diff options
Diffstat (limited to 'lib/x509/verify.c')
-rw-r--r-- | lib/x509/verify.c | 97 |
1 files changed, 53 insertions, 44 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 9c047ccecd..c9ac8b1fd7 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -58,7 +58,8 @@ static int check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) { gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = - {NULL, 0}; + { + NULL, 0}; int result; opaque serial1[128], serial2[128]; size_t serial1_size, serial2_size; @@ -79,7 +80,8 @@ check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) goto cmp; } - if (serial2_size != serial1_size || memcmp(serial1, serial2, serial1_size) != 0) + if (serial2_size != serial1_size + || memcmp (serial1, serial2, serial1_size) != 0) { return 1; } @@ -496,36 +498,35 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, * self-signed E but already removed above), and we trust B, remove * B, C and D. */ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) - i = 0; /* also replace the first one */ + i = 0; /* also replace the first one */ else - i = 1; /* do not replace the first one */ - + i = 1; /* do not replace the first one */ + for (; i < clist_size; i++) { int j; for (j = 0; j < tcas_size; j++) - { - if (check_if_same_cert (certificate_list[i], - trusted_cas[j]) == 0) + { + if (check_if_same_cert (certificate_list[i], trusted_cas[j]) == 0) { /* explicity time check for trusted CA that we remove from * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS */ if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) - && !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) - { - status |= check_time (trusted_cas[j], now); - if (status != 0) - { - return status; - } + && !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) + { + status |= check_time (trusted_cas[j], now); + if (status != 0) + { + return status; + } } - clist_size = i; + clist_size = i; break; } - } - /* clist_size may have been changed which gets out of loop */ + } + /* clist_size may have been changed which gets out of loop */ } if (clist_size == 0) @@ -827,10 +828,10 @@ dsa_verify_sig (const gnutls_datum_t * text, */ int pubkey_verify_sig (const gnutls_datum_t * tbs, - const gnutls_datum_t * hash, - const gnutls_datum_t * signature, - gnutls_pk_algorithm_t pk, bigint_t * issuer_params, - int issuer_params_size) + const gnutls_datum_t * hash, + const gnutls_datum_t * signature, + gnutls_pk_algorithm_t pk, bigint_t * issuer_params, + int issuer_params_size) { switch (pk) @@ -864,17 +865,23 @@ pubkey_verify_sig (const gnutls_datum_t * tbs, } } -gnutls_digest_algorithm_t _gnutls_dsa_q_to_hash(bigint_t q) +gnutls_digest_algorithm_t +_gnutls_dsa_q_to_hash (bigint_t q) { - int bits = _gnutls_mpi_get_nbits(q); - - if (bits <= 160) { - return GNUTLS_DIG_SHA1; - } else if (bits <= 224) { - return GNUTLS_DIG_SHA224; - } else { - return GNUTLS_DIG_SHA256; - } + int bits = _gnutls_mpi_get_nbits (q); + + if (bits <= 160) + { + return GNUTLS_DIG_SHA1; + } + else if (bits <= 224) + { + return GNUTLS_DIG_SHA224; + } + else + { + return GNUTLS_DIG_SHA256; + } } /* This will return the appropriate hash to verify the given signature. @@ -885,28 +892,30 @@ int _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash, const gnutls_datum_t * signature, gnutls_pk_algorithm pk, - bigint_t* issuer_params, unsigned int issuer_params_size) + bigint_t * issuer_params, + unsigned int issuer_params_size) { opaque digest[MAX_HASH_SIZE]; gnutls_datum_t decrypted; int digest_size; int ret; - switch(pk) + switch (pk) { case GNUTLS_PK_DSA: - + if (hash) - *hash = _gnutls_dsa_q_to_hash(issuer_params[1]); + *hash = _gnutls_dsa_q_to_hash (issuer_params[1]); ret = 0; break; case GNUTLS_PK_RSA: - if (signature == NULL) {/* return a sensible algorithm */ - if (hash) - *hash = GNUTLS_DIG_SHA256; - return 0; - } + if (signature == NULL) + { /* return a sensible algorithm */ + if (hash) + *hash = GNUTLS_DIG_SHA256; + return 0; + } ret = _gnutls_pkcs1_rsa_decrypt (&decrypted, signature, @@ -979,8 +988,8 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs, ret = pubkey_verify_sig (tbs, hash, signature, - gnutls_x509_crt_get_pk_algorithm (issuer, NULL), - issuer_params, issuer_params_size); + gnutls_x509_crt_get_pk_algorithm (issuer, NULL), + issuer_params, issuer_params_size); if (ret < 0) { gnutls_assert (); @@ -1010,7 +1019,7 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs, int ret; ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm, - issuer->params, issuer->params_size); + issuer->params, issuer->params_size); if (ret < 0) { gnutls_assert (); |