-rw-r--r-- | lib/algorithms/sign.c | 22 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 9 | ||||
-rw-r--r-- | lib/libgnutls.map | 1 |
3 files changed, 28 insertions, 4 deletions
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index 55be3d9bdc..062d926fcf 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c @@ -171,7 +171,19 @@ const char *gnutls_sign_get_name(gnutls_sign_algorithm_t algorithm) * * Returns: Non-zero if the provided signature algorithm is considered to be secure. **/ -int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) +unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) +{ + return gnutls_sign_is_secure2(algorithm, 0); +} + +/** + * gnutls_sign_is_secure2: + * @algorithm: is a sign algorithm + * @flags: zero or %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS + * + * Returns: Non-zero if the provided signature algorithm is considered to be secure. + **/ +unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags) { gnutls_sign_algorithm_t sign = algorithm; gnutls_digest_algorithm_t dig = GNUTLS_DIG_UNKNOWN; @@ -179,8 +191,12 @@ int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) /* avoid prefix */ GNUTLS_SIGN_ALG_LOOP(dig = p->hash); - if (dig != GNUTLS_DIG_UNKNOWN) - return _gnutls_digest_is_secure(hash_to_entry(dig)); + if (dig != GNUTLS_DIG_UNKNOWN) { + if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) + return _gnutls_digest_is_secure_for_certs(hash_to_entry(dig)); + else + return _gnutls_digest_is_secure(hash_to_entry(dig)); + } return 0; } diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 9bc89ca420..6c1012f175 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in 
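Review bot: The doc comment added for gnutls_sign_is_secure2() in the first sign.c hunk copies the `Returns:` line of gnutls_sign_is_secure() and never says what @flags changes. A caller vetting certificate signatures therefore cannot tell from the API docs that the flag-less call, which the new gnutls_sign_is_secure() body makes with `0`, answers a different question. I would add a description sentence such as `When %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS is set, the algorithm is judged for long-lived data such as certificates; with zero it is judged only for short-lived data such as a TLS session.` The same hunk changes the exported return type of gnutls_sign_is_secure() from `int` to `unsigned`, which deserves a line in the commit message because it alters a public prototype.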
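Review bot: In the second sign.c hunk, any bit in `flags` other than `GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS` is silently ignored. A caller that passes only a flag this build does not recognise lands in the `else` branch, and gets the `_gnutls_digest_is_secure()` answer as if no flag had been given. For a security predicate it is safer to fail closed on unrecognised bits, for example `if (flags & ~GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) return 0;` ahead of the digest lookup. If ignoring unknown bits is intended, the doc comment should say so. The function opens in the previous hunk and closes in this one.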
@@ -1010,7 +1010,14 @@ size_t size_t gnutls_mac_get_key_size(gnutls_mac_algorithm_t algorithm) __GNUTLS_CONST__; -int gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__; +unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__; + +/* It is possible that a signature algorithm is ok to use for short-lived + * data (e.g., to sign a TLS session), but not for data that are long-lived + * like certificates. This flag is about checking the security of the algorithm + * for long-lived data. */ +#define GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS 1 +unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags) __GNUTLS_CONST__; gnutls_digest_algorithm_t gnutls_sign_get_hash_algorithm(gnutls_sign_algorithm_t sign) __GNUTLS_CONST__; diff --git a/lib/libgnutls.map b/lib/libgnutls.map index e1152059f7..8121f40773 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1165,6 +1165,7 @@ GNUTLS_3_4 gnutls_privkey_sign_hash2; gnutls_privkey_sign_data2; gnutls_priority_set2; + gnutls_sign_is_secure2; local: *; }; |
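Review bot: `GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS` is defined as a bare `1` in the gnutls.h.in hunk, although sign.c tests it with `flags & ...`, so it is a bit in a mask rather than a mode value. Writing it as `#define GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS (1 << 0)` makes that explicit and keeps a later flag from being added as `2`, `3`, and so on by analogy. The comment above it would also read better attached to the prototype, for instance opening with `Flags for gnutls_sign_is_secure2():`, so the flag's scope is clear.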