]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Use ASN1_NULL when writing parameters for RSA signatures. This makes us comply with...
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 5 Dec 2010 15:33:01 +0000 (16:33 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 5 Dec 2010 16:05:54 +0000 (17:05 +0100)
NEWS
lib/gnutls_sig.c
lib/x509/common.c
lib/x509/common.h
lib/x509/mpi.c
lib/x509/sign.c
lib/x509/verify.c

diff --git a/NEWS b/NEWS
index 3bdd35c5a19813bf1c239ca961076e4ec59743d4..132af9d08ec1fa36abb92cfe707fa2c4f1358ab8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
 
 * Version 2.11.6 (unreleased)
 
+** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. 
+This makes us comply with RFC3279. Reported by Michael Rommel.
+
 ** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
 
 ** API and ABI modifications:
index 13ad46aa0746b7cdafee16cb5cc1534cd8e76bae..165a6dc03a93b4a8b88751531cd6f9b274d22d17 100644 (file)
@@ -40,6 +40,7 @@
 #include <libtasn1.h>
 #include <ext_signature.h>
 #include <gnutls_state.h>
+#include <x509/common.h>
 
 static int
 _gnutls_tls_sign (gnutls_session_t session,
@@ -90,7 +91,7 @@ _gnutls_rsa_encode_sig (gnutls_mac_algorithm_t algo,
 
   /* Use NULL parameters. */
   if ((result = asn1_write_value (di, "digestAlgorithm.parameters",
-                                 "\x05\x00", 2)) != ASN1_SUCCESS)
+                                 ASN1_NULL, ASN1_NULL_SIZE)) != ASN1_SUCCESS)
     {
       gnutls_assert ();
       asn1_delete_structure (&di);
index 44b852827c8f0fd8642f124e2753958caf2b7f5a..c90b4e2d5e7e81b2808c570a7fe6f8811038788d 100644 (file)
@@ -1226,7 +1226,7 @@ _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst,
       _asnstr_append_name (name, sizeof (name), dst_name,
                           ".algorithm.parameters");
 
-      result = asn1_write_value (dst, name, NULL, 0);
+      result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
       if (result != ASN1_SUCCESS)
        {
          gnutls_assert ();
index c6c2406c569559ed7783049d970fe3cf45218a32..62468248ca6aab64325f7c91ec437d643b1a1107 100644 (file)
@@ -64,6 +64,9 @@
 #define SIG_GOST_R3410_94_OID "1.2.643.2.2.4"
 #define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3"
 
+#define ASN1_NULL "\x05\x00"
+#define ASN1_NULL_SIZE 2
+
 int _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim);
 
 int _gnutls_x509_decode_octet_string (const char *string_type,
index 2ce6a53ef78ee96dced1e7c9353fe27e40e43b3f..4b1aa169edf191a6f54d08a7fbd60b6f59c909fa 100644 (file)
@@ -456,7 +456,10 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name,
   _gnutls_str_cpy (name, sizeof (name), dst_name);
   _gnutls_str_cat (name, sizeof (name), ".parameters");
 
-  result = asn1_write_value (dst, name, NULL, 0);
+  if (pk_algorithm == GNUTLS_PK_RSA)
+    result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE);
+  else
+    result = asn1_write_value (dst, name, NULL, 0);
 
   if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
     {
index cab6c046d25db3dd80fde71530f76339aea7c88f..1151300c6c1fac2a10f324ee8deee992b7748dc9 100644 (file)
@@ -86,7 +86,7 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
      Regardless of what is correct, this appears to be what most
      implementations do.  */
   result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
-                            "\x05\x00", 2);
+                            ASN1_NULL, ASN1_NULL_SIZE);
   if (result != ASN1_SUCCESS)
     {
       gnutls_assert ();
index c845e6fae28a954407b5fb8bc69cff60c3e94923..e7cdc74526ca02881236d9d44fd41d431225716d 100644 (file)
@@ -684,8 +684,8 @@ decode_ber_digest_info (const gnutls_datum_t * info,
   /* To avoid permitting garbage in the parameters field, either the
      parameters field is not present, or it contains 0x05 0x00. */
   if (!(result == ASN1_ELEMENT_NOT_FOUND ||
-       (result == ASN1_SUCCESS && len == 2 &&
-        str[0] == 0x05 && str[1] == 0x00)))
+       (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
+        memcmp(str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
     {
       gnutls_assert ();
       asn1_delete_structure (&dinfo);