updates in certificate verification.

5 files changed, 48 insertions, 7 deletions

diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index c5fab22fe6..f07616c667 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -197,6 +197,49 @@ _gnutls_mpi_dprint (const mpi_t a, gnutls_datum_t * dest)
   return 0;
 }
 
+/* This function will copy the mpi data into a datum,
+ * but will set minimum size to 'size'. That means that
+ * the output value is left padded with zeros.
+ */
+int
+_gnutls_mpi_dprint_size (const mpi_t a, gnutls_datum_t * dest, size_t size)
+{
+  int ret;
+  opaque *buf = NULL;
+  size_t bytes = 0;
+  unsigned int i;
+
+  if (dest == NULL || a == NULL)
+    return GNUTLS_E_INVALID_REQUEST;
+
+  _gnutls_mpi_print (a, NULL, &bytes);
+  if (bytes != 0)
+    buf = gnutls_malloc (MAX(size, bytes));
+  if (buf == NULL)
+    return GNUTLS_E_MEMORY_ERROR;
+
+  dest->size = MAX(size, bytes);
+
+  if (bytes <= size) {
+      size_t diff = size - bytes;
+      for (i=0;i<diff;i++)
+        buf[i] = 0;
+      ret = _gnutls_mpi_print(a, &buf[diff], &bytes);
+    } else {
+      ret = _gnutls_mpi_print(a, buf, &bytes);
+    }
+
+  if (ret < 0)
+    {
+      gnutls_free (buf);
+      return ret;
+    }
+
+  dest->data = buf;
+  dest->size = MAX(size, bytes);
+  return 0;
+}
+
 /* this function reads an integer
  * from asn1 structs. Combines the read and mpi_scan
  * steps.
diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h
index 7dbf4df098..ef3c3abe11 100644
--- a/lib/gnutls_mpi.h
+++ b/lib/gnutls_mpi.h
@@ -68,6 +68,7 @@ int _gnutls_mpi_scan_nz (mpi_t * ret_mpi, const void * buffer, size_t nbytes);
 
 int _gnutls_mpi_dprint_lz ( const mpi_t a, gnutls_datum_t * dest);
 int _gnutls_mpi_dprint ( const mpi_t a, gnutls_datum_t * dest);
+int _gnutls_mpi_dprint_size (const mpi_t a, gnutls_datum_t * dest, size_t size);
 
 #define _gnutls_mpi_generate_group( gg, bits) gnutls_mpi_ops.bigint_generate_group( gg, bits)
 
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 7823551a2b..ead75f18d8 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -234,12 +234,10 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
    */
   if (btype == 2)
     {
-//      pk_params.flags = GNUTLS_PK_FLAG_PKCS1_TYPE2;
       ret = _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
     }
   else
     {
-//      pk_params.flags = GNUTLS_PK_FLAG_PKCS1_TYPE1;
       ret = _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
     }
 
@@ -257,7 +255,6 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
    * "Chosen Ciphertext Attacks against Protocols Based on RSA
    * Encryption Standard PKCS #1".
    */
-
   if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
     {
       gnutls_assert ();
diff --git a/lib/pk-libgcrypt.c b/lib/pk-libgcrypt.c
index 834160ff09..7345f9ee06 100644
--- a/lib/pk-libgcrypt.c
+++ b/lib/pk-libgcrypt.c
@@ -43,7 +43,6 @@
 /* this is based on code from old versions of libgcrypt (centuries ago)
  */
 
-
 int (*generate) (gnutls_pk_algorithm_t, unsigned int level /*bits */ ,
 		 gnutls_pk_params_st *);
 
@@ -123,7 +122,7 @@ _wrap_gcry_pk_encrypt(gnutls_pk_algorithm_t algo,
       goto cleanup;
     }
 
-    ret = _gnutls_mpi_dprint(ciphertext, res);
+    ret = _gnutls_mpi_dprint_size(res, ciphertext, plaintext->size);
     _gnutls_mpi_release(&res);
 
     if (ret < 0) {
@@ -213,7 +212,7 @@ _wrap_gcry_pk_decrypt(gnutls_pk_algorithm_t algo,
       goto cleanup;
     }
 
-    ret = _gnutls_mpi_dprint(plaintext, res);
+    ret = _gnutls_mpi_dprint_size(res, plaintext, ciphertext->size);
     _gnutls_mpi_release(&res);
 
     if (ret < 0) {
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index 5f130c1ec0..9bfc284508 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -326,7 +326,8 @@ gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
 			       char *sig, size_t *sizeof_sig)
 {
   int result;
-  int bits, len;
+  int bits;
+  unsigned int len;
 
   if (crl == NULL)
     {