diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h
index da13136a8..5104bc020 100644
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@@ -30,6 +30,8 @@
 #include "config.h"
+#include "md.h"
+
 #if defined(POLARSSL_RSA_C)
 #include "rsa.h"
 #endif
@@ -123,8 +125,8 @@ typedef struct
 int (*can_do)( pk_type_t type );
 /** Verify signature */
- int (*verify_func)( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+ int (*verify_func)( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len );
 /** Allocate a new context */
@@ -203,16 +205,17 @@ int pk_can_do( pk_context *ctx, pk_type_t type );
 * \brief Verify signature
 *
 * \param ctx PK context to use
+ * \param md_alg Hash algorithm used
 * \param hash Hash of the message to sign
- * \param md_info Information about the hash function used
+ * \param hash_len Hash length
 * \param sig Signature to verify
 * \param sig_len Signature length
 *
 * \return 0 on success (signature is valid),
 * or a specific error code.
 */
-int pk_verify( pk_context *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+int pk_verify( pk_context *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len );
 /**
diff --git a/library/pk.c b/library/pk.c
index 4c16de8d7..62302b050 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -110,7 +110,7 @@ int pk_init_ctx( pk_context *ctx, const pk_info_t *info )
 */
 int pk_can_do( pk_context *ctx, pk_type_t type )
 {
- /* null of NONE context can't do anything */
+ /* null or NONE context can't do anything */
 if( ctx == NULL || ctx->pk_info == NULL )
 return( 0 );
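Review bot: The new `\param hash_len Hash length` line in the pk_verify comment of pk.h does not say what callers must pass: the unit, whether the value has to equal the digest size of `md_alg`, or what is expected when `md_alg` is POLARSSL_MD_NONE. Now that the length travels separately from the algorithm, that contract belongs in the header; something like `\param hash_len Length of hash in bytes; expected to equal the digest size of md_alg` would do, adjusted to whatever the backends actually enforce. The unchanged `\param hash` line still reads "Hash of the message to sign" on a verify function and could be corrected in the same pass.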
@@ -120,14 +120,16 @@ int pk_can_do( pk_context *ctx, pk_type_t type )
 /*
 * Verify a signature
 */
-int pk_verify( pk_context *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+int pk_verify( pk_context *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len )
 {
 if( ctx == NULL || ctx->pk_info == NULL )
 return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
- return( ctx->pk_info->verify_func( ctx->pk_ctx, hash, md_info, sig, sig_len ) );
+ return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg,
+ hash, hash_len,
+ sig, sig_len ) );
 }
 /*
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 8f6150025..beaa3fd4b 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -58,15 +58,15 @@ static size_t rsa_get_size( const void * ctx )
 return( 8 * ((rsa_context *) ctx)->len );
 }
-static int rsa_verify_wrap( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+static int rsa_verify_wrap( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len )
 {
 if( sig_len != ((rsa_context *) ctx)->len )
 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 return( rsa_pkcs1_verify( (rsa_context *) ctx,
- RSA_PUBLIC, md_info->type, 0, hash, sig ) );
+ RSA_PUBLIC, md_alg, hash_len, hash, sig ) );
 }
 static void *rsa_alloc_wrap( void )
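Review bot: pk_verify in library/pk.c now receives `md_alg` and `hash_len` as two independent caller-supplied values and forwards them unchecked; neither this hunk nor rsa_verify_wrap in library/pk_wrap.c rejects a `hash_len` that disagrees with the digest size of `md_alg`. If rsa_pkcs1_verify sizes its read of `hash` from `md_alg` rather than from `hash_len` (its body is not part of this diff), a caller that passes a shorter buffer would trigger an over-read. A single guard in pk_verify would cover every backend, for example `md_info = md_info_from_type( md_alg );` followed by `if( md_info != NULL && hash_len != (size_t) md_info->size ) return( POLARSSL_ERR_PK_BAD_INPUT_DATA );`.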
@@ -128,19 +128,20 @@ static size_t eckey_get_size( const void *ctx )
 #if defined(POLARSSL_ECDSA_C)
 /* Forward declaration */
-static int ecdsa_verify_wrap( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len );
 #endif
-static int eckey_verify_wrap( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+static int eckey_verify_wrap( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len )
 {
 #if !defined(POLARSSL_ECDSA_C)
 ((void) ctx);
+ ((void) md_alg);
 ((void) hash);
- ((void) md_info);
+ ((void) hash_len);
 ((void) sig);
 ((void) sig_len);
@@ -152,7 +153,7 @@ static int eckey_verify_wrap( void *ctx,
 ecdsa_init( &ecdsa );
 ret = ecdsa_from_keypair( &ecdsa, ctx ) ||
- ecdsa_verify_wrap( &ecdsa, hash, md_info, sig, sig_len );
+ ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
 ecdsa_free( &ecdsa );
@@ -203,13 +204,14 @@ static int eckeydh_can_do( pk_type_t type )
 type == POLARSSL_PK_ECKEY_DH );
 }
-static int eckeydh_verify_wrap( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+static int eckeydh_verify_wrap( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len )
 {
 ((void) ctx);
+ ((void) md_alg);
 ((void) hash);
- ((void) md_info);
+ ((void) hash_len);
 ((void) sig);
 ((void) sig_len);
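Review bot: In the eckey_verify_wrap hunk at `@@ -152,7 +153,7 @@` the two calls are still joined with `||`, so `ret` can only be 0 or 1 and the error code from ecdsa_from_keypair or ecdsa_verify_wrap is lost, although the pk_verify comment in pk.h promises "0 on success, or a specific error code". Sequencing the calls keeps the code: `if( ( ret = ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )` followed by `ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );`. The function body starts and ends outside this hunk, so how `ret` is finally returned is not visible here.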
@@ -234,12 +236,14 @@ static int ecdsa_can_do( pk_type_t type )
 return( type == POLARSSL_PK_ECDSA );
 }
-static int ecdsa_verify_wrap( void *ctx,
- const unsigned char *hash, const md_info_t *md_info,
+static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len )
 {
+ ((void) md_alg);
+
 return( ecdsa_read_signature( (ecdsa_context *) ctx,
- hash, md_info->size, sig, sig_len ) );
+ hash, hash_len, sig, sig_len ) );
 }
 static void *ecdsa_alloc_wrap( void )
diff --git a/library/x509parse.c b/library/x509parse.c
index 4da4e7518..bbaca8ea4 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3429,7 +3429,7 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
 md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
 if( pk_can_do( &ca->pk, crl_list->sig_pk ) == 0 ||
- pk_verify( &ca->pk, hash, md_info,
+ pk_verify( &ca->pk, crl_list->sig_md, hash, md_info->size,
 crl_list->sig.p, crl_list->sig.len ) != 0 )
 {
 flags |= BADCRL_NOT_TRUSTED;
@@ -3546,7 +3546,7 @@ static int x509parse_verify_top(
 md( md_info, child->tbs.p, child->tbs.len, hash );
 if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 ||
- pk_verify( &trust_ca->pk, hash, md_info,
+ pk_verify( &trust_ca->pk, child->sig_md, hash, md_info->size,
 child->sig.p, child->sig.len ) != 0 )
 {
 trust_ca = trust_ca->next;
@@ -3623,7 +3623,7 @@ static int x509parse_verify_child(
 md( md_info, child->tbs.p, child->tbs.len, hash );
 if( pk_can_do( &parent->pk, child->sig_pk ) == 0 ||
- pk_verify( &parent->pk, hash, md_info,
+ pk_verify( &parent->pk, child->sig_md, hash, md_info->size,
 child->sig.p, child->sig.len ) != 0 )
 {
 *flags |= BADCERT_NOT_TRUSTED;
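Review bot: `((void) md_alg);` in ecdsa_verify_wrap silences the unused-parameter warning without saying why the algorithm is dropped, and on this path `hash_len` is the only length information handed to ecdsa_read_signature. A short comment above the cast would make that explicit for the next reader: `/* md_alg is not used: the hash bytes are verified as given, so hash_len alone bounds the read of hash */`. This is a documentation suggestion only.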
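Review bot: In x509parse_verifycrl the new call dereferences `md_info->size` at the call site while the result of `md()` on the preceding line is still discarded, so the verification relies on `md_info` being usable and on `hash` having been filled; the same pattern appears in the x509parse_verify_top and x509parse_verify_child hunks. The lookup that sets `md_info` sits above each hunk and is not visible here, so this may already be guarded. If it is not, and assuming `md()` reports an error for an unusable `md_info`, folding the digest step into the condition fails closed: put `if( md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 ||` ahead of the `pk_can_do` test.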