rpms / tpm2-pkcs11

Clone
Source Code
GIT

Files

c8 c8-beta c8s c9 c9-beta
  1.   c9-beta
  2.   SOURCES
  3.   tpm2-pkcs11-1.5.0-openssl3.patch
Blob Blame History Raw 
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c	2020-11-03 17:36:45.000000000 -0700
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c	2021-05-26 10:17:23.723128758 -0700
@@ -438,82 +438,29 @@
     return rv;
 }

-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-
-    if (siglen & 1) {
-        LOGE("Expected ECDSA signature length to be even, got : %lu",
-                siglen);
-        return CKR_SIGNATURE_LEN_RANGE;
-    }
-
-    size_t len = siglen >> 1;
-
-    unsigned char *rbuf = sig;
-    unsigned char *sbuf = &sig[len];
-
-    BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
-    if (!r) {
-        LOGE("Could not make bignum for r");
-        return CKR_GENERAL_ERROR;
-    }
-
-    BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
-    if (!s) {
-        LOGE("Could not make bignum for s");
-        BN_free(r);
-        return CKR_GENERAL_ERROR;
-    }
-
-    ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
-    if (!ossl_sig) {
-        LOGE("oom");
-        return CKR_HOST_MEMORY;
-    }
-
-    int rc = ECDSA_SIG_set0(ossl_sig, r, s);
-    if (!rc) {
-        LOGE("Could not call ECDSA_SIG_set0");
-        ECDSA_SIG_free(ossl_sig);
-        return CKR_GENERAL_ERROR;
-    }
-
-    *outsig = ossl_sig;
-
-    return CKR_OK;
-}
-
 static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
         CK_BYTE_PTR digest, CK_ULONG digest_len,
         CK_BYTE_PTR signature, CK_ULONG signature_len) {

-    EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
-    if (!eckey) {
-        LOGE("Expected EC Key");
-        return CKR_GENERAL_ERROR;
-    }
+    int rc = CKR_OK;
+    EVP_PKEY_CTX *pctx = NULL;

-    /*
-     * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
-     * R + S signatures, so convert it to ASN1 framing.
-     * See:
-     *   https://github.com/tpm2-software/tpm2-pkcs11/issues/277
-     * For details.
-     */
-    ECDSA_SIG *ossl_sig = NULL;
-    CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
-    if (rv != CKR_OK) {
-        return rv;
+    if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
+	    rc = CKR_HOST_MEMORY;
+	    goto fail;
     }

-    int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
-    if (rc < 0) {
-        ECDSA_SIG_free(ossl_sig);
-        SSL_UTIL_LOGE("ECDSA_do_verify failed");
-        return CKR_GENERAL_ERROR;
+    if (EVP_PKEY_verify_init(pctx) != 1 ||
+	EVP_PKEY_verify(pctx, signature, signature_len,
+			digest, digest_len) != 1) {
+	    rc = CKR_SIGNATURE_INVALID;
+	    goto fail;
     }
-    ECDSA_SIG_free(ossl_sig);

-    return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
+fail:
+    if (pctx)
+	    EVP_PKEY_CTX_free(pctx);
+    return rc;
 }

 CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation