From: Dmitry Eremin-Solenikov Date: Mon, 9 Jul 2018 11:02:14 +0000 (+0300) Subject: lib: remove undefined behaviour when handling GOST paramset X-Git-Tag: gnutls_3_6_3~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=025abe3d3693ebdbd55d8a0c8953eaebe8c4b87e;p=thirdparty%2Fgnutls.git lib: remove undefined behaviour when handling GOST paramset Initial version of GOST patchset used param < 0 to represent unknown value. Later special enum entry GNUTLS_GOST_PARAMSET_UNKNOWN was introduced. Fix several leftovers comparing params to 0 directly. Closes #505. Signed-off-by: Dmitry Eremin-Solenikov --- diff --git a/lib/pk.c b/lib/pk.c index b4db8033e0..b395f1741a 100644 --- a/lib/pk.c +++ b/lib/pk.c @@ -459,6 +459,17 @@ gnutls_pk_algorithm_t _gnutls_digest_gost(gnutls_digest_algorithm_t digest) return GNUTLS_PK_UNKNOWN; } +gnutls_gost_paramset_t _gnutls_gost_paramset_default(gnutls_pk_algorithm_t pk) +{ + if (pk == GNUTLS_PK_GOST_01) + return GNUTLS_GOST_PARAMSET_CP_A; + else if (pk == GNUTLS_PK_GOST_12_256 || + pk == GNUTLS_PK_GOST_12_512) + return GNUTLS_GOST_PARAMSET_TC26_Z; + else + return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); +} + /* some generic pk functions */ int _gnutls_pk_params_copy(gnutls_pk_params_st * dst, diff --git a/lib/pk.h b/lib/pk.h index 1203c9ed1b..c365eece20 100644 --- a/lib/pk.h +++ b/lib/pk.h @@ -79,6 +79,7 @@ _gnutls_decode_gost_rs(const gnutls_datum_t * sig_value, bigint_t * r, gnutls_digest_algorithm_t _gnutls_gost_digest(gnutls_pk_algorithm_t pk); gnutls_pk_algorithm_t _gnutls_digest_gost(gnutls_digest_algorithm_t digest); +gnutls_gost_paramset_t _gnutls_gost_paramset_default(gnutls_pk_algorithm_t pk); int encode_ber_digest_info(const mac_entry_st * e, diff --git a/lib/pubkey.c b/lib/pubkey.c index 7c9b6da5f8..1eae075937 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c 
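Review bot: `_gnutls_gost_paramset_default` in lib/pk.c is added without a comment, although its `else` branch returns the sentinel `GNUTLS_GOST_PARAMSET_UNKNOWN` rather than a usable parameter set, so every caller has to check the result. I would state that contract above the definition, e.g. `/* Default GOST parameter set for pk; returns GNUTLS_GOST_PARAMSET_UNKNOWN (after asserting) when pk is not a GOST algorithm, so callers must check the result. */`. The function is fully visible in the hunk.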
@@ -1560,12 +1560,8 @@ gnutls_pubkey_import_gost_raw(gnutls_pubkey_t key, if (pk_algo == GNUTLS_PK_UNKNOWN) return GNUTLS_E_ILLEGAL_PARAMETER; - if (paramset < 0) { - if (pk_algo == GNUTLS_PK_GOST_01) - paramset = GNUTLS_GOST_PARAMSET_CP_A; - else - paramset = GNUTLS_GOST_PARAMSET_TC26_Z; - } + if (paramset == GNUTLS_GOST_PARAMSET_UNKNOWN) + paramset = _gnutls_gost_paramset_default(pk_algo); gnutls_pk_params_release(&key->params); gnutls_pk_params_init(&key->params); diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c index b1df8aaab3..9d67f1b3d5 100644 --- a/lib/x509/key_decode.c +++ b/lib/x509/key_decode.c @@ -503,7 +503,7 @@ _gnutls_x509_read_gost_params(uint8_t * der, int dersize, if (ret != ASN1_ELEMENT_NOT_FOUND) param = gnutls_oid_to_gost_paramset(oid); - if (param < 0) { + if (param == GNUTLS_GOST_PARAMSET_UNKNOWN) { gnutls_assert(); ret = param; goto cleanup; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index eea0b28b14..96465cf763 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -1207,17 +1207,14 @@ gnutls_x509_privkey_import_gost_raw(gnutls_x509_privkey_t key, return GNUTLS_E_INVALID_REQUEST; } - if (paramset < 0) { - if (digest == GNUTLS_DIG_GOSTR_94) - paramset = GNUTLS_GOST_PARAMSET_CP_A; - else - paramset = GNUTLS_GOST_PARAMSET_TC26_Z; - } - key->params.curve = curve; - key->params.gost_params = paramset; key->params.algo = _gnutls_digest_gost(digest); + if (paramset == GNUTLS_GOST_PARAMSET_UNKNOWN) + paramset = _gnutls_gost_paramset_default(key->params.algo); + + key->params.gost_params = paramset; + if (_gnutls_mpi_init_scan_nz (&key->params.params[GOST_X], x->data, x->size)) { gnutls_assert();
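Review bot: In the lib/x509/key_decode.c hunk, `ret = param;` is kept inside the rewritten `if (param == GNUTLS_GOST_PARAMSET_UNKNOWN)` branch, so the function now reports the enum sentinel as its status. That assignment produced an error code only while "unknown" was represented by `param < 0`, as the commit message describes. Unless the sentinel happens to be a negative value, a key whose parameter-set OID is not recognised leaves through `cleanup` with a non-error return, and the caller may treat the parse as successful. Set an explicit error instead, for example `ret = GNUTLS_E_ILLEGAL_PARAMETER;`. `_gnutls_x509_read_gost_params` starts and ends outside the hunk, so how `ret` is used after `cleanup` should be confirmed.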
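Review bot: In the lib/x509/privkey.c hunk, the result of `_gnutls_gost_paramset_default(key->params.algo)` is stored in `key->params.gost_params` without being checked. `key->params.algo` comes from `_gnutls_digest_gost(digest)`, which can return `GNUTLS_PK_UNKNOWN`, and the new helper then returns `GNUTLS_GOST_PARAMSET_UNKNOWN`. The old code fell back to `GNUTLS_GOST_PARAMSET_TC26_Z` for any digest other than GOSTR_94. The lib/pubkey.c hunk is protected by its `pk_algo == GNUTLS_PK_UNKNOWN` check, but no equivalent check is visible here. Unless `digest` is validated earlier in `gnutls_x509_privkey_import_gost_raw`, which starts and ends outside the hunk, add a guard after the default lookup such as `if (paramset == GNUTLS_GOST_PARAMSET_UNKNOWN) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);`, placed before `key->params` is modified.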