author | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2019-10-23 12:22:57 +0000 |
---|---|---|
committer | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2019-10-23 12:22:57 +0000 |
commit | d4eaf6da6d7c3a1f11a43d9fcb11904e7dc7df3d (patch) | |
tree | 0faee55575e59f81268e19a4ea1f7d50bd371629 | |
parent | c6b6f3130d4b9c88a5471ff7f7b113be8e8c8411 (diff) | |
parent | 975e1e81f78490baf9e4da220f892b13708aee66 (diff) | |
download | gnutls-d4eaf6da6d7c3a1f11a43d9fcb11904e7dc7df3d.tar.gz |
Merge branch 'key-compat' into 'master'
lib: pubkey vs TLS signature compatibility for GOST algorithms
See merge request gnutls/gnutls!1101
-rw-r--r-- | lib/pubkey.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 74d19d8b39..3b4d7f9003 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1972,6 +1972,19 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
 hash_size);
 }
+ } else if (pubkey->params.algo == GNUTLS_PK_GOST_01 ||
+ pubkey->params.algo == GNUTLS_PK_GOST_12_256 ||
+ pubkey->params.algo == GNUTLS_PK_GOST_12_512) {
+ if (_gnutls_version_has_selectable_sighash(ver)
+ && se != NULL) {
+ if (_gnutls_gost_digest(pubkey->params.algo) != se->hash) {
+ _gnutls_audit_log(session,
+ "The hash algo used in signature (%u) is not expected (%u)\n",
+ se->hash, _gnutls_gost_digest(pubkey->params.algo));
+ return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
+ }
+ }
+
 } else if (pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
 if (!_gnutls_version_has_selectable_sighash(ver))
 /* this should not have happened */ |
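Review bot: The new GOST branch enforces the key/digest binding only when `_gnutls_version_has_selectable_sighash(ver) && se != NULL` holds; in every other case it falls through with no comparison and no audit entry, while the RSA-PSS branch directly below treats the non-selectable case as one that "should not have happened". Whether `se` can be NULL for a GOST key on a selectable-sighash version is not visible in this hunk, so the skip should either be documented where the inner `if` closes, e.g. `/* se == NULL or no selectable sighash: nothing to compare here (TODO confirm the digest is constrained elsewhere) */`, or that case should fail closed. As a smaller style point, `_gnutls_gost_digest(pubkey->params.algo)` is evaluated twice; a local such as `gnutls_digest_algorithm_t expected = _gnutls_gost_digest(pubkey->params.algo);` would keep the comparison and the audit message in step. The body of `_gnutls_pubkey_compatible_with_sig` starts and ends outside this hunk.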