authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-26 09:16:03 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-03 11:57:53 +0200
commit2f0e285ad8e2762b280c4ed8163ab8f5c915d4d4 (patch)
treedd9030c732852b032ab64e34daa4b5b8cc6babaf
parent8e225209449db9c4fe6b28d8974f6ab5cd29caa5 (diff)
pubkey_verify_data: accept signature entry instead of PK and hash
That aligns better with current callers which know the signature algorithm in use. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/abstract_int.h3
-rw-r--r--lib/pubkey.c23
-rw-r--r--lib/x509/crq.c12
-rw-r--r--lib/x509/verify.c10
4 files changed, 26 insertions, 22 deletions
diff --git a/lib/abstract_int.h b/lib/abstract_int.h
index 4adc7ce9d8..c1bd7f7f25 100644
--- a/lib/abstract_int.h
+++ b/lib/abstract_int.h
@@ -107,8 +107,7 @@ pubkey_verify_hashed_data(gnutls_pk_algorithm_t pk,
gnutls_pk_params_st * params,
gnutls_x509_spki_st * sign_params);
-int pubkey_verify_data(gnutls_pk_algorithm_t pk,
- const mac_entry_st * algo,
+int pubkey_verify_data(const gnutls_sign_entry_st *se,
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 1ae8c05830..ce372dbaea 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -1569,7 +1569,7 @@ gnutls_pubkey_verify_data2(gnutls_pubkey_t pubkey,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = pubkey_verify_data(params.pk, me, data, signature, &pubkey->params,
+ ret = pubkey_verify_data(se, data, signature, &pubkey->params,
&params);
if (ret < 0) {
gnutls_assert();
@@ -1950,18 +1950,24 @@ pubkey_verify_hashed_data(gnutls_pk_algorithm_t pk,
* not verified, or 1 otherwise.
*/
int
-pubkey_verify_data(gnutls_pk_algorithm_t pk,
- const mac_entry_st * me,
+pubkey_verify_data(const gnutls_sign_entry_st *se,
const gnutls_datum_t * data,
const gnutls_datum_t * signature,
gnutls_pk_params_st * params,
gnutls_x509_spki_st * sign_params)
{
- switch (pk) {
+ const mac_entry_st *me;
+
+ me = hash_to_entry(se->hash);
+
+ switch (se->pk) {
case GNUTLS_PK_RSA:
case GNUTLS_PK_RSA_PSS:
+ if (unlikely(me==NULL))
+ return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+
if (_pkcs1_rsa_verify_sig
- (pk, me, data, NULL, signature, params, sign_params) != 0) {
+ (se->pk, me, data, NULL, signature, params, sign_params) != 0) {
gnutls_assert();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
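Review bot: `se` is dereferenced at `me = hash_to_entry(se->hash);` with no NULL guard, so the function now relies on every caller having validated the entry. The crq.c caller visibly does; the check in gnutls_pubkey_verify_data2 (if any) is outside its hunk. Either add `if (unlikely(se == NULL)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` before the lookup, or state in the function comment that `se` must be non-NULL. That comment starts above this hunk and should in any case describe the new `se` parameter in place of the old pk/hash pair. The `me==NULL` check is also repeated verbatim in the EC/DSA arm of a later hunk; a comment such as `/* Ed25519 does not use me, so the hash is only required for RSA and (EC)DSA */` would explain why it is not hoisted above the switch. The function body continues outside the hunk.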
@@ -1970,7 +1976,7 @@ pubkey_verify_data(gnutls_pk_algorithm_t pk,
break;
case GNUTLS_PK_EDDSA_ED25519:
- if (_gnutls_pk_verify(pk, data, signature, params, sign_params) != 0) {
+ if (_gnutls_pk_verify(se->pk, data, signature, params, sign_params) != 0) {
gnutls_assert();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
@@ -1980,8 +1986,11 @@ pubkey_verify_data(gnutls_pk_algorithm_t pk,
case GNUTLS_PK_EC:
case GNUTLS_PK_DSA:
+ if (unlikely(me==NULL))
+ return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+
if (dsa_verify_data
- (pk, me, data, signature, params, sign_params) != 0) {
+ (se->pk, me, data, signature, params, sign_params) != 0) {
gnutls_assert();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 6088ef9ac6..0642d89f49 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2916,8 +2916,8 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
gnutls_datum_t data = { NULL, 0 };
gnutls_datum_t signature = { NULL, 0 };
gnutls_pk_params_st params;
- gnutls_digest_algorithm_t algo;
gnutls_x509_spki_st sign_params;
+ const gnutls_sign_entry_st *se;
int ret;
gnutls_pk_params_init(&params);
@@ -2939,7 +2939,12 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
goto cleanup;
}
- algo = gnutls_sign_get_hash_algorithm(ret);
+ se = _gnutls_sign_to_entry(ret);
+ if (se == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ goto cleanup;
+ }
ret =
_gnutls_x509_get_signature(crq->crq, "signature", &signature);
@@ -2963,8 +2968,7 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
}
ret =
- pubkey_verify_data(sign_params.pk,
- hash_to_entry(algo), &data, &signature,
+ pubkey_verify_data(se, &data, &signature,
&params, &sign_params);
if (ret < 0) {
gnutls_assert();
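Review bot: The verification primitive for a certificate request is now selected by `se->pk`, taken from the signature-algorithm identifier, instead of `sign_params.pk`. Nothing visible in the crq.c hunks confirms that this algorithm is compatible with the key loaded into `params`. If the lines between the hunks do not already enforce that, a compatibility check before the call would keep a mismatched identifier from steering key material into the wrong verifier; it should return `GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM` via the existing `cleanup` label and still allow an RSA key with an RSA-PSS signature. At minimum, a comment such as `/* se->pk and sign_params.pk both derive from the signature algorithm; key compatibility is checked in ... */` would record the assumption. gnutls_x509_crq_verify starts and ends outside this hunk.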
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 1875dfb425..e95443175b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1329,7 +1329,6 @@ _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign,
gnutls_pk_algorithm_t issuer_pk;
int ret;
gnutls_x509_spki_st sign_params;
- const mac_entry_st * me;
const gnutls_sign_entry_st *se;
/* Read the MPI parameters from the issuer's certificate.
@@ -1374,14 +1373,7 @@ _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign,
sign_params.rsa_pss_dig = se->hash;
}
- me = hash_to_entry(se->hash);
- if (unlikely(me == NULL)) {
- gnutls_assert();
- ret = GNUTLS_E_CERTIFICATE_ERROR;
- goto cleanup;
- }
-
- ret = pubkey_verify_data(se->pk, me, data, signature, &params,
+ ret = pubkey_verify_data(se, data, signature, &params,
&sign_params);
if (ret < 0) {
gnutls_assert();
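Review bot: Dropping the local `hash_to_entry()` check changes the error reported for an unknown hash: this path used to set `GNUTLS_E_CERTIFICATE_ERROR`, whereas `pubkey_verify_data` now returns `GNUTLS_E_UNKNOWN_HASH_ALGORITHM`, and only in its RSA and EC/DSA arms. Whether the `if (ret < 0)` branch below normalises the code cannot be seen here, since the function continues past the hunk. If callers of `_gnutls_x509_verify_data` compare against the old value, either map it back at this call site or note the change in the commit description. A short comment above the call, e.g. `/* hash validity is checked inside pubkey_verify_data() */`, would also make clear that the check was moved rather than removed.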