authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-26 09:20:22 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-03 11:57:53 +0200
commit44c92997f0bbc1be2641b0c83a825fb539716a74 (patch)
treee1cde5c0179dcbcd4dfdd080c0d35f46b86bb154 /lib/pubkey.c
parent2f0e285ad8e2762b280c4ed8163ab8f5c915d4d4 (diff)
downloadgnutls-44c92997f0bbc1be2641b0c83a825fb539716a74.tar.gz
pubkey_verify_hashed_data: simplified and made static
That also removes its ability to operate with the 'unknown' signature algorithm, and forces the TLS 1.0 key exchange to supply the right algorithm or flags. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/pubkey.c')
-rw-r--r--lib/pubkey.c46
1 files changed, 28 insertions, 18 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index ce372dbaea..f54f9e54eb 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -38,6 +38,12 @@
#include "urls.h"
#include <ecc.h>
+static int
+pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
+ const gnutls_datum_t * hash,
+ const gnutls_datum_t * signature,
+ gnutls_pk_params_st * params,
+ gnutls_x509_spki_st * sign_params);
unsigned pubkey_to_bits(gnutls_pk_params_st * params)
{
@@ -1634,9 +1640,6 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
/* we do not check for insecure algorithms with this flag */
return _gnutls_pk_verify(params.pk, hash, signature,
&key->params, &params);
- } else if (algo == GNUTLS_SIGN_UNKNOWN) {
- params.pk = key->params.algo;
- me = NULL;
} else {
se = _gnutls_sign_to_entry(algo);
if (se == NULL)
@@ -1652,15 +1655,13 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
if (ret < 0)
return gnutls_assert_val(ret);
- }
-
- ret = pubkey_verify_hashed_data(params.pk, me,
- hash, signature,
- &key->params,
- &params);
- if (ret < 0) {
- gnutls_assert();
- return ret;
+ ret = pubkey_verify_hashed_data(se, hash, signature,
+ &key->params,
+ &params);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
}
if (algo != GNUTLS_SIGN_UNKNOWN && gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) {
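Review bot: The `algo != GNUTLS_SIGN_UNKNOWN &&` guard on the last context line of this hunk looks redundant after the change: with the GNUTLS_SIGN_UNKNOWN branch removed in the previous hunk, an unknown algorithm now takes the `else` path, and if `_gnutls_sign_to_entry(GNUTLS_SIGN_UNKNOWN)` returns NULL (which the `if (se == NULL)` check there suggests), this line is only ever reached with a known algorithm. Either drop the first conjunct so it reads `if (gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) {`, or leave a short comment saying why the guard is kept. The new call also relies on `se` being non-NULL when `pubkey_verify_hashed_data(se, ...)` is reached, which presumably the `if (se == NULL)` check provides; a one-liner such as `/* se is non-NULL here: _gnutls_sign_to_entry() failure was handled above */` would make that dependency visible. gnutls_pubkey_verify_hash2 starts before this hunk and the lines between the previous hunk and this one are not visible.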
@@ -1908,19 +1909,25 @@ dsa_verify_data(gnutls_pk_algorithm_t pk,
/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
* not verified, or 1 otherwise.
*/
-int
-pubkey_verify_hashed_data(gnutls_pk_algorithm_t pk,
- const mac_entry_st *hash_algo,
+static int
+pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
gnutls_x509_spki_st * sign_params)
{
- switch (pk) {
+ const mac_entry_st *me;
+
+ me = hash_to_entry(se->hash);
+
+ switch (se->pk) {
case GNUTLS_PK_RSA:
case GNUTLS_PK_RSA_PSS:
+ if (unlikely(me==NULL))
+ return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+
if (_pkcs1_rsa_verify_sig
- (pk, hash_algo, NULL, hash, signature, params, sign_params) != 0)
+ (se->pk, me, NULL, hash, signature, params, sign_params) != 0)
{
gnutls_assert();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
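Review bot: The header comment above the function is now stale: besides GNUTLS_E_PK_SIG_VERIFY_FAILED and 1, the function can return GNUTLS_E_UNKNOWN_HASH_ALGORITHM from the new `if (unlikely(me==NULL))` check in the RSA/RSA-PSS case, and the same check in the next hunk for ECDSA/DSA. I would extend it to `* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if not verified, GNUTLS_E_UNKNOWN_HASH_ALGORITHM if se->hash has no mac_entry_st, or 1 otherwise.` The function also dereferences `se` unconditionally at `me = hash_to_entry(se->hash);`, so the contract should state that `se` must be non-NULL; since it is now static and its only visible caller checks `_gnutls_sign_to_entry()` for NULL first, a `/* se must be non-NULL */` on the prototype added at the top of the file is enough. The switch continues past the end of this hunk, so whether other cases can tolerate `me == NULL` is not visible here.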
@@ -1931,8 +1938,11 @@ pubkey_verify_hashed_data(gnutls_pk_algorithm_t pk,
case GNUTLS_PK_ECDSA:
case GNUTLS_PK_DSA:
+ if (unlikely(me==NULL))
+ return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+
if (dsa_verify_hashed_data
- (pk, hash_algo, hash, signature, params, sign_params) != 0) {
+ (se->pk, me, hash, signature, params, sign_params) != 0) {
gnutls_assert();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}