author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-17 09:06:52 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-17 17:08:02 +0200 |
commit | 30fd9938025bb8b9d52f3628cda2d1203b179533 (patch) | |
tree | 1c9bd5aa66000170ce584246a7dc28462adb9aeb | |
parent | 0fbf17287c10f4990f4140368149ebb2de258691 (diff) | |
download | gnutls-30fd9938025bb8b9d52f3628cda2d1203b179533.tar.gz |
privkey_sign_and_hash_data: in pre-hashed schemes, allow empty hash algorithm
In these schemes the hash algorithm is fixed in the signature algorithm
and thus the empty (unknown) value will act as a wildcard.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/privkey.c | 11 | ||||
-rw-r--r-- | lib/pubkey.c | 5 |
2 files changed, 12 insertions, 4 deletions
diff --git a/lib/privkey.c b/lib/privkey.c
index 51100f9812..e026ca4895 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1131,11 +1131,16 @@ privkey_sign_and_hash_data(gnutls_privkey_t signer,
 gnutls_datum_t digest;
 const mac_entry_st *me;
- if (gnutls_pk_to_sign(params->pk, params->dig) == GNUTLS_SIGN_UNKNOWN)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ if (_gnutls_pk_is_not_prehashed(signer->pk_algorithm)) {
+ if (params->dig != GNUTLS_DIG_UNKNOWN &&
+ gnutls_pk_to_sign(params->pk, params->dig) == GNUTLS_SIGN_UNKNOWN)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- if (_gnutls_pk_is_not_prehashed(signer->pk_algorithm))
 return privkey_sign_raw_data(signer, data, signature, params);
+ }
+
+ if (gnutls_pk_to_sign(params->pk, params->dig) == GNUTLS_SIGN_UNKNOWN)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 me = hash_to_entry(params->dig);
 if (me == NULL)
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 7a77c30741..0b16f28fba 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1528,7 +1528,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
 params.pk = gnutls_sign_get_pk_algorithm(algo);
 params.dig = gnutls_sign_get_hash_algorithm(algo);
 me = hash_to_entry(params.dig);
- if (me == NULL)
+ if (me == NULL && !_gnutls_pk_is_not_prehashed(params.pk))
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 if (params.pk != pubkey->pk_algorithm) {
@@ -1780,6 +1780,9 @@ _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
 unsigned int digest_size;
 gnutls_datum_t d, di;
+ if (unlikely(me == NULL))
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
 digest_size = _gnutls_hash_get_algo_len(me);
 if (prehash) {
 if (prehash->data == NULL || prehash->size != digest_size) |
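Review bot: In the new `_gnutls_pk_is_not_prehashed(signer->pk_algorithm)` branch of lib/privkey.c, a `params->dig` of `GNUTLS_DIG_UNKNOWN` skips the `gnutls_pk_to_sign()` lookup, so on that path `params->pk` reaches `privkey_sign_raw_data()` with no validation visible in this hunk. The branch is selected on `signer->pk_algorithm` while the lookup uses `params->pk`; unless something earlier ties the two together, it is worth confirming they agree before the raw call. The wildcard is also undocumented at its point of use, and I would add `/* hash is fixed by the signature scheme; GNUTLS_DIG_UNKNOWN acts as a wildcard */` above the inner `if`. The function body starts and ends outside the hunk, so an earlier check may already cover this.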
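Review bot: In `gnutls_pubkey_verify_data2()` the relaxed test `me == NULL && !_gnutls_pk_is_not_prehashed(params.pk)` lets a NULL `me` continue past this point for non-pre-hashed schemes, so every later consumer of `me` has to tolerate NULL. The second lib/pubkey.c hunk adds that guard to `_pkcs1_rsa_verify_sig()` only; other verification helpers that receive `me` are not visible here and should be checked for the same dereference. The test also runs on `params.pk` derived from the caller-supplied `algo` before that value is compared with `pubkey->pk_algorithm` on the following lines. A short comment such as `/* me may be NULL for schemes that fix the hash internally */` next to the condition would make the contract explicit. Both functions continue outside their hunks.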