Diffstat (limited to 'meta/recipes-support/gnutls/gnutls/CVE-2015-0282-GNUTLS-SA-2015-1.patch')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2015-0282-GNUTLS-SA-2015-1.patch | 487 |
1 files changed, 487 insertions, 0 deletions
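--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2015-0282-GNUTLS-SA-2015-1.patch
@@ -0,0 +1,487 @@
+From d326f81daed5a1a06476d66a81584f8c7b71141d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 23 Feb 2015 10:03:47 +0100
+Subject: [PATCH] Added fix for GNUTLS-SA-2015-1
+
+Fixes CVE-2015-0282.
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+lib/gnutls_algorithms.c | 8 +++++
+lib/gnutls_algorithms.h | 1 +
+lib/gnutls_pubkey.c | 4 +--
+lib/gnutls_sig.c | 14 +++++----
+lib/x509/common.h | 2 +-
+lib/x509/crq.c | 49 ++++++++++++++++++++++++++++++-
+lib/x509/privkey.c | 3 +-
+lib/x509/verify.c | 77 ++++++++++++++++++++++++++++++++-----------------
+lib/x509/x509.c | 4 +--
+lib/x509/x509_int.h | 7 +++--
+10 files changed, 127 insertions(+), 42 deletions(-)
+
+diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
+index 9ce73ce..b46f6f2 100644
+--- a/lib/gnutls_algorithms.c
++++ b/lib/gnutls_algorithms.c
+@@ -2056,6 +2056,14 @@ gnutls_sign_get_name (gnutls_sign_algorithm_t algorithm)
+return ret;
+}
+
++int
++_gnutls_sign_get_hash (gnutls_sign_algorithm_t algorithm)
++{
++ GNUTLS_SIGN_LOOP (if (p->id == algorithm) return p->mac);
++
++ return GNUTLS_MAC_UNKNOWN;
++}
++
+gnutls_sign_algorithm_t
+_gnutls_x509_oid2sign_algorithm (const char *oid)
+{
+diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
+index ac2ec71..8fa0fcb 100644
+--- a/lib/gnutls_algorithms.h
++++ b/lib/gnutls_algorithms.h
+@@ -105,6 +105,7 @@ enum encipher_type
+enum encipher_type _gnutls_kx_encipher_type (gnutls_kx_algorithm_t algorithm);
+
+/* Functions for sign algorithms. */
++int _gnutls_sign_get_hash (gnutls_sign_algorithm_t algorithm);
+gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm (const char *oid);
+gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk,
+gnutls_mac_algorithm_t mac);
+diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
+index dc4f545..8b50647 100644
+--- a/lib/gnutls_pubkey.c
++++ b/lib/gnutls_pubkey.c
+@@ -1048,7 +1048,7 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags,
+return GNUTLS_E_INVALID_REQUEST;
+}
+
+- ret = pubkey_verify_sig( data, NULL, signature, pubkey->pk_algorithm,
++ ret = pubkey_verify_sig(GNUTLS_MAC_UNKNOWN, data, NULL, signature, pubkey->pk_algorithm,
+pubkey->params, pubkey->params_size);
+if (ret < 0)
+{
+@@ -1086,7 +1086,7 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags,
+}
+
+ret =
+- pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
++ pubkey_verify_sig (GNUTLS_MAC_UNKNOWN, NULL, hash, signature, key->pk_algorithm,
+key->params, key->params_size);
+
+return ret;
+diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
+index a2f38e5..9542925 100644
+--- a/lib/gnutls_sig.c
++++ b/lib/gnutls_sig.c
+@@ -273,7 +273,8 @@ static int
+verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert * cert,
+const gnutls_datum_t * hash_concat,
+gnutls_datum_t * signature, size_t sha1pos,
+- gnutls_pk_algorithm_t pk_algo)
++ gnutls_pk_algorithm_t pk_algo,
++ int hashalg)
+{
+int ret;
+gnutls_datum_t vdata;
+@@ -309,7 +310,7 @@ verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert *
+ret = _gnutls_rsa_verify (&vdata, signature, cert->params,
+cert->params_size, 1);
+else
+- ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
++ ret = pubkey_verify_sig(hashalg, NULL, &vdata, signature, pk_algo,
+cert->params, cert->params_size);
+
+if (ret < 0)
+@@ -324,7 +325,7 @@ verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert *
+vdata.data = &hash_concat->data[sha1pos];
+vdata.size = hash_concat->size - sha1pos;
+
+- ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
++ ret = pubkey_verify_sig(hashalg, NULL, &vdata, signature, pk_algo,
+cert->params, cert->params_size);
+/* verify signature */
+if (ret < 0)
+@@ -428,7 +429,8 @@ _gnutls_handshake_verify_data (gnutls_session_t session, gnutls_cert * cert,
+ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
+dconcat.size -
+_gnutls_hash_get_algo_len (hash_algo),
+- _gnutls_sign_get_pk_algorithm (algo));
++ _gnutls_sign_get_pk_algorithm (algo),
++ hash_algo);
+if (ret < 0)
+{
+gnutls_assert ();
+@@ -491,7 +493,7 @@ _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t session,
+
+ret =
+verify_tls_hash (session, ver, cert, &dconcat, signature, 0,
+- cert->subject_pk_algorithm);
++ cert->subject_pk_algorithm, hash_algo);
+if (ret < 0)
+{
+gnutls_assert ();
+@@ -582,7 +584,7 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
+
+ret =
+verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
+- cert->subject_pk_algorithm);
++ cert->subject_pk_algorithm, GNUTLS_MAC_UNKNOWN);
+if (ret < 0)
+{
+gnutls_assert ();
+diff --git a/lib/x509/common.h b/lib/x509/common.h
+index 5cc6a10..561e31c 100644
+--- a/lib/x509/common.h
++++ b/lib/x509/common.h
+@@ -151,7 +151,7 @@ int _gnutls_get_key_id (gnutls_pk_algorithm_t pk, bigint_t * params,
+void _asnstr_append_name (char *name, size_t name_size, const char *part1,
+const char *part2);
+
+-int pubkey_verify_sig (const gnutls_datum_t * tbs,
++int pubkey_verify_sig (int hashalg, const gnutls_datum_t * tbs,
+const gnutls_datum_t * hash,
+const gnutls_datum_t * signature,
+gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
+diff --git a/lib/x509/crq.c b/lib/x509/crq.c
+index ed0f844..e0d3346 100644
+--- a/lib/x509/crq.c
++++ b/lib/x509/crq.c
+@@ -2540,6 +2540,7 @@ gnutls_datum data = { NULL, 0 };
+gnutls_datum signature = { NULL, 0 };
+bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
+int ret, params_size = 0, i;
++int hashalg, sigalg;
+
+ret =
+_gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
+@@ -2565,7 +2566,10 @@ int ret, params_size = 0, i;
+goto cleanup;
+}
+
+- ret = pubkey_verify_sig(&data, NULL, &signature,
++ sigalg = gnutls_x509_crq_get_signature_algorithm (crq);
++ hashalg = _gnutls_sign_get_hash(sigalg);
++
++ ret = pubkey_verify_sig(hashalg, &data, NULL, &signature,
+gnutls_x509_crq_get_pk_algorithm (crq, NULL),
+params, params_size);
+if (ret < 0)
+@@ -2588,5 +2592,48 @@ cleanup:
+return ret;
+}
+
++/**
++ * gnutls_x509_crq_get_signature_algorithm:
++ * @crl: should contain a #gnutls_x509_crl_t structure
++ *
++ * This function will return a value of the #gnutls_sign_algorithm_t
++ * enumeration that is the signature algorithm.
++ *
++ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
++ * negative error value.
++ **/
++int
++gnutls_x509_crq_get_signature_algorithm (gnutls_x509_crq_t crq)
++{
++ int result;
++ gnutls_datum_t sa;
++
++ if (crq == NULL)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_INVALID_REQUEST;
++ }
++
++ /* Read the signature algorithm. Note that parameters are not
++ * read. They will be read from the issuer's certificate if needed.
++ */
++
++ result =
++ _gnutls_x509_read_value (crq->crq, "signatureAlgorithm.algorithm",
++ &sa, 0);
++
++ if (result < 0)
++ {
++ gnutls_assert ();
++ return result;
++ }
++
++ result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data);
++
++ _gnutls_free_datum (&sa);
++
++ return result;
++}
++
+#endif /* ENABLE_PKI */
+
+diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
+index 41e6587..7f477a1 100644
+--- a/lib/x509/privkey.c
++++ b/lib/x509/privkey.c
+@@ -1828,7 +1828,8 @@ gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key,
+return GNUTLS_E_INVALID_REQUEST;
+}
+
+- result = _gnutls_x509_privkey_verify_signature (data, signature, key);
++ result = _gnutls_x509_privkey_verify_signature (GNUTLS_MAC_UNKNOWN, data, signature, key);
++
+if (result < 0)
+{
+gnutls_assert ();
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index eef85a8..ba4fdcd 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -332,6 +332,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+gnutls_datum_t cert_signature = { NULL, 0 };
+gnutls_x509_crt_t issuer = NULL;
+int issuer_version, result = 0;
++ int sigalg, hashalg;
+
+if (output)
+*output = 0;
+@@ -399,8 +400,18 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+goto cleanup;
+}
+
++ sigalg = gnutls_x509_crt_get_signature_algorithm (cert);
++ hashalg = _gnutls_sign_get_hash(sigalg);
++
++ if (hashalg == GNUTLS_MAC_UNKNOWN)
++ {
++ gnutls_assert();
++ result = 0;
++ goto cleanup;
++ }
++
+result =
+- _gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature,
++ _gnutls_x509_verify_signature (hashalg, &cert_signed_data, NULL, &cert_signature,
+issuer);
+if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
+{
+@@ -423,10 +434,6 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+*/
+if (is_issuer (cert, cert) == 0)
+{
+- int sigalg;
+-
+- sigalg = gnutls_x509_crt_get_signature_algorithm (cert);
+-
+if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
+!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
+((sigalg == GNUTLS_SIGN_RSA_MD5) &&
+@@ -750,12 +757,12 @@ decode_ber_digest_info (const gnutls_datum_t * info,
+* params[1] is public key
+*/
+static int
+-_pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
+- const gnutls_datum_t * prehash,
+- const gnutls_datum_t * signature, bigint_t * params,
+- int params_len)
++_pkcs1_rsa_verify_sig (gnutls_mac_algorithm_t hash, const gnutls_datum_t * text,
++ const gnutls_datum_t * prehash,
++ const gnutls_datum_t * signature, bigint_t * params,
++ int params_len)
+{
+- gnutls_mac_algorithm_t hash = GNUTLS_MAC_UNKNOWN;
++ gnutls_mac_algorithm_t phash = GNUTLS_MAC_UNKNOWN;
+int ret;
+opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE], *cmp;
+int digest_size;
+@@ -775,7 +782,7 @@ _pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
+
+digest_size = sizeof (digest);
+if ((ret =
+- decode_ber_digest_info (&decrypted, &hash, digest, &digest_size)) != 0)
++ decode_ber_digest_info (&decrypted, &phash, digest, &digest_size)) != 0)
+{
+gnutls_assert ();
+_gnutls_free_datum (&decrypted);
+@@ -784,6 +791,15 @@ _pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
+
+_gnutls_free_datum (&decrypted);
+
++ if (hash != GNUTLS_MAC_UNKNOWN && hash != phash)
++ {
++ gnutls_assert();
++ return GNUTLS_E_PK_SIG_VERIFY_FAILED;
++ }
++ else
++ hash = phash;
++
++
+if (digest_size != _gnutls_hash_get_algo_len (hash))
+{
+gnutls_assert ();
+@@ -879,11 +895,11 @@ dsa_verify_sig (const gnutls_datum_t * text,
+* not verified, or 1 otherwise.
+*/
+int
+-pubkey_verify_sig (const gnutls_datum_t * tbs,
+- const gnutls_datum_t * hash,
+- const gnutls_datum_t * signature,
+- gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
+- int issuer_params_size)
++pubkey_verify_sig (int hashalg, const gnutls_datum_t * tbs,
++ const gnutls_datum_t * hash,
++ const gnutls_datum_t * signature,
++ gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
++ int issuer_params_size)
+{
+
+switch (pk)
+@@ -891,7 +907,7 @@ pubkey_verify_sig (const gnutls_datum_t * tbs,
+case GNUTLS_PK_RSA:
+
+if (_pkcs1_rsa_verify_sig
+- (tbs, hash, signature, issuer_params, issuer_params_size) != 0)
++ (hashalg, tbs, hash, signature, issuer_params, issuer_params_size) != 0)
+{
+gnutls_assert ();
+return GNUTLS_E_PK_SIG_VERIFY_FAILED;
+@@ -1022,7 +1038,7 @@ cleanup:
+* 'signature' is the signature!
+*/
+int
+-_gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
++_gnutls_x509_verify_signature (int hashalg, const gnutls_datum_t * tbs,
+const gnutls_datum_t * hash,
+const gnutls_datum_t * signature,
+gnutls_x509_crt_t issuer)
+@@ -1042,7 +1058,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
+}
+
+ret =
+- pubkey_verify_sig (tbs, hash, signature,
++ pubkey_verify_sig (hashalg, tbs, hash, signature,
+gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
+issuer_params, issuer_params_size);
+if (ret < 0)
+@@ -1067,13 +1083,13 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
+* 'signature' is the signature!
+*/
+int
+-_gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
++_gnutls_x509_privkey_verify_signature (int hashalg, const gnutls_datum_t * tbs,
+const gnutls_datum_t * signature,
+gnutls_x509_privkey_t issuer)
+{
+int ret;
+
+- ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
++ ret = pubkey_verify_sig (hashalg, tbs, NULL, signature, issuer->pk_algorithm,
+issuer->params, issuer->params_size);
+if (ret < 0)
+{
+@@ -1294,6 +1310,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+gnutls_datum_t crl_signature = { NULL, 0 };
+gnutls_x509_crt_t issuer;
+int result;
++ int sigalg, hashalg;
+
+if (output)
+*output = 0;
+@@ -1335,6 +1352,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+if (result < 0)
+{
+gnutls_assert ();
++ result = 0;
+goto cleanup;
+}
+
+@@ -1342,11 +1360,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+if (result < 0)
+{
+gnutls_assert ();
++ result = 0;
++ goto cleanup;
++ }
++
++ sigalg = gnutls_x509_crl_get_signature_algorithm (crl);
++ hashalg = _gnutls_sign_get_hash(sigalg);
++ if (hashalg == GNUTLS_MAC_UNKNOWN)
++ {
++ gnutls_assert();
++ result = 0;
+goto cleanup;
+}
+
+result =
+- _gnutls_x509_verify_signature (&crl_signed_data, NULL, &crl_signature,
++ _gnutls_x509_verify_signature (hashalg, &crl_signed_data, NULL, &crl_signature,
+issuer);
+if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
+{
+@@ -1359,14 +1387,11 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
+else if (result < 0)
+{
+gnutls_assert ();
++ result = 0;
+goto cleanup;
+}
+
+{
+- int sigalg;
+-
+- sigalg = gnutls_x509_crl_get_signature_algorithm (crl);
+-
+if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
+!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
+((sigalg == GNUTLS_SIGN_RSA_MD5) &&
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index f51ba3b..d12d44e 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -2714,7 +2714,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags,
+return GNUTLS_E_INVALID_REQUEST;
+}
+
+- result = _gnutls_x509_verify_signature (data, NULL, signature, crt);
++ result = _gnutls_x509_verify_signature (GNUTLS_MAC_UNKNOWN, data, NULL, signature, crt);
+if (result < 0)
+{
+gnutls_assert ();
+@@ -2752,7 +2752,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags,
+return GNUTLS_E_INVALID_REQUEST;
+}
+
+- result = _gnutls_x509_verify_signature (NULL, hash, signature, crt);
++ result = _gnutls_x509_verify_signature (GNUTLS_MAC_UNKNOWN, NULL, hash, signature, crt);
+if (result < 0)
+{
+gnutls_assert ();
+diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
+index 1b3cfe5..eed56a9 100644
+--- a/lib/x509/x509_int.h
++++ b/lib/x509/x509_int.h
+@@ -187,11 +187,11 @@ _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
+bigint_t * issuer_params,
+unsigned int issuer_params_size);
+
+-int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
++int _gnutls_x509_verify_signature (int sigalg, const gnutls_datum_t * tbs,
+const gnutls_datum_t * hash,
+const gnutls_datum_t * signature,
+gnutls_x509_crt_t issuer);
+-int _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
++int _gnutls_x509_privkey_verify_signature (int sigalg, const gnutls_datum_t * tbs,
+const gnutls_datum_t * signature,
+gnutls_x509_privkey_t issuer);
+
+@@ -390,5 +390,6 @@ int _gnutls_x509_crq_set_extension (gnutls_x509_crq_t crq,
+const char *ext_id,
+const gnutls_datum_t * ext_data,
+unsigned int critical);
+-
++int
++gnutls_x509_crq_get_signature_algorithm (gnutls_x509_crq_t crq);
+#endif
+--
+1.9.1
+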
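Review bot: In the lib/x509/crq.c hunk of the backported patch, the request-verification path computes `hashalg = _gnutls_sign_get_hash(sigalg)` and hands it straight to `pubkey_verify_sig`, without the `hashalg == GNUTLS_MAC_UNKNOWN` guard that the same patch adds in `_gnutls_verify_certificate2` and `_gnutls_verify_crl2`. Because `_pkcs1_rsa_verify_sig` enforces the match only when `hash != GNUTLS_MAC_UNKNOWN`, a request whose signature OID is unreadable or unrecognised (including a negative error return from `gnutls_x509_crq_get_signature_algorithm`) falls back to accepting whatever digest the signature's own DigestInfo names, which is the behaviour CVE-2015-0282 is meant to remove. I would add `if (hashalg == GNUTLS_MAC_UNKNOWN) { gnutls_assert (); ret = GNUTLS_E_PK_SIG_VERIFY_FAILED; goto cleanup; }` before the call; the enclosing function starts and ends outside the hunk, so the `cleanup` path should be confirmed to release `data` and `signature` from there. Separately, the new doc comment names `@crl` / `#gnutls_x509_crl_t` and promises `%GNUTLS_E_SUCCESS` although the function takes a `crq` and returns a sign-algorithm id, and the x509_int.h prototypes call the first parameter `sigalg` while the definitions expect a hash (`hashalg`), which invites a caller to pass the wrong enum.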