diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-10 16:43:51 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:33 +0100 |
| commit | be73ba13e61a04d992a06e80faab2c1340278ccb (patch) | |
| tree | e21c21569a28b06242c24aacc206e2ec888b073f /lib/priority.c | |
| parent | f544bc3e0d272b69171ca917ba1b80c44cf5d706 (diff) | |
| download | gnutls-be73ba13e61a04d992a06e80faab2c1340278ccb.tar.gz | |
ext/signature: added TLS 1.3 signature algorithm negotiation
That patch adds the signature algorithms:
- GNUTLS_SIGN_ECDSA_SECP256R1_SHA256
- GNUTLS_SIGN_ECDSA_SECP384R1_SHA384
- GNUTLS_SIGN_ECDSA_SECP521R1_SHA512
and enables them for the default TLS priority strings.
In addition it allows negotiating signature algorithms sharing
the same TLS IDs, but which have different semantics between TLS
versions (e.g., 6,4 maps to GNUTLS_SIGN_ECDSA_SHA512 under TLS 1.2
but to GNUTLS_SIGN_ECDSA_SECP521R1_SHA512 under TLS 1.3).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/priority.c')
| -rw-r--r-- | lib/priority.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/priority.c b/lib/priority.c index 5a00c3aa7d..f8135aa7c0 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -367,15 +367,16 @@ static const int* cipher_priority_secure192 = _cipher_priority_secure192; static const int _sign_priority_default[] = { GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_ECDSA_SHA256, + GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_RSA_SHA384, GNUTLS_SIGN_ECDSA_SHA384, + GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, GNUTLS_SIGN_RSA_SHA512, - GNUTLS_SIGN_ECDSA_SHA512, - GNUTLS_SIGN_RSA_SHA224, - GNUTLS_SIGN_ECDSA_SHA224, + GNUTLS_SIGN_ECDSA_SHA512, + GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, GNUTLS_SIGN_RSA_SHA1, GNUTLS_SIGN_ECDSA_SHA1, @@ -392,13 +393,16 @@ static const int* sign_priority_default = _sign_priority_default; static const int _sign_priority_suiteb128[] = { GNUTLS_SIGN_ECDSA_SHA256, + GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_ECDSA_SHA384, + GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, 0 }; static const int* sign_priority_suiteb128 = _sign_priority_suiteb128; static const int _sign_priority_suiteb192[] = { GNUTLS_SIGN_ECDSA_SHA384, + GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, 0 }; static const int* sign_priority_suiteb192 = _sign_priority_suiteb192; @@ -406,10 +410,13 @@ static const int* sign_priority_suiteb192 = _sign_priority_suiteb192; static const int _sign_priority_secure128[] = { GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_ECDSA_SHA256, + GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_RSA_SHA384, GNUTLS_SIGN_ECDSA_SHA384, + GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, GNUTLS_SIGN_RSA_SHA512, GNUTLS_SIGN_ECDSA_SHA512, + GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, /* added on the final position for compatibility purposes */ GNUTLS_SIGN_RSA_PSS_SHA256, @@ -424,8 +431,10 @@ static const int* sign_priority_secure128 = _sign_priority_secure128; static const int _sign_priority_secure192[] = { GNUTLS_SIGN_RSA_SHA384, GNUTLS_SIGN_ECDSA_SHA384, + GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, GNUTLS_SIGN_RSA_SHA512, GNUTLS_SIGN_ECDSA_SHA512, + GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, /* added on the final position for compatibility purposes */ GNUTLS_SIGN_RSA_PSS_SHA384, |