diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
@@ -438,82 +438,29 @@
return rv;
}
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-
- if (siglen & 1) {
- LOGE("Expected ECDSA signature length to be even, got : %lu",
- siglen);
- return CKR_SIGNATURE_LEN_RANGE;
- }
-
- size_t len = siglen >> 1;
-
- unsigned char *rbuf = sig;
- unsigned char *sbuf = &sig[len];
-
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
- if (!r) {
- LOGE("Could not make bignum for r");
- return CKR_GENERAL_ERROR;
- }
-
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
- if (!s) {
- LOGE("Could not make bignum for s");
- BN_free(r);
- return CKR_GENERAL_ERROR;
- }
-
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
- if (!ossl_sig) {
- LOGE("oom");
- return CKR_HOST_MEMORY;
- }
-
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
- if (!rc) {
- LOGE("Could not call ECDSA_SIG_set0");
- ECDSA_SIG_free(ossl_sig);
- return CKR_GENERAL_ERROR;
- }
-
- *outsig = ossl_sig;
-
- return CKR_OK;
-}
-
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
CK_BYTE_PTR digest, CK_ULONG digest_len,
CK_BYTE_PTR signature, CK_ULONG signature_len) {
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
- if (!eckey) {
- LOGE("Expected EC Key");
- return CKR_GENERAL_ERROR;
- }
+ int rc = CKR_OK;
+ EVP_PKEY_CTX *pctx = NULL;
- /*
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
- * R + S signatures, so convert it to ASN1 framing.
- * See:
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
- * For details.
- */
- ECDSA_SIG *ossl_sig = NULL;
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
- if (rv != CKR_OK) {
- return rv;
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
+ rc = CKR_HOST_MEMORY;
+ goto fail;
}
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
- if (rc < 0) {
- ECDSA_SIG_free(ossl_sig);
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
- return CKR_GENERAL_ERROR;
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
+ EVP_PKEY_verify(pctx, signature, signature_len,
+ digest, digest_len) != 1) {
+ rc = CKR_SIGNATURE_INVALID;
+ goto fail;
}
- ECDSA_SIG_free(ossl_sig);
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
+fail:
+ if (pctx)
+ EVP_PKEY_CTX_free(pctx);
+ return rc;
}
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,