-rw-r--r-- | lib/algorithms.h | 1 | ||||
-rw-r--r-- | lib/algorithms/secparams.c | 22 | ||||
-rw-r--r-- | lib/x509/privkey.c | 2 |
3 files changed, 22 insertions, 3 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h
index ca137a83ac..46f411e685 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -334,6 +334,7 @@ const sign_algorithm_st *_gnutls_sign_to_tls_aid(gnutls_sign_algorithm_t sign);
 unsigned int _gnutls_pk_bits_to_subgroup_bits(unsigned int pk_bits);
+gnutls_digest_algorithm_t _gnutls_pk_bits_to_sha_hash(unsigned int pk_bits);
 bool _gnutls_pk_is_not_prehashed(gnutls_pk_algorithm_t algorithm);
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index ee65fc7a90..ec4e5e3ee4 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
@@ -131,13 +131,31 @@ unsigned int _gnutls_pk_bits_to_subgroup_bits(unsigned int pk_bits)
 unsigned int ret = 0;
 GNUTLS_SEC_PARAM_LOOP(
- ret = p->subgroup_bits;
+ ret = p->subgroup_bits;
 if (p->pk_bits >= pk_bits) break;
 );
 return ret;
 }
+/* Returns a corresponding SHA algorithm size for the
+ * public key bits given. It is based on the NIST mappings.
+ */
+gnutls_digest_algorithm_t _gnutls_pk_bits_to_sha_hash(unsigned int pk_bits)
+{
+ GNUTLS_SEC_PARAM_LOOP(
+ if (p->pk_bits >= pk_bits) {
+ if (p->bits <= 128)
+ return GNUTLS_DIG_SHA256;
+ else if (p->bits <= 192)
+ return GNUTLS_DIG_SHA384;
+ else
+ return GNUTLS_DIG_SHA512;
+ }
+ );
+ return GNUTLS_DIG_SHA256;
+}
+
 /**
 * gnutls_sec_param_get_name:
 * @param: is a security parameter
@@ -155,7 +173,7 @@ const char *gnutls_sec_param_get_name(gnutls_sec_param_t param)
 GNUTLS_SEC_PARAM_LOOP(
 if (p->sec_param == param) {
- ret = p->name;
+ ret = p->name;
 break;
 }
 );
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 27bef75034..f6372e587b 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
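Review bot: The final `return GNUTLS_DIG_SHA256;` in `_gnutls_pk_bits_to_sha_hash` is reached only when `pk_bits` is larger than every `p->pk_bits` in the table, i.e. for the biggest keys, yet it hands back the weakest digest; `_gnutls_pk_bits_to_subgroup_bits` directly above keeps the last entry's value in that situation, and the new function should follow it, e.g. `return GNUTLS_DIG_SHA512;` (this assumes the table is ordered by increasing `pk_bits`, which the early `break` in the sibling function also appears to rely on — confirm against the table definition, which is outside this hunk). The thresholds 128 and 192 are compared against `p->bits`, not `p->pk_bits`, so a short comment such as `/* security bits <= 128 -> SHA-256, <= 192 -> SHA-384, else SHA-512 */` would stop a future reader from mistaking them for key sizes. The header comment says the function returns a "SHA algorithm size", but it returns a `gnutls_digest_algorithm_t` identifier; `Returns the SHA-2 digest whose security level matches the given public key size, per the NIST key-strength mapping` would be more accurate. The trailing hunk on `gnutls_sec_param_get_name` is a whitespace-only change and needs nothing.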
@@ -1652,7 +1652,7 @@ gnutls_x509_privkey_generate2(gnutls_x509_privkey_t key,
 if (key->params.palgo != GNUTLS_DIG_UNKNOWN)
 key->params.spki.rsa_pss_dig = key->params.palgo;
 else
- key->params.spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
+ key->params.spki.rsa_pss_dig = _gnutls_pk_bits_to_sha_hash(bits);
 me = hash_to_entry(key->params.spki.rsa_pss_dig);
 if (unlikely(me == NULL)) {
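Review bot: The `else` branch silently changes the default RSA-PSS digest for every caller that never set one — with the new lookup a large `bits` request can now yield SHA-384 or SHA-512 where SHA-256 was previously fixed — and nothing in the hunk records that this is intentional; a one-line comment would, e.g. `/* No digest requested: pick the SHA-2 variant whose strength matches the key size (see _gnutls_pk_bits_to_sha_hash). */`. If `bits` can still be 0 at this point (a "use the default size" request resolved later in the function), the lookup runs against 0 and returns the table's first mapping, so it is worth confirming `bits` is already final here; the body of `gnutls_x509_privkey_generate2` both starts and continues outside this hunk.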