diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-08-20 19:20:12 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-08-20 19:20:12 +0000 |
commit | a46e3d3a3aab8957934b949d05177ed1503b5f5e (patch) | |
tree | 0b9d13b9ad394477d566f01ba8e279c33711cc7c /lib/auth/rsa.c | |
parent | a42db538c3f01aa76e2c1a2affc39237840c2522 (diff) | |
parent | 07180a416731749883234f931ac18831ff38abbb (diff) | |
download | gnutls-a46e3d3a3aab8957934b949d05177ed1503b5f5e.tar.gz |
Merge branch 'rfc7250_cert-types' into 'master'
RFC7250 certificate type negotiation
See merge request gnutls/gnutls!498
Diffstat (limited to 'lib/auth/rsa.c')
-rw-r--r-- | lib/auth/rsa.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c index f2e36bbe22..6afc91ae67 100644 --- a/lib/auth/rsa.c +++ b/lib/auth/rsa.c @@ -82,6 +82,18 @@ int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage) } /* This function reads the RSA parameters from peer's certificate; + * + * IMPORTANT: + * Currently this function gets only called on the client side + * during generation of the client kx msg. This function + * retrieves the RSA params from the peer's certificate. That is in + * this case the server's certificate. As of GNUTLS version 3.6.4 it is + * possible to negotiate different certificate types for client and + * server. Therefore the correct cert type needs to be retrieved to be + * used for the _gnutls_get_auth_info_pcert call. If this + * function is to be called on the server side in the future, extra + * checks need to be build in order to retrieve te correct + * certificate type. */ int _gnutls_get_public_rsa_params(gnutls_session_t session, @@ -91,6 +103,9 @@ _gnutls_get_public_rsa_params(gnutls_session_t session, cert_auth_info_t info; unsigned key_usage; gnutls_pcert_st peer_cert; + gnutls_certificate_type_t cert_type; + + assert(!IS_SERVER(session)); /* normal non export case */ @@ -101,10 +116,10 @@ _gnutls_get_public_rsa_params(gnutls_session_t session, return GNUTLS_E_INTERNAL_ERROR; } - ret = - _gnutls_get_auth_info_pcert(&peer_cert, - session->security_parameters. - cert_type, info); + // Get the negotiated server certificate type + cert_type = gnutls_certificate_type_get2(session, GNUTLS_CTYPE_SERVER); + + ret = _gnutls_get_auth_info_pcert(&peer_cert, cert_type, info); if (ret < 0) { gnutls_assert(); |