const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
- gnutls_x509_spki_st * sign_params);
+ gnutls_x509_spki_st * sign_params,
+ unsigned flags);
unsigned pubkey_to_bits(gnutls_pk_params_st * params)
{
return gnutls_assert_val(ret);
ret = pubkey_verify_data(se, data, signature, &pubkey->params,
- ¶ms);
+ ¶ms, flags);
if (ret < 0) {
gnutls_assert();
return ret;
}
- if (gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) {
- _gnutls_debug_log("signature algorithm %s is insecure\n", gnutls_sign_get_name(algo));
- return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
- }
-
return 0;
}
ret = pubkey_verify_hashed_data(se, hash, signature,
&key->params,
- ¶ms);
+ ¶ms, flags);
if (ret < 0) {
gnutls_assert();
return ret;
}
}
- if (algo != GNUTLS_SIGN_UNKNOWN && gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) {
- return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
- }
-
return 0;
}
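Review bot: Moving the insecure-algorithm check into pubkey_verify_hashed_data narrows what this function enforces. The removed check sat after the closing brace of the block that holds the pubkey_verify_hashed_data call, so it also covered whatever other branch precedes that block, which is outside the hunk. If that branch verifies a signature without going through pubkey_verify_hashed_data, a caller-supplied `algo` that is marked insecure is no longer rejected there. Either keep the old test inside that branch, `if (algo != GNUTLS_SIGN_UNKNOWN && gnutls_sign_is_secure(algo) == 0 && _gnutls_is_broken_sig_allowed(algo, flags) == 0) return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);`, or add a comment saying why that path is exempt from the policy.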
const gnutls_datum_t * hash,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
- gnutls_x509_spki_st * sign_params)
+ gnutls_x509_spki_st * sign_params,
+ unsigned flags)
{
const mac_entry_st *me;
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (gnutls_sign_is_secure(se->id) == 0 && _gnutls_is_broken_sig_allowed(se->id, flags) == 0) {
+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
+ }
+
+ return 1;
}
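Review bot: The added check before `return 1;` is only reached by cases that `break` out of the switch, and this hunk shows no `return 1;` removals like the ones made in pubkey_verify_data. The switch body is outside the hunk, so this is unconfirmed, but any case that still ends in `return 1;` would skip the check and report success for a signature made with an algorithm the policy marks insecure. Worth confirming that every success path falls through, and adding a comment above the check such as `/* every successful case must break to here so the algorithm policy is applied */`.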
/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
- gnutls_x509_spki_st * sign_params)
+ gnutls_x509_spki_st * sign_params,
+ unsigned flags)
{
const mac_entry_st *me;
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
- return 1;
break;
case GNUTLS_PK_EDDSA_ED25519:
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
- return 1;
break;
case GNUTLS_PK_EC:
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
- return 1;
break;
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (gnutls_sign_is_secure(se->id) == 0 && _gnutls_is_broken_sig_allowed(se->id, flags) == 0) {
+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
+ }
+
+ return 1;
}
const mac_entry_st *_gnutls_dsa_q_to_hash(const gnutls_pk_params_st *
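Review bot: The rejection at the end of pubkey_verify_data is now silent. The check removed from the caller logged `signature algorithm %s is insecure` before returning, and the replacement returns GNUTLS_E_INSUFFICIENT_SECURITY without it. Keeping `_gnutls_debug_log("signature algorithm %s is insecure\n", gnutls_sign_get_name(se->id));` ahead of the return preserves the diagnostic for anyone investigating a failed verification. The same three-line check is repeated verbatim in pubkey_verify_hashed_data; a small static helper taking `se` and `flags` would keep the two policy checks from drifting apart.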
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_x509_crt_t cert,
- gnutls_x509_crt_t issuer);
+ gnutls_x509_crt_t issuer,
+ unsigned vflags);
/*
* Verifies the given certificate against a certificate list of
&cert_signed_data,
&cert_signature,
cert,
- issuer);
+ issuer, flags);
if (ret == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
MARK_INVALID(GNUTLS_CERT_SIGNATURE_FAILURE);
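Review bot: With `flags` passed down, _gnutls_x509_verify_data can now return GNUTLS_E_INSUFFICIENT_SECURITY, and the only branch visible after the call handles GNUTLS_E_PK_SIG_VERIFY_FAILED. The rest of the if-chain is outside the hunk. It should treat the new code as a failed verification and preferably report it distinctly, e.g. `else if (ret == GNUTLS_E_INSUFFICIENT_SECURITY) MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);`, so callers can tell a weak algorithm from a bad signature. The CRL call site later in the patch compares `result` only against GNUTLS_E_PK_SIG_VERIFY_FAILED in its visible lines and deserves the same look.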
* 'data' is the signed data
* 'signature' is the signature!
*/
-int
+static int
_gnutls_x509_verify_data(gnutls_sign_algorithm_t sign,
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_x509_crt_t cert,
- gnutls_x509_crt_t issuer)
+ gnutls_x509_crt_t issuer,
+ unsigned vflags)
{
gnutls_pk_params_st params;
gnutls_pk_algorithm_t issuer_pk;
}
ret = pubkey_verify_data(se, data, signature, ¶ms,
- &sign_params);
+ &sign_params, vflags);
if (ret < 0) {
gnutls_assert();
}
_gnutls_x509_verify_data(sigalg,
&crl_signed_data, &crl_signature,
NULL,
- issuer);
+ issuer, flags);
if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
gnutls_assert();
/* error. ignore it */