- rel 3; fix gnutls build
1 --- eet-1.7.10/src/lib/eet_cipher.c.orig        2013-07-29 16:22:39.000000000 +0200
2 +++ eet-1.7.10/src/lib/eet_cipher.c     2018-09-19 10:34:46.452526279 +0200
3 @@ -56,9 +56,7 @@ void *alloca(size_t);
4  
5  #ifdef HAVE_CIPHER
6  # ifdef HAVE_GNUTLS
7 -#  if defined EET_USE_NEW_PUBKEY_VERIFY_HASH || defined EET_USE_NEW_PRIVKEY_SIGN_DATA
8 -#   include <gnutls/abstract.h>
9 -#  endif
10 +#  include <gnutls/abstract.h>
11  #  include <gnutls/x509.h>
12  #  include <gcrypt.h>
13  # else /* ifdef HAVE_GNUTLS */
14 @@ -500,10 +498,8 @@ eet_identity_sign(FILE    *fp,
15     gnutls_datum_t datum = { NULL, 0 };
16     size_t sign_len = 0;
17     size_t cert_len = 0;
18 -#ifdef EET_USE_NEW_PRIVKEY_SIGN_DATA
19     gnutls_datum_t signum = { NULL, 0 };
20     gnutls_privkey_t privkey;
21 -#endif
22  # else /* ifdef HAVE_GNUTLS */
23     EVP_MD_CTX md_ctx;
24     unsigned int sign_len = 0;
25 @@ -535,7 +531,6 @@ eet_identity_sign(FILE    *fp,
26     datum.size = st_buf.st_size;
27  
28     /* Get the signature length */
29 -#ifdef EET_USE_NEW_PRIVKEY_SIGN_DATA
30     if (gnutls_privkey_init(&privkey) < 0)
31       {
32          err = EET_ERROR_SIGNATURE_FAILED;
33 @@ -556,30 +551,6 @@ eet_identity_sign(FILE    *fp,
34  
35     sign = signum.data;
36     sign_len = signum.size;
37 -#else
38 -   if (gnutls_x509_privkey_sign_data(key->private_key, GNUTLS_DIG_SHA1, 0,
39 -                                     &datum, sign, &sign_len) &&
40 -       !sign_len)
41 -     {
42 -        err = EET_ERROR_SIGNATURE_FAILED;
43 -        goto on_error;
44 -     }
45 -
46 -   /* Get the signature */
47 -   sign = malloc(sign_len);
48 -   if (!sign ||
49 -       gnutls_x509_privkey_sign_data(key->private_key, GNUTLS_DIG_SHA1, 0,
50 -                                     &datum,
51 -                                     sign, &sign_len))
52 -     {
53 -        if (!sign)
54 -          err = EET_ERROR_OUT_OF_MEMORY;
55 -        else
56 -          err = EET_ERROR_SIGNATURE_FAILED;
57 -
58 -        goto on_error;
59 -     }
60 -#endif
61  
62     /* Get the certificate length */
63     if (gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
64 @@ -729,15 +700,11 @@ eet_identity_check(const void   *data_ba
65     gnutls_x509_crt_t cert;
66     gnutls_datum_t datum;
67     gnutls_datum_t signature;
68 -#  if EET_USE_NEW_GNUTLS_API
69 -#  if EET_USE_NEW_PUBKEY_VERIFY_HASH
70     gnutls_pubkey_t pubkey;
71     gnutls_digest_algorithm_t hash_algo;
72 -#  endif
73     unsigned char *hash;
74     gcry_md_hd_t md;
75     int err;
76 -#  endif /* if EET_USE_NEW_GNUTLS_API */
77  
78     /* Create an understanding certificate structure for gnutls */
79     datum.data = (void *)cert_der;
80 @@ -749,7 +716,6 @@ eet_identity_check(const void   *data_ba
81     signature.size = sign_len;
82  
83     /* Verify the signature */
84 -#  if EET_USE_NEW_GNUTLS_API
85     /*
86        I am waiting for my patch being accepted in GnuTLS release.
87        But we now have a way to prevent double computation of SHA1.
88 @@ -767,7 +733,6 @@ eet_identity_check(const void   *data_ba
89     datum.size = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
90     datum.data = hash;
91  
92 -#  ifdef EET_USE_NEW_PUBKEY_VERIFY_HASH
93     if (gnutls_pubkey_init(&pubkey) < 0)
94       goto on_error;
95  
96 @@ -779,10 +744,6 @@ eet_identity_check(const void   *data_ba
97  
98     if (gnutls_pubkey_verify_hash(pubkey, 0, &datum, &signature) < 0)
99       goto on_error;
100 -#  else
101 -   if (!gnutls_x509_crt_verify_hash(cert, 0, &datum, &signature))
102 -     goto on_error;
103 -#  endif
104  
105     if (sha1)
106       {
107 @@ -794,20 +755,6 @@ eet_identity_check(const void   *data_ba
108       }
109  
110     gcry_md_close(md);
111 -#  else /* if EET_USE_NEW_GNUTLS_API */
112 -   datum.data = (void *)data_base;
113 -   datum.size = data_length;
114 -
115 -   if (!gnutls_x509_crt_verify_data(cert, 0, &datum, &signature))
116 -     return NULL;
117 -
118 -   if (sha1)
119 -     {
120 -        *sha1 = NULL;
121 -        *sha1_length = -1;
122 -     }
123 -
124 -#  endif /* if EET_USE_NEW_GNUTLS_API */
125     gnutls_x509_crt_deinit(cert);
126  
127  # else /* ifdef HAVE_GNUTLS */
128 @@ -861,11 +808,9 @@ eet_identity_check(const void   *data_ba
129  
130     return cert_der;
131  # ifdef HAVE_GNUTLS
132 -#  if EET_USE_NEW_GNUTLS_API
133   on_error:
134     gcry_md_close(md);
135     return NULL;
136 -#  endif
137  # endif
138  #else /* ifdef HAVE_SIGNATURE */
139     data_base = NULL;
140 --- eet-1.7.10/src/lib/eet_cipher.c.org 2018-09-19 10:53:01.742816086 +0200
141 +++ eet-1.7.10/src/lib/eet_cipher.c     2018-09-19 10:54:10.794913636 +0200
142 @@ -739,10 +739,7 @@ eet_identity_check(const void   *data_ba
143     if (gnutls_pubkey_import_x509(pubkey, cert, 0) < 0)
144       goto on_error;
145  
146 -   if (gnutls_pubkey_get_verify_algorithm(pubkey, &signature, &hash_algo) < 0)
147 -     goto on_error;
148 -
149 -   if (gnutls_pubkey_verify_hash(pubkey, 0, &datum, &signature) < 0)
150 +   if (gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &datum, &signature) < 0)
151       goto on_error;
152  
153     if (sha1)
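Review bot: Hard-coding `GNUTLS_SIGN_RSA_SHA1` in the `gnutls_pubkey_verify_hash2()` call means a certificate with a non-RSA key will presumably now always fail verification, whereas the removed calls took the algorithm from the key and signature. If EET identities are RSA with SHA-1 by design, a comment above the call such as `/* EET signatures are RSA over the SHA-1 digest computed with GCRY_MD_SHA1 above */` would record that, and the `hash_algo` local kept by the earlier hunk looks unused now and could be dropped. Separately, the `goto on_error` paths here reach a label that, in the lines visible earlier on this page, only calls `gcry_md_close(md)` and returns NULL, so `pubkey` and `cert` appear to be left unreleased on failure. Releasing them needs care because `on_error` is also reached when `gnutls_pubkey_init()` itself fails, so a second cleanup label placed before `on_error` is the safer shape. The body of eet_identity_check starts and ends outside this hunk.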