *se)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_pk_algorithm_t pk = se->pk;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return (pk == GNUTLS_PK_GOST_01) ||
|
|
Packit Service |
4684c1 |
(pk == GNUTLS_PK_GOST_12_256) ||
|
|
Packit Service |
4684c1 |
(pk == GNUTLS_PK_GOST_12_512);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static inline int _sig_is_ecdsa(gnutls_sign_algorithm_t sig)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (sig == GNUTLS_SIGN_ECDSA_SHA1 || sig == GNUTLS_SIGN_ECDSA_SHA224 ||
|
|
Packit Service |
4684c1 |
sig == GNUTLS_SIGN_ECDSA_SHA256 || sig == GNUTLS_SIGN_ECDSA_SHA384 ||
|
|
Packit Service |
4684c1 |
sig == GNUTLS_SIGN_ECDSA_SHA512)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
bool _gnutls_pk_are_compat(gnutls_pk_algorithm_t pk1, gnutls_pk_algorithm_t pk2);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned _gnutls_sign_get_hash_strength(gnutls_sign_algorithm_t sign);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#endif /* GNUTLS_LIB_ALGORITHMS_H */
|