Fix GnuTLS 2.x build failure
authorDavid Woodhouse <David.Woodhouse@intel.com>
Sun, 17 Feb 2013 22:18:01 +0000 (22:18 +0000)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Sun, 17 Feb 2013 22:23:21 +0000 (22:23 +0000)
We can move the algo calculation into a verify_signed_data() function. This
would have been a cleaner way to do it in the first place anyway.

Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
gnutls.c
gnutls.h
gnutls_tpm.c

index b01d79c20ed6017d75805cb41e9ac81fd714fcb9..d858d72ab3f3ba88b4536f930b9c9ccd6072196c 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -864,6 +864,22 @@ static int import_openssl_pem(struct openconnect_info *vpninfo,
        return ret;
 }
 
+static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,
+                             const gnutls_datum_t *data, const gnutls_datum_t *sig)
+{
+#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
+       gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
+
+       if (privkey != OPENCONNECT_TPM_PKEY)
+               algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
+                                        GNUTLS_DIG_SHA1);
+
+       return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);
+#else
+       return gnutls_pubkey_verify_data(pubkey, 0, data, sig);
+#endif
+}
+
 static int load_certificate(struct openconnect_info *vpninfo)
 {
        gnutls_datum_t fdata;
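Review bot: The signature algorithm computed in the new verify_signed_data() is passed to gnutls_pubkey_verify_data2() without being checked: if gnutls_privkey_get_pk_algorithm() fails it returns a negative error code, gnutls_pk_to_sign() then yields GNUTLS_SIGN_UNKNOWN, and the failure surfaces later in load_certificate() as "no matching certificate" rather than as the real cause. I would reject it explicitly before the verify call, `if (algo == GNUTLS_SIGN_UNKNOWN) return GNUTLS_E_UNKNOWN_PK_ALGORITHM;`, which the caller at the end of load_certificate() already treats as a non-match because it only accepts `err >= 0`. Two points seem worth confirming rather than asserting: the compare against OPENCONNECT_TPM_PKEY here is not under the `HAVE_TROUSERS && !HAVE_GNUTLS_CERTIFICATE_SET_KEY` guard that sign_dummy_data() in gnutls.h uses, so the sentinel must be defined in every configuration that has HAVE_GNUTLS_PUBKEY_VERIFY_DATA2, and the GnuTLS 2.x fallback ignores `privkey` entirely, which may trip an unused-parameter warning. A header comment such as `/* Check sig over data with pubkey; GNUTLS_DIG_SHA1 must match the digest sign_dummy_data() uses. SHA-1 is fine here as this only matches a key to its certificate. */` would make the cross-file coupling explicit.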
@@ -1333,8 +1349,6 @@ static int load_certificate(struct openconnect_info *vpninfo)
           match. So sign some dummy data and then check the signature against each
           of the available certificates until we find the right one. */
        if (pkey) {
-               gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; // TPM
-
                /* The TPM code may have already signed it, to test authorisation. We
                   only sign here for PKCS#11 keys, in which case fdata might be
                   empty too so point it at dummy data. */
@@ -1344,7 +1358,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
                                fdata.size = 20;
                        }
 
-                       err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig, &algo);
+                       err = sign_dummy_data(vpninfo, pkey, &fdata, &pkey_sig);
                        if (err) {
                                vpn_progress(vpninfo, PRG_ERR,
                                             _("Error signing test data with private key: %s\n"),
@@ -1368,7 +1382,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
                                gnutls_pubkey_deinit(pubkey);
                                continue;
                        }
-                       err = gnutls_pubkey_verify_data2(pubkey, algo, 0, &fdata, &pkey_sig);
+                       err = verify_signed_data(pubkey, pkey, &fdata, &pkey_sig);
                        gnutls_pubkey_deinit(pubkey);
 
                        if (err >= 0) {
index 5b121afff0f47a67528262b745958e83b4e7e9b9..68d59d2eafa9da3697858b26985164bb5a7e8594 100644 (file)
--- a/gnutls.h
+++ b/gnutls.h
@@ -45,16 +45,6 @@ int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,
 
 #endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */
 
-#ifndef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
-static inline int gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
-                                             gnutls_sign_algorithm_t algo,
-                                             unsigned int flags,
-                                             const gnutls_datum_t *data,
-                                             const gnutls_datum_t *sig)
-{
-       return gnutls_pubkey_verify_data(pubkey, flags, data, sig);
-}
-#endif /* !HAVE_GNUTLS_PUBKEY_VERIFY_DATA2 */
 
 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
 int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
@@ -74,18 +64,12 @@ int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
 static inline int sign_dummy_data(struct openconnect_info *vpninfo,
                                  gnutls_privkey_t pkey,
                                  const gnutls_datum_t *data,
-                                 gnutls_datum_t *sig,
-                                 gnutls_sign_algorithm_t *algo)
+                                 gnutls_datum_t *sig)
 {
 #if defined (HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
-       if (pkey == OPENCONNECT_TPM_PKEY) {
-               if (algo)
-                       *algo = GNUTLS_SIGN_RSA_SHA1;
+       if (pkey == OPENCONNECT_TPM_PKEY)
                return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
-       }
 #endif
-       if (algo)
-               *algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(pkey, NULL), GNUTLS_DIG_SHA1);
        return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
 }
 
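Review bot: Missing documentation: with the `algo` out-parameter removed, nothing in sign_dummy_data() records that the GNUTLS_DIG_SHA1 passed to gnutls_privkey_sign_data() is the digest verify_signed_data() in gnutls.c assumes when it rebuilds the signature algorithm for the public-key check, so a later change to either side would silently break the key-to-certificate match in load_certificate(). I would add above the final call: `/* Digest must stay in step with verify_signed_data() in gnutls.c, which reconstructs the sign algorithm from GNUTLS_DIG_SHA1. */`. The TPM branch returns whatever gtls2_tpm_sign_dummy_data() produces, which is outside this hunk; the comment should note that verify_signed_data() hard-codes RSA-SHA1 for TPM keys, so that path is presumably expected to sign with SHA-1 as well.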
index bf3e7965e3b292ce6b502b3721e83574f6b5384c..bc62d76913604ba51df908131647703ba5429d26 100644 (file)
@@ -274,7 +274,7 @@ int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 #endif
 
  retry_sign:
-       err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig, NULL);
+       err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
        if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
                if (!vpninfo->tpm_key_policy) {
                        err = Tspi_Context_CreateObject(vpninfo->tpm_context,