-rw-r--r--lib/pubkey.c6
-rw-r--r--tests/sign-verify-data-newapi.c13
-rw-r--r--tests/sign-verify-newapi.c17
3 files changed, 23 insertions, 13 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index f1a0302fca..2dfe5d56ec 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1678,8 +1678,6 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
}
-#define OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA 1
-
/* Updates the gnutls_x509_spki_st parameters based on the signature
* information, and reports any incompatibilities between the existing
* parameters (if any) with the signature algorithm */
@@ -1758,7 +1756,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
return GNUTLS_E_INVALID_REQUEST;
}
- if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA)
+ if (flags & GNUTLS_VERIFY_USE_TLS1_RSA)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
memcpy(&params, &pubkey->params.spki, sizeof(gnutls_x509_spki_st));
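Review bot: The condition `if (flags & GNUTLS_VERIFY_USE_TLS1_RSA)` carries no comment recording why the value-1 alias was dropped, so a later change could reintroduce the collision. The removed `OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA` was defined as 1, which, judging by the tests added in this commit, appears to be the same bit as `GNUTLS_VERIFY_DISABLE_CA_SIGN`. A comment above the check such as `/* flag value 1 is GNUTLS_VERIFY_DISABLE_CA_SIGN and must not be read as a TLS 1.x RSA request */` would make that explicit, and the same comment fits the matching condition in the gnutls_pubkey_verify_hash2 hunk. Callers built against the old flag value now get different behaviour from both functions, which is worth stating in their documentation; both function bodies extend outside the hunks shown.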
@@ -1830,7 +1828,7 @@ gnutls_pubkey_verify_hash2(gnutls_pubkey_t key,
memcpy(&params, &key->params.spki, sizeof(gnutls_x509_spki_st));
- if (flags & OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA || flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
+ if (flags & GNUTLS_VERIFY_USE_TLS1_RSA) {
if (!GNUTLS_PK_IS_RSA(key->params.algo))
return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
params.pk = GNUTLS_PK_RSA;
diff --git a/tests/sign-verify-data-newapi.c b/tests/sign-verify-data-newapi.c
index 5bc3f3088b..eca18974ee 100644
--- a/tests/sign-verify-data-newapi.c
+++ b/tests/sign-verify-data-newapi.c
@@ -15,9 +15,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
*/
#ifdef HAVE_CONFIG_H
@@ -126,6 +126,13 @@ void doit(void)
if (ret < 0)
testfail("gnutls_x509_pubkey_verify_data2\n");
+ /* Test functionality of GNUTLS_VERIFY_DISABLE_CA_SIGN flag (see issue #754) */
+ ret =
+ gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_DISABLE_CA_SIGN, &raw_data,
+ &signature);
+ if (ret < 0)
+ testfail("gnutls_x509_pubkey_verify_data2\n");
+
/* should fail */
ret =
gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0,
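Review bot: The added call only checks that a valid signature is still accepted when `GNUTLS_VERIFY_DISABLE_CA_SIGN` is set; nothing checks that a bad signature is still rejected with the flag present. Repeating the existing "should fail" call that follows, with the flag in place of `0`, would pin that the flag does not weaken verification. The same gap is in the gnutls_pubkey_verify_hash2 hunk in tests/sign-verify-newapi.c. Separately, the failure message here is identical to the preceding check's, so a failure cannot be attributed to the new case; the hash2 test already uses a distinguishing suffix, e.g. `testfail("gnutls_x509_pubkey_verify_data2 with GNUTLS_VERIFY_DISABLE_CA_SIGN\n");`. doit() continues outside the hunk.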
diff --git a/tests/sign-verify-newapi.c b/tests/sign-verify-newapi.c
index 47ac3d983d..aa284006aa 100644
--- a/tests/sign-verify-newapi.c
+++ b/tests/sign-verify-newapi.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004-2012 Free Software Foundation, Inc.
- * Copyright (C) 2017 Red Hat, Inc.
+ * Copyright (C) 2017-2019 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos, Simon Josefsson
*
@@ -16,13 +16,11 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
*/
-/* Parts copied from GnuTLS example programs. */
-
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -172,6 +170,13 @@ void doit(void)
if (ret < 0)
testfail("gnutls_x509_pubkey_verify_hash2\n");
+ /* Test functionality of GNUTLS_VERIFY_DISABLE_CA_SIGN (see issue #754) */
+ ret =
+ gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_DISABLE_CA_SIGN, hash_data,
+ &signature);
+ if (ret < 0)
+ testfail("gnutls_x509_pubkey_verify_hash2 with GNUTLS_VERIFY_DISABLE_CA_SIGN\n");
+
ret =
gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data,
&signature2);