Commit d3431088 authored by David Woodhouse

Fix GnuTLS 2.x build failure

We can move the algo calculation into a verify_signed_data() function. This
would have been a cleaner way to do it in the first place anyway.
Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
parent f836b973
......@@ -864,6 +864,22 @@ static int import_openssl_pem(struct openconnect_info *vpninfo,
return ret;
}
static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,
const gnutls_datum_t *data, const gnutls_datum_t *sig)
{
#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
if (privkey != OPENCONNECT_TPM_PKEY)
algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
GNUTLS_DIG_SHA1);
return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);
#else
return gnutls_pubkey_verify_data(pubkey, 0, data, sig);
#endif
}
static int load_certificate(struct openconnect_info *vpninfo)
{
gnutls_datum_t fdata;
......@@ -1333,8 +1349,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
match. So sign some dummy data and then check the signature against each
of the available certificates until we find the right one. */
if (pkey) {
gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; // TPM
/* The TPM code may have already signed it, to test authorisation. We
only sign here for PKCS#11 keys, in which case fdata might be
empty too so point it at dummy data. */
......@@ -1344,7 +1358,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
fdata.size = 20;
}
err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig, &algo);
err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Error signing test data with private key: %s\n"),
......@@ -1368,7 +1382,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
gnutls_pubkey_deinit(pubkey);
continue;
}
err = gnutls_pubkey_verify_data2(pubkey, algo, 0, &fdata, &pkey_sig);
err = verify_signed_data(pubkey, pkey, &fdata, &pkey_sig);
gnutls_pubkey_deinit(pubkey);
if (err >= 0) {
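Review bot: In verify_signed_data(), the result of `gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL), GNUTLS_DIG_SHA1)` goes to gnutls_pubkey_verify_data2() unchecked, although gnutls_privkey_get_pk_algorithm() can return a negative error and gnutls_pk_to_sign() can return GNUTLS_SIGN_UNKNOWN. In that case every candidate certificate in the matching loop of load_certificate() would presumably fail verification, and the user would see a key/certificate mismatch rather than the real cause. Adding `if (algo == GNUTLS_SIGN_UNKNOWN) return GNUTLS_E_UNKNOWN_PK_ALGORITHM;` before the verify call keeps the failure closed and makes it diagnosable. The `privkey` parameter is also unused in the `#else` branch, so `(void)privkey;` there would avoid an unused-parameter warning on GnuTLS 2.x builds. load_certificate() continues outside the visible hunks.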
......
......@@ -45,16 +45,6 @@ int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,
#endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */
#ifndef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
static inline int gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
gnutls_sign_algorithm_t algo,
unsigned int flags,
const gnutls_datum_t *data,
const gnutls_datum_t *sig)
{
return gnutls_pubkey_verify_data(pubkey, flags, data, sig);
}
#endif /* !HAVE_GNUTLS_PUBKEY_VERIFY_DATA2 */
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
......@@ -74,18 +64,12 @@ int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
static inline int sign_dummy_data(struct openconnect_info *vpninfo,
gnutls_privkey_t pkey,
const gnutls_datum_t *data,
gnutls_datum_t *sig,
gnutls_sign_algorithm_t *algo)
gnutls_datum_t *sig)
{
#if defined (HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
if (pkey == OPENCONNECT_TPM_PKEY) {
if (algo)
*algo = GNUTLS_SIGN_RSA_SHA1;
if (pkey == OPENCONNECT_TPM_PKEY)
return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
}
#endif
if (algo)
*algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(pkey, NULL), GNUTLS_DIG_SHA1);
return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
}
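Review bot: sign_dummy_data() still hard-codes `GNUTLS_DIG_SHA1`, and after this change the matching digest is chosen independently in verify_signed_data() in another file, so the two can drift apart without a compile error. A comment here such as `/* Test signature only; digest must match the one verify_signed_data() uses */`, or a shared macro for the digest used at both sites, would keep them in step. Because SHA-1 is fixed at both ends, a GnuTLS build or system policy that rejects SHA-1 signatures would presumably make this key/certificate self-check fail for every certificate. That limitation is worth stating in the same comment.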
......
......@@ -274,7 +274,7 @@ int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
#endif
retry_sign:
err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig, NULL);
err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
if (!vpninfo->tpm_key_policy) {
err = Tspi_Context_CreateObject(vpninfo->tpm_context,
......