Fix GnuTLS 2.x build failure

We can move the algo calculation into a verify_signed_data() function. This
would have been a cleaner way to do it in the first place anyway.
Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

gnutls.c

@@ -864,6 +864,22 @@ static int import_openssl_pem(struct openconnect_info *vpninfo,
 	return ret;
 }
 
+static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,
+			      const gnutls_datum_t *data, const gnutls_datum_t *sig)
+{
+#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
+	gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
+
+	if (privkey != OPENCONNECT_TPM_PKEY)
+		algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
+					 GNUTLS_DIG_SHA1);
+
+	return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);
+#else
+	return gnutls_pubkey_verify_data(pubkey, 0, data, sig);
+#endif
+}
+
 static int load_certificate(struct openconnect_info *vpninfo)
 {
 	gnutls_datum_t fdata;
@@ -1333,8 +1349,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
 	   match. So sign some dummy data and then check the signature against each
 	   of the available certificates until we find the right one. */
 	if (pkey) {
-		gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; // TPM
-
 		/* The TPM code may have already signed it, to test authorisation. We
 		   only sign here for PKCS#11 keys, in which case fdata might be
 		   empty too so point it at dummy data. */
@@ -1344,7 +1358,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 				fdata.size = 20;
 			}
 
-			err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig, &algo);
+			err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig);
 			if (err) {
 				vpn_progress(vpninfo, PRG_ERR,
 					     _("Error signing test data with private key: %s\n"),
@@ -1368,7 +1382,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 				gnutls_pubkey_deinit(pubkey);
 				continue;
 			}
-			err = gnutls_pubkey_verify_data2(pubkey, algo, 0, &fdata, &pkey_sig);
+			err = verify_signed_data(pubkey, pkey, &fdata, &pkey_sig);
 			gnutls_pubkey_deinit(pubkey);
 
 			if (err >= 0) {

gnutls.h

@@ -45,16 +45,6 @@ int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,
 
 #endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */
 
-#ifndef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
-static inline int gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
-					      gnutls_sign_algorithm_t algo,
-					      unsigned int flags,
-					      const gnutls_datum_t *data,
-					      const gnutls_datum_t *sig)
-{
-	return gnutls_pubkey_verify_data(pubkey, flags, data, sig);
-}
-#endif /* !HAVE_GNUTLS_PUBKEY_VERIFY_DATA2 */
 
 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
 int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
@@ -74,18 +64,12 @@ int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
 static inline int sign_dummy_data(struct openconnect_info *vpninfo,
 				  gnutls_privkey_t pkey,
 				  const gnutls_datum_t *data,
-				  gnutls_datum_t *sig,
-				  gnutls_sign_algorithm_t *algo)
+				  gnutls_datum_t *sig)
 {
 #if defined (HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
-	if (pkey == OPENCONNECT_TPM_PKEY) {
-		if (algo)
-			*algo = GNUTLS_SIGN_RSA_SHA1;
+	if (pkey == OPENCONNECT_TPM_PKEY)
 		return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
-	}
 #endif
-	if (algo)
-		*algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(pkey, NULL), GNUTLS_DIG_SHA1);
 	return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
 }
 

gnutls_tpm.c

@@ -274,7 +274,7 @@ int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 #endif
 
  retry_sign:
-	err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig, NULL);
+	err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
 	if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
 		if (!vpninfo->tpm_key_policy) {
 			err = Tspi_Context_CreateObject(vpninfo->tpm_context,