Fix GnuTLS 2.x build failure
We can move the algo calculation into a verify_signed_data() function. This
would have been a cleaner way to do it in the first place anyway.

Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Feb 17, 2013
1 parent f836b97 commit d343108
Showing 3 changed files with 21 additions and 23 deletions.
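--- a/gnutls.c
+++ b/gnutls.c
@@ -864,6 +864,22 @@ static int import_openssl_pem(struct openconnect_info *vpninfo,
 return ret;
 }
 
+static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,
+const gnutls_datum_t *data, const gnutls_datum_t *sig)
+{
+#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
+gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
+
+if (privkey != OPENCONNECT_TPM_PKEY)
+algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
+GNUTLS_DIG_SHA1);
+
+return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);
+#else
+return gnutls_pubkey_verify_data(pubkey, 0, data, sig);
+#endif
+}
+
 static int load_certificate(struct openconnect_info *vpninfo)
 {
 gnutls_datum_t fdata;
@@ -1333,8 +1349,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
 match. So sign some dummy data and then check the signature against each
 of the available certificates until we find the right one. */
 if (pkey) {
-gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; // TPM
-
 /* The TPM code may have already signed it, to test authorisation. We
 only sign here for PKCS#11 keys, in which case fdata might be
 empty too so point it at dummy data. */
@@ -1344,7 +1358,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 fdata.size = 20;
 }
 
-err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig, &algo);
+err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig);
 if (err) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Error signing test data with private key: %s\n"),
@@ -1368,7 +1382,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 gnutls_pubkey_deinit(pubkey);
 continue;
 }
-err = gnutls_pubkey_verify_data2(pubkey, algo, 0, &fdata, &pkey_sig);
+err = verify_signed_data(pubkey, pkey, &fdata, &pkey_sig);
 gnutls_pubkey_deinit(pubkey);
 
 if (err >= 0) {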
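Review bot: `verify_signed_data()` passes through the result of two different library calls, while its caller in `load_certificate()` accepts any `err >= 0` as "this certificate matches the key", so both branches must return a negative value on a failed verification. The return convention of `gnutls_pubkey_verify_data()` on the GnuTLS 2.x releases the `#else` branch targets is worth confirming against that version's documentation; if a mismatch can be reported as 0 there, the first certificate tried would be accepted as the match. I would document the contract above the helper, e.g. `/* Returns >= 0 if sig verifies against pubkey, negative GnuTLS error otherwise; privkey only selects the signature algorithm. */`, and normalise the fallback result if needed. `load_certificate()` starts and ends outside the hunks shown.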
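--- a/gnutls.h
+++ b/gnutls.h
@@ -45,16 +45,6 @@ int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,
 
 #endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */
 
-#ifndef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
-static inline int gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
-gnutls_sign_algorithm_t algo,
-unsigned int flags,
-const gnutls_datum_t *data,
-const gnutls_datum_t *sig)
-{
-return gnutls_pubkey_verify_data(pubkey, flags, data, sig);
-}
-#endif /* !HAVE_GNUTLS_PUBKEY_VERIFY_DATA2 */
 
 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
 int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
@@ -74,18 +64,12 @@ int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
 static inline int sign_dummy_data(struct openconnect_info *vpninfo,
 gnutls_privkey_t pkey,
 const gnutls_datum_t *data,
-gnutls_datum_t *sig,
-gnutls_sign_algorithm_t *algo)
+gnutls_datum_t *sig)
 {
 #if defined (HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
-if (pkey == OPENCONNECT_TPM_PKEY) {
-if (algo)
-*algo = GNUTLS_SIGN_RSA_SHA1;
+if (pkey == OPENCONNECT_TPM_PKEY)
 return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
-}
 #endif
-if (algo)
-*algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(pkey, NULL), GNUTLS_DIG_SHA1);
 return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
 }
 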
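Review bot: With the `algo` out-parameter removed from `sign_dummy_data()`, the digest is hard-coded independently here (`GNUTLS_DIG_SHA1` in the `gnutls_privkey_sign_data()` call) and in `verify_signed_data()` in gnutls.c, and nothing ties the two together. If one side is changed later, the key-to-certificate matching in `load_certificate()` would stop finding a match at run time rather than fail to build. I would add a comment on the sign call, e.g. `/* Digest must stay in sync with verify_signed_data() in gnutls.c */`, or define the digest once and use it in both places. The TPM branch presumably has the same coupling through `GNUTLS_SIGN_RSA_SHA1`, but `gtls2_tpm_sign_dummy_data()` is not visible here.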
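--- a/gnutls_tpm.c
+++ b/gnutls_tpm.c
@@ -274,7 +274,7 @@ int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 #endif
 
 retry_sign:
-err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig, NULL);
+err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
 if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
 if (!vpninfo->tpm_key_policy) {
 err = Tspi_Context_CreateObject(vpninfo->tpm_context,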
