#include "state.h"
#include "x509/common.h"
#include "abstract_int.h"
+#include "crau/crau.h"
int _gnutls_check_key_usage_for_sig(gnutls_session_t session,
unsigned key_usage, unsigned our_cert)
se = _gnutls_sign_to_entry(*sign_algo);
+ crau_new_context_with_data("name", CRAU_STRING, "tls::sign",
+ "tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+
if (_gnutls_version_has_selectable_sighash(ver))
- return _gnutls_handshake_sign_data12(session, cert, pkey,
- params, signature, se);
+ ret = _gnutls_handshake_sign_data12(session, cert, pkey, params,
+ signature, se);
else
- return _gnutls_handshake_sign_data10(session, cert, pkey,
- params, signature, se);
+ ret = _gnutls_handshake_sign_data10(session, cert, pkey, params,
+ signature, se);
+
+ crau_pop_context();
+ return ret;
}
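Review bot: The expression `se->aid.id[0] << 8 | se->aid.id[1]` passed to `crau_new_context_with_data` here is written out again at every `crau_data` call this commit adds in the verify and CertificateVerify helpers, so the encoding of the audit field lives in seven places. A small static helper would keep them in step and make the precedence explicit. The version below returns `int`, the type the expression already has after integer promotion, so the variadic argument is unchanged; whether `int` is the width `CRAU_WORD` reads back from the argument list should be confirmed against crau.h. The function this hunk belongs to starts outside the hunk, and no NULL check on `se` is visible between the lookup and this dereference, unlike the `if (se)` sites further down, so confirm it sits in the lines not shown.

```c
/* Two-byte TLS signature algorithm identifier of an entry, as one 16-bit value. */
static inline int sign_entry_tls_id(const gnutls_sign_entry_st *se)
{
	return (se->aid.id[0] << 8) | se->aid.id[1];
}

/* … unchanged: lookup of se in the signing function … */
	crau_new_context_with_data("name", CRAU_STRING, "tls::sign",
				   "tls::signature_algorithm", CRAU_WORD,
				   sign_entry_tls_id(se), NULL);
```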
/* Generates a signature of all the random data and the parameters.
gnutls_digest_algorithm_t hash_algo;
const mac_entry_st *me;
gnutls_pk_algorithm_t pk_algo;
+ const gnutls_sign_entry_st *se;
pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
if (pk_algo == GNUTLS_PK_RSA) {
dconcat.data = concat;
dconcat.size = _gnutls_hash_get_algo_len(me);
+ se = _gnutls_sign_to_entry(sign_algo);
+ if (se) {
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+ }
+
ret = gnutls_pubkey_verify_hash2(cert->pubkey, sign_algo,
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 |
verify_flags,
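Review bot: When `_gnutls_sign_to_entry(sign_algo)` returns NULL, the added `if (se)` block skips `crau_data` silently, so the verify event is recorded with no `tls::signature_algorithm` field on the path that also passes `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1`. For an audit trail that is the case a reader most wants labelled, so the omission deserves at least a comment, e.g. `/* no table entry for sign_algo on this legacy path: the event carries no algorithm */`. The same guard appears in the two CertificateVerify verification helpers later in the file. The enclosing function starts and ends outside the hunk.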
const version_entry_st *ver = get_version(session);
const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign_algo);
+ if (unlikely(se == NULL))
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
_gnutls_handshake_log(
"HSK[%p]: verify TLS 1.2 handshake data: using %s\n", session,
se->name);
memcpy(dconcat.data + GNUTLS_RANDOM_SIZE * 2, params->data,
params->size);
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+
ret = gnutls_pubkey_verify_data2(cert->pubkey, sign_algo, verify_flags,
&dconcat, signature);
if (ret < 0)
gnutls_sign_algorithm_set_server(session, sign_algo);
+ crau_new_context_with_data("name", CRAU_STRING, "tls::verify", NULL);
+
if (_gnutls_version_has_selectable_sighash(ver))
- return _gnutls_handshake_verify_data12(session, verify_flags,
- cert, params, signature,
- sign_algo);
+ ret = _gnutls_handshake_verify_data12(session, verify_flags,
+ cert, params, signature,
+ sign_algo);
else
- return _gnutls_handshake_verify_data10(session, verify_flags,
- cert, params, signature,
- sign_algo);
+ ret = _gnutls_handshake_verify_data10(session, verify_flags,
+ cert, params, signature,
+ sign_algo);
+
+ crau_pop_context();
+ return ret;
}
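Review bot: `crau_new_context_with_data` and `crau_pop_context` are paired by hand around the version dispatch, which holds only while every exit after the push goes through the single `return ret;`. Nothing in the code says so; a one-line comment above the push, such as `/* no early return below: the context must be popped before leaving */`, would protect the pairing against a later early return. The same pattern is added in the signing function above and in both CertificateVerify dispatchers below. The function begins outside the hunk, so whether `ret` was already declared there cannot be seen here.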
/* Client certificate verify calculations
dconcat.data = session->internals.handshake_hash_buffer.data;
dconcat.size = session->internals.handshake_hash_buffer_prev_len;
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+
/* Here we intentionally enable flag GNUTLS_VERIFY_ALLOW_BROKEN
* because we have checked whether the currently used signature
* algorithm is allowed in the session. */
gnutls_datum_t dconcat;
gnutls_pk_algorithm_t pk =
gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
+ const gnutls_sign_entry_st *se;
ret = _gnutls_generate_master(session, 1);
if (ret < 0) {
dconcat.size += 20;
+ se = _gnutls_sign_to_entry(sign_algo);
+ if (se) {
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+ }
+
ret = gnutls_pubkey_verify_hash2(cert->pubkey, GNUTLS_SIGN_UNKNOWN,
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 |
verify_flags,
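Review bot: The audit field is derived from `sign_algo`, but the call that follows passes `GNUTLS_SIGN_UNKNOWN` to `gnutls_pubkey_verify_hash2`, so the recorded algorithm and the one the verification is told about come from different values. If `sign_algo` is always unknown on this path, the `if (se)` block is presumably never taken and the event never names an algorithm; if it is not, the log may name an algorithm the verifier was not constrained to. A comment stating which case holds would settle it, e.g. `/* audit only: the verification below is not bound to sign_algo */`. The function's body continues outside the hunk.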
gnutls_datum_t dconcat;
gnutls_pk_algorithm_t pk_algo;
const mac_entry_st *me;
+ const gnutls_sign_entry_st *se;
/* TLS 1.0 and TLS 1.1 */
pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
dconcat.data = concat;
dconcat.size = _gnutls_hash_get_algo_len(me);
+ se = _gnutls_sign_to_entry(sign_algo);
+ if (se) {
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+ }
+
ret = gnutls_pubkey_verify_hash2(cert->pubkey, sign_algo,
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 |
verify_flags,
gnutls_sign_algorithm_set_client(session, sign_algo);
+ crau_new_context_with_data("name", CRAU_STRING, "tls::verify", NULL);
+
/* TLS 1.2 */
if (_gnutls_version_has_selectable_sighash(ver))
- return _gnutls_handshake_verify_crt_vrfy12(
+ ret = _gnutls_handshake_verify_crt_vrfy12(
session, verify_flags, cert, signature, sign_algo);
#ifdef ENABLE_SSL3
- if (ver->id == GNUTLS_SSL3)
- return _gnutls_handshake_verify_crt_vrfy3(
+ else if (ver->id == GNUTLS_SSL3)
+ ret = _gnutls_handshake_verify_crt_vrfy3(
session, verify_flags, cert, signature, sign_algo);
#endif
+ else {
+ /* TLS 1.0 and TLS 1.1 */
+ ret = _gnutls_handshake_verify_crt_vrfy10(
+ session, verify_flags, cert, signature, sign_algo);
+ }
- /* TLS 1.0 and TLS 1.1 */
- return _gnutls_handshake_verify_crt_vrfy10(session, verify_flags, cert,
- signature, sign_algo);
+ crau_pop_context();
+ return ret;
}
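Review bot: The dispatch now chains `if` / `else if` / `else` across `#ifdef ENABLE_SSL3`, with the first two arms unbraced and only the final `else` braced, so the shape of the statement depends on the preprocessor and on each arm staying a single statement. Bracing every arm (`if (...) { ret = ...; }`, `else if (ver->id == GNUTLS_SSL3) { ... }`) keeps both build configurations obviously well-formed and matches the brace the commit already puts on the last arm. The signing dispatcher at the end of the file has the same layout, there with a comment sitting between the first arm and the `#ifdef`.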
/* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2.
if (se == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- gnutls_sign_algorithm_set_client(session, sign_algo);
+ crau_data("tls::signature_algorithm", CRAU_WORD,
+ se->aid.id[0] << 8 | se->aid.id[1], NULL);
+
+ gnutls_sign_algorithm_set_client(session, se->id);
- if (unlikely(gnutls_sign_supports_pk_algorithm(
- sign_algo, pkey->pk_algorithm) == 0))
+ if (unlikely(sign_supports_priv_pk_algorithm(se, pkey->pk_algorithm) ==
+ 0))
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
_gnutls_debug_log("sign handshake cert vrfy: picked %s\n",
if (ret < 0)
return gnutls_assert_val(ret);
- return GNUTLS_SIGN_UNKNOWN;
+ return ret;
}
#endif
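Review bot: `return ret;` replaces the constant `return GNUTLS_SIGN_UNKNOWN;`, so the success value of this SSL3 helper is now whatever non-negative value the preceding call left in `ret` (negative values have already returned). The dispatcher forwards that value unchanged, which is fine only if callers test for `< 0` rather than `== 0`; that cannot be checked from this page. If plain success is meant, `return 0;` says so directly and does not depend on the callee's positive return values.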
if (ret < 0)
return gnutls_assert_val(ret);
+ crau_new_context_with_data("name", CRAU_STRING, "tls::sign", NULL);
+
/* TLS 1.2 */
if (_gnutls_version_has_selectable_sighash(ver))
- return _gnutls_handshake_sign_crt_vrfy12(session, cert, pkey,
- signature);
+ ret = _gnutls_handshake_sign_crt_vrfy12(session, cert, pkey,
+ signature);
/* TLS 1.1 or earlier */
#ifdef ENABLE_SSL3
- if (ver->id == GNUTLS_SSL3)
- return _gnutls_handshake_sign_crt_vrfy3(session, cert, ver,
- pkey, signature);
+ else if (ver->id == GNUTLS_SSL3)
+ ret = _gnutls_handshake_sign_crt_vrfy3(session, cert, ver, pkey,
+ signature);
#endif
+ else {
+ ret = _gnutls_handshake_sign_crt_vrfy10(session, cert, ver,
+ pkey, signature);
+ }
- return _gnutls_handshake_sign_crt_vrfy10(session, cert, ver, pkey,
- signature);
+ crau_pop_context();
+ return ret;
}
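Review bot: The `tls::sign` context opened here carries only the name, and the signature algorithm is attached later by `crau_data` in the TLS 1.2 helper alone; no added line on this page puts a `tls::signature_algorithm` field into the TLS 1.0/1.1 or SSL3 signing helpers. If that is what the full commit does, CertificateVerify signatures made under the legacy protocol versions are logged without an algorithm, and those are the events an auditor would most want identified. Either emit the field in those helpers as well, or note the gap in a comment at the push, e.g. `/* the algorithm is recorded by the per-version helper where one is negotiated */`. The function begins outside the hunk.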