static int proc_srp_cert_server_kx(gnutls_session_t session, uint8_t * data, size_t _data_size) { ssize_t ret; int sigsize; gnutls_datum_t vparams, signature; ssize_t data_size; cert_auth_info_t info; gnutls_pcert_st peer_cert; uint8_t *p; gnutls_sign_algorithm_t sign_algo = GNUTLS_SIGN_UNKNOWN; const version_entry_st *ver = get_version(session); if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ret = _gnutls_proc_srp_server_kx(session, data, _data_size); if (ret < 0) return ret; data_size = _data_size - ret; info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); if (info == NULL || info->ncerts == 0) { gnutls_assert(); /* we need this in order to get peer's certificate */ return GNUTLS_E_INTERNAL_ERROR; } /* VERIFY SIGNATURE */ vparams.size = ret; /* all the data minus the signature */ vparams.data = data; p = &data[vparams.size]; if (_gnutls_version_has_selectable_sighash(ver)) { sign_algorithm_st aid; DECR_LEN(data_size, 1); aid.hash_algorithm = *p++; DECR_LEN(data_size, 1); aid.sign_algorithm = *p++; sign_algo = _gnutls_tls_aid_to_sign(&aid); if (sign_algo == GNUTLS_SIGN_UNKNOWN) { _gnutls_debug_log("unknown signature %d.%d\n", aid.sign_algorithm, aid.hash_algorithm); gnutls_assert(); return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM; } } DECR_LEN(data_size, 2); sigsize = _gnutls_read_uint16(p); DECR_LEN(data_size, sigsize); signature.data = &p[2]; signature.size = sigsize; ret = _gnutls_get_auth_info_pcert(&peer_cert, session->security_parameters. cert_type, info); if (ret < 0) { gnutls_assert(); return ret; } ret = _gnutls_handshake_verify_data(session, &peer_cert, &vparams, &signature, sign_algo); gnutls_pcert_deinit(&peer_cert); if (ret < 0) { gnutls_assert(); return ret; } return 0; }
static int proc_srp_cert_server_kx (gnutls_session_t session, opaque * data, size_t _data_size) { ssize_t ret; int sigsize; gnutls_datum_t vparams, signature; ssize_t data_size; cert_auth_info_t info; gnutls_cert peer_cert; opaque *p; ret = _gnutls_proc_srp_server_kx (session, data, _data_size); if (ret < 0) return ret; data_size = _data_size - ret; info = _gnutls_get_auth_info (session); if (info == NULL || info->ncerts == 0) { gnutls_assert (); /* we need this in order to get peer's certificate */ return GNUTLS_E_INTERNAL_ERROR; } /* VERIFY SIGNATURE */ vparams.size = ret; /* all the data minus the signature */ vparams.data = data; p = &data[vparams.size]; DECR_LEN (data_size, 2); sigsize = _gnutls_read_uint16 (p); DECR_LEN (data_size, sigsize); signature.data = &p[2]; signature.size = sigsize; ret = _gnutls_get_auth_info_gcert (&peer_cert, session->security_parameters.cert_type, info, CERT_NO_COPY); if (ret < 0) { gnutls_assert (); return ret; } ret = _gnutls_handshake_verify_data (session, &peer_cert, &vparams, &signature, GNUTLS_SIGN_UNKNOWN); _gnutls_gcert_deinit (&peer_cert); if (ret < 0) { gnutls_assert (); return ret; } return 0; }