[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Nov 22 14:29:54 CET 2018 

Tom commented on a discussion on lib/ext/client_cert_type.c:

>  	uint8_t i = 0, num_cert_types = 0;
>  	priority_st* cert_priorities;
>  	gnutls_datum_t tmp_cert_types; // For type conversion
> -	uint8_t cert_types[GNUTLS_CRT_MAX]; // The list with supported cert types
> +	uint8_t cert_types[GNUTLS_CRT_MAX]; // The list with supported cert types. Inv: 0 <= cert type Id < 256
>  	const version_entry_st* vers = get_version(session);
>  
> -	/* Only activate this extension if cert type negotiation is enabled
> -	 * and we have cert credentials set */
> -	if (!_gnutls_has_negotiate_ctypes(session) ||
> -			_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)
> +	/* Only activate this extension if we have cert credentials set */
> +	if (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)

I was referring to a couple of discussions above this one ;-). The one where you first addressed this issue. I quote my reaction here:

> We discussed this in the comments above (from your first review). we concluded that these extensions would always be enabled and that other cert types would need to be explicitly enabled via init flags. That means that in this case raw public keys are only enabled when you pass the `ENABLE_RAWPK` flag. These extensions will only negotiate enabled cert types. In case only the default is enabled then these extensions will not send anything. This is default behaviour according to the spec.
We also agreed on removed the old flag to enable these extensions explicitly because this is not needed anymore when we explicitly enable cert types via their own dedicated flags.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_119373137
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181122/84067f5c/attachment.html>

More information about the Gnutls-devel mailing list