Skip to content
Permalink
Browse files
Fix GnuTLS 2.x build failure
We can move the algo calculation into a verify_signed_data() function. This
would have been a cleaner way to do it in the first place anyway.

Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  • Loading branch information
David Woodhouse authored and David Woodhouse committed Feb 17, 2013
1 parent f836b97 commit d3431088edd3920cc84d716ef23e2445b09c5d43
Showing with 21 additions and 23 deletions.
  1. +18 −4 gnutls.c
  2. +2 −18 gnutls.h
  3. +1 −1 gnutls_tpm.c
@@ -864,6 +864,22 @@ static int import_openssl_pem(struct openconnect_info *vpninfo,
return ret;
}

static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,
const gnutls_datum_t *data, const gnutls_datum_t *sig)
{
#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */

if (privkey != OPENCONNECT_TPM_PKEY)
algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
GNUTLS_DIG_SHA1);

return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);
#else
return gnutls_pubkey_verify_data(pubkey, 0, data, sig);
#endif
}

static int load_certificate(struct openconnect_info *vpninfo)
{
gnutls_datum_t fdata;
@@ -1333,8 +1349,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
match. So sign some dummy data and then check the signature against each
of the available certificates until we find the right one. */
if (pkey) {
gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; // TPM

/* The TPM code may have already signed it, to test authorisation. We
only sign here for PKCS#11 keys, in which case fdata might be
empty too so point it at dummy data. */
@@ -1344,7 +1358,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
fdata.size = 20;
}

err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig, &algo);
err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Error signing test data with private key: %s\n"),
@@ -1368,7 +1382,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
gnutls_pubkey_deinit(pubkey);
continue;
}
err = gnutls_pubkey_verify_data2(pubkey, algo, 0, &fdata, &pkey_sig);
err = verify_signed_data(pubkey, pkey, &fdata, &pkey_sig);
gnutls_pubkey_deinit(pubkey);

if (err >= 0) {
@@ -45,16 +45,6 @@ int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,

#endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */

#ifndef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
static inline int gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
gnutls_sign_algorithm_t algo,
unsigned int flags,
const gnutls_datum_t *data,
const gnutls_datum_t *sig)
{
return gnutls_pubkey_verify_data(pubkey, flags, data, sig);
}
#endif /* !HAVE_GNUTLS_PUBKEY_VERIFY_DATA2 */

#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
@@ -74,18 +64,12 @@ int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
static inline int sign_dummy_data(struct openconnect_info *vpninfo,
gnutls_privkey_t pkey,
const gnutls_datum_t *data,
gnutls_datum_t *sig,
gnutls_sign_algorithm_t *algo)
gnutls_datum_t *sig)
{
#if defined (HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
if (pkey == OPENCONNECT_TPM_PKEY) {
if (algo)
*algo = GNUTLS_SIGN_RSA_SHA1;
if (pkey == OPENCONNECT_TPM_PKEY)
return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
}
#endif
if (algo)
*algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(pkey, NULL), GNUTLS_DIG_SHA1);
return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
}

@@ -274,7 +274,7 @@ int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
#endif

retry_sign:
err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig, NULL);
err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
if (!vpninfo->tpm_key_policy) {
err = Tspi_Context_CreateObject(vpninfo->tpm_context,

0 comments on commit d343108

Please sign in to comment.