author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-12-05 16:33:01 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-12-05 16:44:56 +0100 |
commit | ded835266f01adedb705a26d10513e288ae73012 (patch) | |
tree | a4b692739137da5e4b26fbf0d86be4b91542da5f | |
parent | c34a21d1b9389d3e4cd4c1c607bc65d106770309 (diff) | |
download | gnutls-ded835266f01adedb705a26d10513e288ae73012.tar.gz |
Use ASN1_NULL when writing parameters for RSA signatures. This makes us comply with RFC3279. Reported by Michael Rommel.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/gnutls_sig.c | 3 | ||||
-rw-r--r-- | lib/x509/common.c | 2 | ||||
-rw-r--r-- | lib/x509/common.h | 3 | ||||
-rw-r--r-- | lib/x509/mpi.c | 5 | ||||
-rw-r--r-- | lib/x509/sign.c | 2 |
6 files changed, 14 insertions, 4 deletions
@@ -7,6 +7,9 @@ See the end for copying conditions.
 ** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
+** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
+This makes us comply with RFC3279. Reported by Michael Rommel.
+
 ** libgnutls: Reverted default behavior for verification and introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs are allowed, unless the new flag is specified.
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 10ca29b2b8..e5f319a9e6 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -40,6 +40,7 @@
 #include <libtasn1.h>
 #include <ext_signature.h>
 #include <gnutls_state.h>
+#include <x509/common.h>
 static int _gnutls_tls_sign (gnutls_session_t session,
@@ -90,7 +91,7 @@ _gnutls_rsa_encode_sig (gnutls_mac_algorithm_t algo,
 /* Use NULL parameters. */
 if ((result = asn1_write_value (di, "digestAlgorithm.parameters",
- "\x05\x00", 2)) != ASN1_SUCCESS)
+ ASN1_NULL, ASN1_NULL_SIZE)) != ASN1_SUCCESS)
 {
 gnutls_assert ();
 asn1_delete_structure (&di);
diff --git a/lib/x509/common.c b/lib/x509/common.c
index ce29bffaff..9d1392ea04 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1178,7 +1178,7 @@ _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst,
 */
 _gnutls_str_cpy (name, sizeof (name), dst_name);
 _gnutls_str_cat (name, sizeof (name), ".algorithm.parameters");
- result = asn1_write_value (dst, name, NULL, 0);
+ result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
 if (result != ASN1_SUCCESS)
 {
 gnutls_assert ();
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 53a94ef945..855640699e 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -59,6 +59,9 @@
 #define SIG_GOST_R3410_94_OID "1.2.643.2.2.4"
 #define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3"
+#define ASN1_NULL "\x05\x00"
+#define ASN1_NULL_SIZE 2
+
 int _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim);
 int _gnutls_x509_decode_octet_string (const char *string_type, 
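Review bot: The write to `.algorithm.parameters` in `_gnutls_x509_encode_and_copy_PKI_params` (lib/x509/common.c) now emits a NULL with no algorithm check in view, whereas the matching change in lib/x509/mpi.c guards on `pk_algorithm == GNUTLS_PK_RSA`. The enclosing branch starts outside this hunk, so it may already be RSA-only; if it is, a comment such as `/* RSA only: RFC 3279 requires NULL parameters here; other key types must not reach this write */` would make that dependency explicit for the next change. The comment that closes with `*/` just above is cut off by the hunk and is worth re-reading, because the call no longer clears the element but writes a value into it.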
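Review bot: `ASN1_NULL_SIZE` in lib/x509/common.h is a second hand-maintained constant that must stay equal to the length of the `ASN1_NULL` literal; deriving it, `#define ASN1_NULL_SIZE (sizeof (ASN1_NULL) - 1)`, keeps the length passed to `asn1_write_value` tied to the bytes themselves. Both names also sit in the `ASN1_` prefix that libtasn1 uses for its own identifiers (`ASN1_SUCCESS`, `ASN1_TYPE`), so a project-specific prefix would avoid a clash with a later libtasn1 header. A one-line comment, `/* DER encoding of an ASN.1 NULL: tag 0x05, length 0 */`, would document what the two bytes are.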
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 76747f251c..c55b7a6d28 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -452,7 +452,10 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name,
 _gnutls_str_cpy (name, sizeof (name), dst_name);
 _gnutls_str_cat (name, sizeof (name), ".parameters");
- result = asn1_write_value (dst, name, NULL, 0);
+ if (pk_algorithm == GNUTLS_PK_RSA)
+ result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
+ else
+ result = asn1_write_value (dst, name, NULL, 0);
 if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
 {
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index b2fd7c2764..3734f8e825 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -83,7 +83,7 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
 Regardless of what is correct, this appears to be what most implementations do. */
 result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
- "\x05\x00", 2);
+ ASN1_NULL, ASN1_NULL_SIZE);
 if (result != ASN1_SUCCESS)
 {
 gnutls_assert (); |
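Review bot: The RSA branch added to `_gnutls_x509_write_sig_params` writes a real value, but the check right after it still accepts `ASN1_ELEMENT_NOT_FOUND` as success. That tolerance fits the `NULL, 0` call, which in libtasn1 clears an optional element that may already be absent, but for RSA it would let a failed write pass silently and leave the AlgorithmIdentifier without the NULL this commit is meant to add. Consider accepting that code only in the non-RSA case, `if (result != ASN1_SUCCESS && (pk_algorithm == GNUTLS_PK_RSA || result != ASN1_ELEMENT_NOT_FOUND))`. The function body continues outside the hunk, so what happens after the check is not visible here.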