author | Daiki Ueno <ueno@gnu.org> | 2019-01-09 06:47:05 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2019-01-09 06:47:05 +0000 |
commit | 42d5844c33aa27fd3eb107c3bdbe45e7c7d0df7b (patch) | |
tree | 85b5511ead8eeeb070d31a1b58faf2aaffe30889 /lib/tls-sig.c | |
parent | 37b72cb8bf28067fa52722a54c23c77937e60b8c (diff) | |
parent | 14958c77578b1d8cad6044e08b04be654c27c263 (diff) | |
Merge branch 'tmp-rsa-pss-tls12' into 'master'
tls-sig: check RSA-PSS signature key compatibility also in TLS 1.2
Closes #659 and #645
See merge request gnutls/gnutls!854
Diffstat (limited to 'lib/tls-sig.c')
-rw-r--r-- | lib/tls-sig.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/lib/tls-sig.c b/lib/tls-sig.c index 75f88e5fbd..19357c06a1 100644 --- a/lib/tls-sig.c +++ b/lib/tls-sig.c @@ -271,10 +271,11 @@ _gnutls_handshake_verify_data12(gnutls_session_t session, gnutls_datum_t dconcat; int ret; const version_entry_st *ver = get_version(session); + const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign_algo); _gnutls_handshake_log ("HSK[%p]: verify TLS 1.2 handshake data: using %s\n", session, - gnutls_sign_algorithm_get_name(sign_algo)); + se->name); ret = _gnutls_pubkey_compatible_with_sig(session, @@ -283,6 +284,12 @@ _gnutls_handshake_verify_data12(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); + if (unlikely(sign_supports_cert_pk_algorithm(se, cert->pubkey->params.algo) == 0)) { + _gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n", + session, gnutls_pk_get_name(cert->pubkey->params.algo), se->name); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + } + ret = _gnutls_session_sign_algo_enabled(session, sign_algo); if (ret < 0) @@ -356,11 +363,18 @@ _gnutls_handshake_verify_crt_vrfy12(gnutls_session_t session, { int ret; gnutls_datum_t dconcat; + const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign_algo); ret = _gnutls_session_sign_algo_enabled(session, sign_algo); if (ret < 0) return gnutls_assert_val(ret); + if (unlikely(sign_supports_cert_pk_algorithm(se, cert->pubkey->params.algo) == 0)) { + _gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n", + session, gnutls_pk_get_name(cert->pubkey->params.algo), se->name); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + } + dconcat.data = session->internals.handshake_hash_buffer.data; dconcat.size = session->internals.handshake_hash_buffer_prev_len; 
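Review bot: `se->name` in the handshake log call is dereferenced before anything checks that `_gnutls_sign_to_entry(sign_algo)` actually found an entry; if that lookup returns NULL for an unrecognised sign_algo, as its name suggests, a peer-supplied algorithm that reaches `_gnutls_handshake_verify_data12` unfiltered now crashes the verifier instead of being reported as an error further down. Unless every caller already rejects unknown algorithms (not visible in this hunk), add `if (unlikely(se == NULL)) return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);` directly after the new declaration. The same guard is needed for the `se` introduced in the third hunk (`_gnutls_handshake_verify_crt_vrfy12`), where `sign_supports_cert_pk_algorithm(se, ...)` would otherwise be handed a null entry. The body of `_gnutls_handshake_verify_data12` starts before this hunk.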
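Review bot: The five-line key/signature compatibility check added here is repeated verbatim in the next hunk (`_gnutls_handshake_verify_crt_vrfy12`), log text included, which invites the two copies to drift the next time the condition or the error code changes. A small static helper taking the sign entry and the certificate's pk algorithm gives the rule a single home, one place to document why it exists (per the commit title, the RSA-PSS key compatibility check that TLS 1.3 already performs), and turns both call sites into a one-line call. The enclosing function starts before this hunk.
```c
/* Reject a signature algorithm that cannot be used with the public-key
 * type of the peer's certificate (the RSA-PSS cases from the commit that
 * introduced this check); returns 0 when the pair is acceptable. */
static int check_sig_matches_cert_pk(gnutls_session_t session,
				     const gnutls_sign_entry_st *se,
				     gnutls_pk_algorithm_t pk)
{
	if (unlikely(sign_supports_cert_pk_algorithm(se, pk) == 0)) {
		_gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n",
				      session, gnutls_pk_get_name(pk), se->name);
		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
	}
	return 0;
}

/* … unchanged: _gnutls_handshake_verify_data12 up to _gnutls_pubkey_compatible_with_sig … */
	ret = check_sig_matches_cert_pk(session, se, cert->pubkey->params.algo);
	if (ret < 0)
		return ret;
```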
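Review bot: The new check in `_gnutls_handshake_verify_crt_vrfy12` carries no comment, and nothing in the code explains why a signature algorithm the session has just accepted (`_gnutls_session_sign_algo_enabled` returned success on the line above) can still be refused here with an illegal-parameter error. A one-line comment above the `if` would save the next reader a trip to the issue tracker, e.g. `/* the signature scheme must be usable with the certificate's key type, e.g. an RSA-PSS signature needs a key that permits it (#659, #645) */`. The function's body continues past the end of this hunk.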
@@ -567,6 +581,9 @@ _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session, gnutls_sign_algorithm_set_client(session, sign_algo); + if (unlikely(gnutls_sign_supports_pk_algorithm(sign_algo, pkey->pk_algorithm) == 0)) + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + _gnutls_debug_log("sign handshake cert vrfy: picked %s\n", gnutls_sign_algorithm_get_name(sign_algo)); |