From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date: Tue, 6 Dec 2016 00:57:24 +0000 (+0300)
Subject: Support key matching with GOST keys
X-Git-Tag: gnutls_3_6_3~77^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a86c64bb897787282f28126b41104b119df49e47;p=thirdparty%2Fgnutls.git

Support key matching with GOST keys

GOST keys do not support signing non-GOST hashes, so use correct digest
algorithm when verifying that GOST public and private keys match.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
---

diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index 4fb609b2f4..d3777e51ff 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -672,6 +672,7 @@ int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
 {
 	gnutls_datum_t test = {(void*)TEST_TEXT, sizeof(TEST_TEXT)-1};
 	gnutls_datum_t sig = {NULL, 0};
+	gnutls_digest_algorithm_t dig;
 	int pk, pk2, ret;
 	unsigned sign_algo;
 
@@ -700,7 +701,16 @@ int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
 		return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
 	}
 
-	sign_algo = gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256);
+	if (pk == GNUTLS_PK_GOST_01)
+		dig = GNUTLS_DIG_GOSTR_94;
+	else if (pk == GNUTLS_PK_GOST_12_256)
+		dig = GNUTLS_DIG_STREEBOG_256;
+	else if (pk == GNUTLS_PK_GOST_12_512)
+		dig = GNUTLS_DIG_STREEBOG_512;
+	else
+		dig = GNUTLS_DIG_SHA256;
+
+	sign_algo = gnutls_pk_to_sign(pk, dig);
 
 	/* now check if keys really match. We use the sign/verify approach
 	 * because we cannot always obtain the parameters from the abstract