author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-30 10:13:16 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-31 10:33:47 +0200 |
commit | 7586209b70da3ad3eb8d64cdfba361d19024d5cf (patch) | |
tree | 4fb16a93bb64055e08ee104012099c87817aad0a | |
parent | 2f71bc636a1a7e294d1bd3bb4f33389fd2be6235 (diff) | |
download | gnutls-7586209b70da3ad3eb8d64cdfba361d19024d5cf.tar.gz |
gnutls_pubkey_verify_data2: do not utilize GNUTLS_VERIFY_USE_RSA_PSS
This flag is not needed for verification: the signature algorithm passed by
the caller already identifies RSA-PSS, so no flag is required to select it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/includes/gnutls/abstract.h | 1 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 3 | ||||
-rw-r--r-- | lib/pubkey.c | 14 |
3 files changed, 12 insertions, 6 deletions
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index dec5db4e3f..2182a96597 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -52,7 +52,6 @@ typedef enum gnutls_pubkey_flags {
 } gnutls_pubkey_flags_t;
 #define GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA GNUTLS_VERIFY_USE_TLS1_RSA
-#define GNUTLS_PUBKEY_VERIFY_FLAG_RSA_PSS GNUTLS_VERIFY_USE_RSA_PSS
 typedef int (*gnutls_privkey_sign_func) (gnutls_privkey_t key,
 void *userdata,
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index cc30a5fd6c..b67e7c0271 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -964,8 +964,7 @@ typedef enum gnutls_certificate_verify_flags {
 GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
 GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13,
 GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14,
-GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15,
-GNUTLS_VERIFY_USE_RSA_PSS = 1 << 16
+GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15
 /* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
 } gnutls_certificate_verify_flags;
diff --git a/lib/pubkey.c b/lib/pubkey.c
index e7ad16d60c..f3d72a807a 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
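Review bot: Removing `GNUTLS_VERIFY_USE_RSA_PSS` from the public `gnutls_certificate_verify_flags` enum in x509.h frees bit 16 without reserving it; any caller compiled against a header that still defined the flag keeps passing `1 << 16`, which is now silently ignored and will change meaning if that bit is later assigned to a new flag. If the flag has ever appeared in a released header, keep a deprecated placeholder such as `GNUTLS_VERIFY_USE_RSA_PSS = 1 << 16 /* no-op, kept so the bit is not reused */` and mention the removal in NEWS; if it never shipped, a sentence saying so in the commit message would spare the next reader the question. The `GNUTLS_PUBKEY_VERIFY_FLAG_RSA_PSS` alias dropped from abstract.h has the same exposure.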
@@ -1626,13 +1626,22 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
 memcpy(¶ms, &pubkey->params.sign, sizeof(gnutls_x509_spki_st));
-params.pk = pubkey->pk_algorithm;
+params.pk = gnutls_sign_get_pk_algorithm(algo);
 params.dig = gnutls_sign_get_hash_algorithm(algo);
 me = hash_to_entry(params.dig);
 if (me == NULL)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-if (flags & GNUTLS_VERIFY_USE_RSA_PSS) {
+if (params.pk != pubkey->pk_algorithm) {
+if (!gnutls_sign_supports_pk_algorithm(algo, pubkey->pk_algorithm)) {
+_gnutls_debug_log("have key: %s/%d, with sign %s/%d\n", gnutls_pk_get_name(pubkey->pk_algorithm), pubkey->pk_algorithm, gnutls_sign_get_name(algo), algo);
+return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
+}
+}
+
+if (params.pk == GNUTLS_PK_RSA_PSS) {
 unsigned bits;
 if (!GNUTLS_PK_IS_RSA(pubkey->pk_algorithm))
@@ -1645,7 +1654,6 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
 gnutls_pubkey_get_pk_algorithm(pubkey, &bits);
 params.salt_size = _gnutls_find_rsa_pss_salt_size(bits, me, 0);
 }
-params.pk = GNUTLS_PK_RSA_PSS;
 }
 ret = pubkey_verify_data(params.pk, me, data, signature, &pubkey->params,
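Review bot: The new `params.pk == GNUTLS_PK_RSA_PSS` branch derives `params.salt_size` only from the modulus size and the hash named by `algo`, yet `params.dig` was overwritten two lines after the `memcpy` from `pubkey->params.sign`, so any digest or salt-length restriction the key's own RSA-PSS SPKI parameters carry (RFC 4055 §3.3) is no longer reflected in `params` when verification runs, and nothing in this hunk compares the signature's hash against that restriction. Lines 1638–1644 fall between the two hunks and may already perform that check; if they do not, compare the digest recorded in `pubkey->params.sign` with `params.dig` and return `GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY` on mismatch before `pubkey_verify_data` is reached, otherwise a key restricted to SHA-256 PSS would accept SHA-1 PSS signatures. The compatibility check also relies on `gnutls_sign_supports_pk_algorithm` refusing a PKCS#1 v1.5 `algo` against a key whose `pk_algorithm` is RSA-PSS; that pairing deserves an explicit test, since accepting it would let a PSS-only key validate v1.5 signatures. gnutls_pubkey_verify_data2 begins and ends outside these hunks.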