Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
gnutls.18749
0001-pubkey-avoid-spurious-audit-messages-from-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch of Package gnutls.18749
From 57d22ddc85a1fde180c0a5b0178eeb128792e636 Mon Sep 17 00:00:00 2001 From: Petr Pavlu <petr.pavlu@suse.com> Date: Wed, 8 Jul 2020 10:12:30 +0200 Subject: [PATCH] pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() When checking in _gnutls_pubkey_compatible_with_sig() whether a public key is compatible with a signature algorithm, run first pubkey_supports_sig() before performing weaker checks that can accept the given algorithm but with an audit-log warning. This avoids an issue when a weaker check would log an audit message for some signature algorithm that would then be determined as incompatible by the pubkey_supports_sig() check anyway. For instance, a GnuTLS server might have a certificate with a SECP384R1 public key and a client can report that it supports ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the GnuTLS server will eventually find that it must use ECDSA-SECP384R1-SHA384 with this public key. However, the code would first run _gnutls_pubkey_compatible_with_sig() to check if SECP384R1 is compatible with ECDSA-SECP256R1-SHA256. The function would report the audit warning "The hash size used in signature (32) is less than the expected (48)" but then reject the signature algorithm in pubkey_supports_sig() as incompatible because it has a different curve. Since the algorithm gets rejected it is not necessary to inform about its hash size difference in the audit log. Signed-off-by: Petr Pavlu <petr.pavlu@suse.com> --- lib/pubkey.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/pubkey.c b/lib/pubkey.c index de95a04c3..6f9d54f11 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -2092,10 +2092,16 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, unsigned int sig_hash_size; const mac_entry_st *me; const gnutls_sign_entry_st *se; + int ret; se = _gnutls_sign_to_entry(sign); - if (se == NULL && _gnutls_version_has_selectable_sighash(ver)) + if (se != NULL) { + ret = pubkey_supports_sig(pubkey, se); + if (ret < 0) + return gnutls_assert_val(ret); + } else if (_gnutls_version_has_selectable_sighash(ver)) { return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } if (pubkey->params.algo == GNUTLS_PK_DSA) { me = _gnutls_dsa_q_to_hash(&pubkey->params, &hash_size); @@ -2158,9 +2164,6 @@ int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session, } } - if (se != NULL) - return pubkey_supports_sig(pubkey, se); - return 0; } -- 2.29.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor