authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2019-10-23 12:22:57 +0000
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2019-10-23 12:22:57 +0000
commitd4eaf6da6d7c3a1f11a43d9fcb11904e7dc7df3d (patch)
tree0faee55575e59f81268e19a4ea1f7d50bd371629
parentc6b6f3130d4b9c88a5471ff7f7b113be8e8c8411 (diff)
parent975e1e81f78490baf9e4da220f892b13708aee66 (diff)
Merge branch 'key-compat' into 'master'
lib: pubkey vs TLS signature compatibility for GOST algorithms See merge request gnutls/gnutls!1101
-rw-r--r--lib/pubkey.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 74d19d8b39..3b4d7f9003 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1972,6 +1972,19 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
hash_size);
}
+ } else if (pubkey->params.algo == GNUTLS_PK_GOST_01 ||
+ pubkey->params.algo == GNUTLS_PK_GOST_12_256 ||
+ pubkey->params.algo == GNUTLS_PK_GOST_12_512) {
+ if (_gnutls_version_has_selectable_sighash(ver)
+ && se != NULL) {
+ if (_gnutls_gost_digest(pubkey->params.algo) != se->hash) {
+ _gnutls_audit_log(session,
+ "The hash algo used in signature (%u) is not expected (%u)\n",
+ se->hash, _gnutls_gost_digest(pubkey->params.algo));
+ return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
+ }
+ }
+
} else if (pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
if (!_gnutls_version_has_selectable_sighash(ver))
/* this should not have happened */
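Review bot: The new GOST branch compares the signature digest with the key's digest only when `_gnutls_version_has_selectable_sighash(ver) && se != NULL`; in every other case it falls through without a check, and nothing in the hunk records why that is acceptable. If the skip is intentional (presumably because no signature algorithm was negotiated, so there is no `se->hash` to compare), say so in a comment above the inner `if`, e.g. `/* no negotiated signature algorithm: nothing to match against the key's digest */`; if it is not, the branch should reject instead of passing silently. As a smaller point, `_gnutls_gost_digest(pubkey->params.algo)` is evaluated twice and both values go to `%u`, so a local `unsigned expected = _gnutls_gost_digest(pubkey->params.algo);` plus `(unsigned)se->hash` in the log call would be tidier if these are enum-typed. The body of `_gnutls_pubkey_compatible_with_sig` starts and ends outside this hunk, so whether a later check covers the skipped case cannot be seen here.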