|
 |
4dee9c |
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
|
|
|
4dee9c |
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
|
|
|
4dee9c |
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
|
|
|
4dee9c |
@@ -438,82 +438,29 @@
|
|
|
4dee9c |
return rv;
|
|
|
4dee9c |
}
|
|
|
4dee9c |
|
|
|
4dee9c |
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- if (siglen & 1) {
|
|
|
4dee9c |
- LOGE("Expected ECDSA signature length to be even, got : %lu",
|
|
|
4dee9c |
- siglen);
|
|
|
4dee9c |
- return CKR_SIGNATURE_LEN_RANGE;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- size_t len = siglen >> 1;
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- unsigned char *rbuf = sig;
|
|
|
4dee9c |
- unsigned char *sbuf = &sig[len];
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
|
|
|
4dee9c |
- if (!r) {
|
|
|
4dee9c |
- LOGE("Could not make bignum for r");
|
|
|
4dee9c |
- return CKR_GENERAL_ERROR;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
|
|
|
4dee9c |
- if (!s) {
|
|
|
4dee9c |
- LOGE("Could not make bignum for s");
|
|
|
4dee9c |
- BN_free(r);
|
|
|
4dee9c |
- return CKR_GENERAL_ERROR;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
|
|
|
4dee9c |
- if (!ossl_sig) {
|
|
|
4dee9c |
- LOGE("oom");
|
|
|
4dee9c |
- return CKR_HOST_MEMORY;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
|
|
|
4dee9c |
- if (!rc) {
|
|
|
4dee9c |
- LOGE("Could not call ECDSA_SIG_set0");
|
|
|
4dee9c |
- ECDSA_SIG_free(ossl_sig);
|
|
|
4dee9c |
- return CKR_GENERAL_ERROR;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- *outsig = ossl_sig;
|
|
|
4dee9c |
-
|
|
|
4dee9c |
- return CKR_OK;
|
|
|
4dee9c |
-}
|
|
|
4dee9c |
-
|
|
|
4dee9c |
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
|
|
|
4dee9c |
CK_BYTE_PTR digest, CK_ULONG digest_len,
|
|
|
4dee9c |
CK_BYTE_PTR signature, CK_ULONG signature_len) {
|
|
|
4dee9c |
|
|
|
4dee9c |
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
|
|
|
4dee9c |
- if (!eckey) {
|
|
|
4dee9c |
- LOGE("Expected EC Key");
|
|
|
4dee9c |
- return CKR_GENERAL_ERROR;
|
|
|
4dee9c |
- }
|
|
|
4dee9c |
+ int rc = CKR_OK;
|
|
|
4dee9c |
+ EVP_PKEY_CTX *pctx = NULL;
|
|
|
4dee9c |
|
|
|
4dee9c |
- /*
|
|
|
4dee9c |
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
|
|
|
4dee9c |
- * R + S signatures, so convert it to ASN1 framing.
|
|
|
4dee9c |
- * See:
|
|
|
4dee9c |
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
|
|
|
4dee9c |
- * For details.
|
|
|
4dee9c |
- */
|
|
|
4dee9c |
- ECDSA_SIG *ossl_sig = NULL;
|
|
|
4dee9c |
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
|
|
|
4dee9c |
- if (rv != CKR_OK) {
|
|
|
4dee9c |
- return rv;
|
|
|
4dee9c |
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
|
|
4dee9c |
+ rc = CKR_HOST_MEMORY;
|
|
|
4dee9c |
+ goto fail;
|
|
|
4dee9c |
}
|
|
|
4dee9c |
|
|
|
4dee9c |
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
|
|
|
4dee9c |
- if (rc < 0) {
|
|
|
4dee9c |
- ECDSA_SIG_free(ossl_sig);
|
|
|
4dee9c |
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
|
|
|
4dee9c |
- return CKR_GENERAL_ERROR;
|
|
|
4dee9c |
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
|
|
4dee9c |
+ EVP_PKEY_verify(pctx, signature, signature_len,
|
|
|
4dee9c |
+ digest, digest_len) != 1) {
|
|
|
4dee9c |
+ rc = CKR_SIGNATURE_INVALID;
|
|
|
4dee9c |
+ goto fail;
|
|
|
4dee9c |
}
|
|
|
4dee9c |
- ECDSA_SIG_free(ossl_sig);
|
|
|
4dee9c |
|
|
|
4dee9c |
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
|
|
|
4dee9c |
+fail:
|
|
|
4dee9c |
+ if (pctx)
|
|
|
4dee9c |
+ EVP_PKEY_CTX_free(pctx);
|
|
|
4dee9c |
+ return rc;
|
|
|
4dee9c |
}
|
|
|
4dee9c |
|
|
|
4dee9c |
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
|