[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_7-33-g4d5f721
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_7-33-g4d5f721 |
|
Date: |
Sun, 01 Nov 2009 09:41:28 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=4d5f721b3735743a60e9e6af6a605d9ce4c9e6c3
The branch, master has been updated
via 4d5f721b3735743a60e9e6af6a605d9ce4c9e6c3 (commit)
from 6773d2ddb01d86fa283ce154b419e989916ab3f7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4d5f721b3735743a60e9e6af6a605d9ce4c9e6c3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Nov 1 11:19:23 2009 +0200
Final touch on signature algorithms in TLS 1.2 support. Added function
gnutls_session_sign_algorithm_get_requested()
for callbacks to be able to verify they return a correct certificate as
well as documentation for its usage.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +
doc/examples/ex-cert-select.c | 38 ++++++++++++++++
doc/gnutls.texi | 5 ++
lib/auth_cert.c | 19 ++++++---
lib/ext_cert_type.c | 1 +
lib/ext_cert_type.h | 1 +
lib/ext_signature.c | 92 ++++++++++++++++++++++++++++++++++-----
lib/ext_signature.h | 12 +++--
lib/gnutls_alert.c | 1 +
lib/gnutls_sig.c | 2 +-
lib/gnutls_state.c | 54 -----------------------
lib/gnutls_state.h | 2 -
lib/includes/gnutls/gnutls.h.in | 3 +
lib/libgnutls.map | 1 +
src/cli.c | 36 +++++++++++++++
15 files changed, 191 insertions(+), 79 deletions(-)
diff --git a/NEWS b/NEWS
index 644c2e9..fcda3d1 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
* Version 2.9.8 (unreleased)
+** libgnutls: addition of support for TLS 1.2 signature algorithms
+extension and certificate verify field.
+
** libgnutls: In server side when resuming a session do not overwrite the
initial session data with the resumed session data.
diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c
index 5e422a0..714bdfe 100644
--- a/doc/examples/ex-cert-select.c
+++ b/doc/examples/ex-cert-select.c
@@ -259,6 +259,44 @@ cert_callback (gnutls_session_t session,
type = gnutls_certificate_type_get (session);
if (type == GNUTLS_CRT_X509)
{
+ /* check if the certificate we are sending is signed
+ * with an algorithm that the server accepts */
+ gnutls_sign_algorithm_t cert_algo, req_algo;
+ int i, match = 0;
+
+ ret = gnutls_x509_crt_get_signature_algorithm(crt);
+ if (ret < 0)
+ {
+ /* error reading signature algorithm
+ */
+ return -1;
+ }
+ cert_algo = ret;
+
+ i=0;
+ do {
+ ret = gnutls_session_sign_algorithm_get_requested(session, i,
&req_algo);
+ if (ret >= 0 && cert_algo == req_algo)
+ {
+ match = 1;
+ break;
+ }
+
+ /* server has not requested anything specific */
+ if (i==0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ {
+ match = 1;
+ break;
+ }
+ i++;
+ } while(ret >= 0);
+
+ if (match == 0)
+ {
+ printf("- Could not find a suitable certificate to send to
server\n");
+ return -1;
+ }
+
st->type = type;
st->ncerts = 1;
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 5f168c5..422be26 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -1314,6 +1314,11 @@ callback can be set using the functions:
@end itemize
+Clients and servers that will select certificates using callback
+functions should select a certificate according the peer's signature
+algorithm preferences. To get those preferences use
address@hidden
+
Certificate verification is possible by loading the trusted
authorities into the credentials structure by using
@ref{gnutls_certificate_set_x509_trust_file} or
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 3affa32..5bd767e 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1028,7 +1028,7 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
}
/* check if signature algorithm is supported */
- ret = _gnutls_session_sign_algo_supported(session,
peer_certificate_list[j].sign_algo, 0);
+ ret = _gnutls_session_sign_algo_enabled(session,
peer_certificate_list[j].sign_algo);
if (ret < 0)
{
gnutls_assert();
@@ -1369,7 +1369,7 @@ _gnutls_proc_cert_cert_req (gnutls_session_t session,
opaque * data,
p += 2;
DECR_LEN (dsize, hash_num);
- ret = _gnutls_sign_algo_parse_data( session, p, hash_num);
+ ret = _gnutls_sign_algorithm_parse_data( session, p, hash_num);
if (ret < 0)
{
gnutls_assert();
@@ -1471,8 +1471,8 @@ _gnutls_gen_cert_client_cert_vrfy (gnutls_session_t
session, opaque ** data)
if (_gnutls_version_has_selectable_sighash(ver))
{
/* error checking is not needed here since we have used those algorithms
*/
- p[0] =
_gnutls_sign_algo_hash2num(_gnutls_sign_get_hash_algorithm(sign_algo));
- p[1] =
_gnutls_sign_algo_pk2num(_gnutls_sign_get_pk_algorithm(sign_algo));
+ p[0] =
_gnutls_sign_algorithm_hash2num(_gnutls_sign_get_hash_algorithm(sign_algo));
+ p[1] =
_gnutls_sign_algorithm_pk2num(_gnutls_sign_get_pk_algorithm(sign_algo));
p+=2;
}
@@ -1510,7 +1510,7 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
if (_gnutls_version_has_selectable_sighash(ver))
{
DECR_LEN (dsize, 2);
- sign_algo = _gnutls_sign_algo_num2sig (pdata[0], pdata[1]);
+ sign_algo = _gnutls_sign_algorithm_num2sig (pdata[0], pdata[1]);
if (sign_algo == GNUTLS_PK_UNKNOWN)
{
gnutls_assert();
@@ -1519,6 +1519,13 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
pdata+=2;
}
+ ret = _gnutls_session_sign_algo_enabled (session, sign_algo);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ }
+
DECR_LEN (dsize, 2);
size = _gnutls_read_uint16 (pdata);
pdata += 2;
@@ -1601,7 +1608,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, opaque ** data)
if (_gnutls_version_has_selectable_sighash(ver))
{
- ret = _gnutls_sign_algo_write_params(session, pdata, signalgosize);
+ ret = _gnutls_sign_algorithm_write_params(session, pdata, signalgosize);
if (ret < 0)
{
gnutls_assert();
diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c
index c5a5a35..60fd2a0 100644
--- a/lib/ext_cert_type.c
+++ b/lib/ext_cert_type.c
@@ -242,3 +242,4 @@ _gnutls_cert_type2num (int cert_type)
}
}
+
diff --git a/lib/ext_cert_type.h b/lib/ext_cert_type.h
index ea7cf21..8c99a51 100644
--- a/lib/ext_cert_type.h
+++ b/lib/ext_cert_type.h
@@ -29,3 +29,4 @@ int _gnutls_cert_type_recv_params (gnutls_session_t session,
const opaque * data, size_t data_size);
int _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data,
size_t);
+
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index 5231174..828c006 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -34,7 +34,7 @@
#include <gnutls_num.h>
#include <gnutls_algorithms.h>
-int _gnutls_sign_algo_pk2num (gnutls_pk_algorithm_t pk)
+int _gnutls_sign_algorithm_pk2num (gnutls_pk_algorithm_t pk)
{
switch (pk)
{
@@ -48,7 +48,7 @@ int _gnutls_sign_algo_pk2num (gnutls_pk_algorithm_t pk)
}
}
-int _gnutls_sign_algo_hash2num (gnutls_digest_algorithm_t hash)
+int _gnutls_sign_algorithm_hash2num (gnutls_digest_algorithm_t hash)
{
switch (hash)
{
@@ -71,7 +71,7 @@ int _gnutls_sign_algo_hash2num (gnutls_digest_algorithm_t
hash)
}
gnutls_sign_algorithm_t
-_gnutls_sign_algo_num2sig (int hash, int sig)
+_gnutls_sign_algorithm_num2sig (int hash, int sig)
{
if (sig == 1) /* rsa */
{
@@ -109,7 +109,7 @@ _gnutls_sign_algo_num2sig (int hash, int sig)
/* generates a SignatureAndHashAlgorithm structure with length as prefix
* by using the setup priorities.
*/
-int _gnutls_sign_algo_write_params(gnutls_session_t session, opaque *data,
size_t max_data_size)
+int _gnutls_sign_algorithm_write_params(gnutls_session_t session, opaque
*data, size_t max_data_size)
{
opaque* p = data;
int len, i ,j;
@@ -144,7 +144,7 @@ int ret, hash, pk;
gnutls_assert ();
return GNUTLS_E_INTERNAL_ERROR;
}
- ret = _gnutls_sign_algo_hash2num (hash);
+ ret = _gnutls_sign_algorithm_hash2num (hash);
if (ret < 0)
{
gnutls_assert ();
@@ -153,7 +153,7 @@ int ret, hash, pk;
*p = ret;
p++;
- ret = _gnutls_sign_algo_pk2num (pk);
+ ret = _gnutls_sign_algorithm_pk2num (pk);
if (ret < 0)
{
gnutls_assert ();
@@ -171,7 +171,7 @@ int ret, hash, pk;
* session->security_parameters.extensions.
*/
int
-_gnutls_sign_algo_parse_data (gnutls_session_t session, const opaque * data,
+_gnutls_sign_algorithm_parse_data (gnutls_session_t session, const opaque *
data,
size_t data_size)
{
int sig, i;
@@ -180,7 +180,7 @@ _gnutls_sign_algo_parse_data (gnutls_session_t session,
const opaque * data,
for (i = 0; i < data_size; i += 2)
{
- sig = _gnutls_sign_algo_num2sig (data[i], data[i + 1]);
+ sig = _gnutls_sign_algorithm_num2sig (data[i], data[i + 1]);
if (sig != GNUTLS_SIGN_UNKNOWN)
{
session->security_parameters.extensions.sign_algorithms[session->
@@ -210,6 +210,7 @@ _gnutls_signature_algorithm_recv_params (gnutls_session_t
session,
size_t _data_size)
{
ssize_t data_size = _data_size;
+ int ret;
if (session->security_parameters.entity == GNUTLS_CLIENT)
{
@@ -230,8 +231,12 @@ _gnutls_signature_algorithm_recv_params (gnutls_session_t
session,
len = _gnutls_read_uint16 (data);
DECR_LEN (data_size, len);
- _gnutls_sign_algo_parse_data (session, data + 2, len);
-
+ ret = _gnutls_sign_algorithm_parse_data (session, data + 2, len);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ return ret;
+ }
}
}
@@ -254,7 +259,7 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t
session,
if (session->internals.priorities.sign_algo.algorithms > 0)
{
- ret = _gnutls_sign_algo_write_params(session, data, data_size);
+ ret = _gnutls_sign_algorithm_write_params(session, data, data_size);
if (ret < 0)
{
gnutls_assert();
@@ -330,3 +335,68 @@ _gnutls_session_sign_algo_requested (gnutls_session_t
session,
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
}
+
+/* Check if the given signature algorithm is supported.
+ * This means that it is enabled by the priority functions,
+ * and in case of a server a matching certificate exists.
+ */
+int
+_gnutls_session_sign_algo_enabled (gnutls_session_t session,
+ gnutls_sign_algorithm_t sig)
+{
+ unsigned i;
+ gnutls_protocol_t ver = gnutls_protocol_get_version (session);
+
+ if (!_gnutls_version_has_selectable_sighash (ver) ||
session->security_parameters.extensions.sign_algorithms_size == 0) /*
none set, allow all */
+ {
+ return 0;
+ }
+
+ for (i = 0; i < session->internals.priorities.sign_algo.algorithms; i++)
+ {
+ if (session->internals.priorities.sign_algo.priority[i] == sig)
+ {
+ return 0; /* ok */
+ }
+ }
+
+ return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
+}
+
+/**
+ * gnutls_session_sign_algorithm_get - Returns the signature algorithms
requested by peer
+ * @session: is a #gnutls_session_t structure.
+ * @indx: is an index of the signature algorithm to return
+ * @algo: the returned certificate type will be stored there
+ *
+ * Returns the signature algorithm specified by index that was requested
+ * by the peer. If the specified index has no data available
+ * this function returns %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
+ * If the negotiated TLS version does not support signature algorithms
+ * then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned even
+ * for the first index.
+ *
+ * This function is usefull in the certificate callback functions
+ * to assist in selecting the correct certificate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
+ * an error code is returned.
+ **/
+int gnutls_session_sign_algorithm_get_requested (gnutls_session_t session,
+ int indx, gnutls_sign_algorithm_t *algo)
+{
+ gnutls_protocol_t ver = gnutls_protocol_get_version (session);
+
+ if (!_gnutls_version_has_selectable_sighash (ver) ||
session->security_parameters.extensions.sign_algorithms_size == 0)
+ {
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ if (indx < session->security_parameters.extensions.sign_algorithms_size)
+ {
+ *algo = session->security_parameters.extensions.sign_algorithms[indx];
+ return 0;
+ }
+ else
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+}
diff --git a/lib/ext_signature.h b/lib/ext_signature.h
index 46b6154..f3fb53f 100644
--- a/lib/ext_signature.h
+++ b/lib/ext_signature.h
@@ -31,8 +31,10 @@ int _gnutls_signature_algorithm_send_params
(gnutls_session_t session, opaque *
int _gnutls_session_sign_algo_requested (gnutls_session_t session,
gnutls_sign_algorithm_t sig);
gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t
session, gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t *hash);
-int _gnutls_sign_algo_parse_data(gnutls_session_t session, const opaque* data,
size_t data_size);
-int _gnutls_sign_algo_write_params(gnutls_session_t session, opaque *data,
size_t max_data_size);
-int _gnutls_sign_algo_pk2num (gnutls_pk_algorithm_t pk);
-int _gnutls_sign_algo_hash2num (gnutls_digest_algorithm_t hash);
-gnutls_sign_algorithm_t _gnutls_sign_algo_num2sig (int hash, int sig);
+int _gnutls_sign_algorithm_parse_data(gnutls_session_t session, const opaque*
data, size_t data_size);
+int _gnutls_sign_algorithm_write_params(gnutls_session_t session, opaque
*data, size_t max_data_size);
+int _gnutls_sign_algorithm_pk2num (gnutls_pk_algorithm_t pk);
+int _gnutls_sign_algorithm_hash2num (gnutls_digest_algorithm_t hash);
+gnutls_sign_algorithm_t _gnutls_sign_algorithm_num2sig (int hash, int sig);
+int _gnutls_session_sign_algo_enabled (gnutls_session_t session,
+ gnutls_sign_algorithm_t sig);
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 5ee80bb..0bb90a1 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -199,6 +199,7 @@ gnutls_error_to_alert (int err, int *level)
case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
case GNUTLS_E_NO_CIPHER_SUITES:
case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
+ case GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM:
ret = GNUTLS_A_HANDSHAKE_FAILURE;
_level = GNUTLS_AL_FATAL;
break;
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 76e1f6d..3a8b14d 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -392,7 +392,7 @@ _gnutls_verify_sig_params (gnutls_session_t session,
gnutls_cert * cert,
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
gnutls_digest_algorithm_t hash_algo = GNUTLS_DIG_SHA1;
- ret = _gnutls_session_sign_algo_supported(session, algo, 0);
+ ret = _gnutls_session_sign_algo_enabled(session, algo);
if (ret < 0)
{
gnutls_assert();
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 912cc60..3ecca89 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -189,60 +189,6 @@ _gnutls_session_cert_type_supported (gnutls_session_t
session,
return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
}
-/* Check if the given signature algorithm is supported.
- * This means that it is enabled by the priority functions,
- * and in case of a server a matching certificate exists.
- */
-int
-_gnutls_session_sign_algo_supported (gnutls_session_t session,
- gnutls_sign_algorithm_t sig, int
check_certs)
-{
- unsigned i;
- unsigned cert_found = 0;
- gnutls_certificate_credentials_t cred;
-
- if (check_certs != 0 && session->security_parameters.entity == GNUTLS_SERVER)
- {
- cred = (gnutls_certificate_credentials_t)
- _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
-
- if (cred == NULL)
- return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-
- if (cred->server_get_cert_callback == NULL)
- {
- for (i = 0; i < cred->ncerts; i++)
- {
- if (cred->cert_list[i][0].sign_algo == sig)
- {
- cert_found = 1;
- break;
- }
- }
-
- if (cert_found == 0)
- /* no certificate is of that type.
- */
- return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
- }
- }
-
- if (session->internals.priorities.sign_algo.algorithms == 0) /* none set,
allow all */
- {
- gnutls_assert();
- return 0;
- }
-
- for (i = 0; i < session->internals.priorities.sign_algo.algorithms; i++)
- {
- if (session->internals.priorities.sign_algo.priority[i] == sig)
- {
- return 0; /* ok */
- }
- }
-
- return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-}
/* this function deinitializes all the internal parameters stored
* in a session struct.
diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h
index bff0022..dc73e8d 100644
--- a/lib/gnutls_state.h
+++ b/lib/gnutls_state.h
@@ -41,8 +41,6 @@ void _gnutls_session_cert_type_set (gnutls_session_t session,
int _gnutls_session_cert_type_supported (gnutls_session_t,
gnutls_certificate_type_t);
-int _gnutls_session_sign_algo_supported (gnutls_session_t session,
- gnutls_sign_algorithm_t sig, int
check_certs);
int _gnutls_dh_set_secret_bits (gnutls_session_t session, unsigned bits);
int _gnutls_dh_set_peer_public (gnutls_session_t session, bigint_t public);
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 26e6d86..e038a5d 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -336,6 +336,7 @@ extern "C" {
const char *
gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign);
+
/* If you want to change this, then also change the define in
* gnutls_int.h, and recompile.
*/
@@ -402,6 +403,8 @@ extern "C" {
gnutls_compression_get (gnutls_session_t session);
gnutls_certificate_type_t
gnutls_certificate_type_get (gnutls_session_t session);
+ int gnutls_session_sign_algorithm_get_requested (gnutls_session_t session,
+ int indx, gnutls_sign_algorithm_t *algo);
size_t gnutls_cipher_get_key_size (gnutls_cipher_algorithm_t algorithm);
size_t gnutls_mac_get_key_size (gnutls_mac_algorithm_t algorithm);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 89474be..3c9b727 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -579,6 +579,7 @@ GNUTLS_2_10
gnutls_x509_crt_get_issuer_alt_name2;
gnutls_x509_crt_get_issuer_alt_name;
gnutls_x509_crt_get_issuer_alt_othername_oid;
+ gnutls_session_sign_algorithm_get_requested;
} GNUTLS_2_8;
GNUTLS_PRIVATE {
diff --git a/src/cli.c b/src/cli.c
index d2b5457..b0e5d0d 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -365,10 +365,46 @@ cert_callback (gnutls_session_t session,
st->type = gnutls_certificate_type_get (session);
+
st->ncerts = 0;
if (st->type == GNUTLS_CRT_X509)
{
+ gnutls_sign_algorithm_t cert_algo, req_algo;
+ int i, match = 0;
+
+ ret = gnutls_x509_crt_get_signature_algorithm(x509_crt[0]);
+ if (ret < 0)
+ {
+ /* error reading signature algorithm */
+ return -1;
+ }
+ cert_algo = ret;
+
+ i=0;
+ do {
+ ret = gnutls_session_sign_algorithm_get_requested(session, i,
&req_algo);
+ if (ret >= 0 && cert_algo == req_algo)
+ {
+ match = 1;
+ break;
+ }
+
+ /* server has not requested anything specific */
+ if (i==0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ {
+ match = 1;
+ break;
+ }
+ i++;
+ } while(ret >= 0);
+
+ if (match == 0)
+ {
+ printf("- Could not find a suitable certificate to send to
server\n");
+ return -1;
+ }
+
if (x509_crt != NULL && x509_key != NULL)
{
st->ncerts = x509_crt_size;
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_9_7-33-g4d5f721,
Nikos Mavrogiannopoulos <=