[gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 14 11:33:07 CEST 2019

Dmitry Eremin-Solenikov commented on a discussion on lib/tls-sig.c: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_169880482

>  		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
>  	gnutls_sign_algorithm_set_client(session, sign_algo);
> +	pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);

@nmav No, we can not change this part of the spec, as it will break backwards compatibility with existing implementations.
My initial implementation did the byteswap directly at `lib/tls-sig.c`. That way I did not have to change `gnutls_x509_spki_st`, did not add another flag, etc. But the code was local to `tls-sig.c`. Maybe that sounds better.

Note, this byteswap has to be done only for TLS VerifyCert signature. I do not know who and why have made this crazy decision. 

Regarding making LE change part of signature algorithm. I think this will require me to duplicate sig_alg entries, won't it?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_169880482
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190514/a8368c05/attachment.html>

More information about the Gnutls-devel mailing list