lib: pubkey vs TLS signature compatibility for GOST algorithms
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Thu, 21 Jun 2018 16:34:45 +0000 (19:34 +0300)
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fri, 18 Oct 2019 12:04:10 +0000 (15:04 +0300)
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
lib/pubkey.c

index 74d19d8b39b896e7118455b9e705429a2920cb55..3b4d7f90036bbaa262eb4b72a4ab18e2d8a0fb5f 100644 (file)
@@ -1972,6 +1972,19 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session,
                                                  hash_size);
                }
 
+       } else if (pubkey->params.algo == GNUTLS_PK_GOST_01 ||
+                  pubkey->params.algo == GNUTLS_PK_GOST_12_256 ||
+                  pubkey->params.algo == GNUTLS_PK_GOST_12_512) {
+               if (_gnutls_version_has_selectable_sighash(ver)
+                   && se != NULL) {
+                       if (_gnutls_gost_digest(pubkey->params.algo) != se->hash) {
+                               _gnutls_audit_log(session,
+                                                 "The hash algo used in signature (%u) is not expected (%u)\n",
+                                                 se->hash, _gnutls_gost_digest(pubkey->params.algo));
+                               return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
+                       }
+               }
+
        } else if (pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
                if (!_gnutls_version_has_selectable_sighash(ver))
                        /* this should not have happened */
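Review bot: The new GOST branch performs no check at all when `se` is NULL, because the hash comparison is gated on `_gnutls_version_has_selectable_sighash(ver) && se != NULL`; a GOST key paired with an absent signature entry therefore passes as compatible without its fixed digest ever being compared. If that combination is not supposed to reach this function, it should be rejected explicitly, e.g. `if (se == NULL) return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);` with a short comment in the style of the RSA-PSS branch's `/* this should not have happened */`; if it is a legitimate path, a one-line comment saying why the GOST digest check is skipped there would save the next reader from asking the same question. As a point of style, `_gnutls_gost_digest(pubkey->params.algo)` is evaluated twice (once for the comparison, once for the audit log); hoisting it into a local before the `if` keeps the compared and logged values identical by construction. The enclosing function `_gnutls_pubkey_compatible_with_sig` begins before this hunk and continues past its end.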