# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1411493314 -7200
# Node ID ad411fb64046d987272043f311ca477022c6fef4
# Parent 70ae6afde27f9c977badc5271efa835c8a4ec4f0
Fix bug 1064636, patch part 2, r=rrelyea
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -7,121 +7,165 @@
#include <stdio.h>
#include "cryptohi.h"
#include "sechash.h"
#include "keyhi.h"
#include "secasn1.h"
#include "secoid.h"
#include "pk11func.h"
+#include "pkcs1sig.h"
#include "secdig.h"
#include "secerr.h"
#include "keyi.h"
/*
-** Decrypt signature block using public key
-** Store the hash algorithm oid tag in *tagp
-** Store the digest in the digest buffer
-** Store the digest length in *digestlen
+** Recover the DigestInfo from an RSA PKCS#1 signature.
+**
+** If givenDigestAlg != SEC_OID_UNKNOWN, copy givenDigestAlg to digestAlgOut.
+** Otherwise, parse the DigestInfo structure and store the decoded digest
+** algorithm into digestAlgOut.
+**
+** Store the encoded DigestInfo into digestInfo.
+** Store the DigestInfo length into digestInfoLen.
+**
+** This function does *not* verify that the AlgorithmIdentifier in the
+** DigestInfo identifies givenDigestAlg or that the DigestInfo is encoded
+** correctly; verifyPKCS1DigestInfo does that.
+**
** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
*/
static SECStatus
-DecryptSigBlock(SECOidTag *tagp, unsigned char *digest,
- unsigned int *digestlen, unsigned int maxdigestlen,
- SECKEYPublicKey *key, const SECItem *sig, char *wincx)
+recoverPKCS1DigestInfo(SECOidTag givenDigestAlg,
+ /*out*/ SECOidTag* digestAlgOut,
+ /*out*/ unsigned char** digestInfo,
+ /*out*/ unsigned int* digestInfoLen,
+ SECKEYPublicKey* key,
+ const SECItem* sig, void* wincx)
{
- SGNDigestInfo *di = NULL;
- unsigned char *buf = NULL;
- SECStatus rv;
- SECOidTag tag;
- SECItem it;
+ SGNDigestInfo* di = NULL;
+ SECItem it;
+ PRBool rv = SECSuccess;
- if (key == NULL) goto loser;
+ PORT_Assert(digestAlgOut);
+ PORT_Assert(digestInfo);
+ PORT_Assert(digestInfoLen);
+ PORT_Assert(key);
+ PORT_Assert(key->keyType == rsaKey);
+ PORT_Assert(sig);
+ it.data = NULL;
it.len = SECKEY_PublicKeyStrength(key);
- if (!it.len) goto loser;
- it.data = buf = (unsigned char *)PORT_Alloc(it.len);
- if (!buf) goto loser;
+ if (it.len != 0) {
+ it.data = (unsigned char *)PORT_Alloc(it.len);
+ }
+ if (it.len == 0 || it.data == NULL ) {
+ rv = SECFailure;
+ }
- /* decrypt the block */
- rv = PK11_VerifyRecover(key, (SECItem *)sig, &it, wincx);
- if (rv != SECSuccess) goto loser;
+ if (rv == SECSuccess) {
+ /* decrypt the block */
+ rv = PK11_VerifyRecover(key, sig, &it, wincx);
+ }
+
+ if (rv == SECSuccess) {
+ if (givenDigestAlg != SEC_OID_UNKNOWN) {
+ /* We don't need to parse the DigestInfo if the caller gave us the
+ * digest algorithm to use. Later verifyPKCS1DigestInfo will verify
+ * that the DigestInfo identifies the given digest algorithm and
+ * that the DigestInfo is encoded absolutely correctly.
+ */
+ *digestInfoLen = it.len;
+ *digestInfo = (unsigned char*)it.data;
+ *digestAlgOut = givenDigestAlg;
+ return SECSuccess;
+ }
+ }
- di = SGN_DecodeDigestInfo(&it);
- if (di == NULL) goto sigloser;
+ if (rv == SECSuccess) {
+ /* The caller didn't specify a digest algorithm to use, so choose the
+ * digest algorithm by parsing the AlgorithmIdentifier within the
+ * DigestInfo.
+ */
+ di = SGN_DecodeDigestInfo(&it);
+ if (!di) {
+ rv = SECFailure;
+ }
+ }
- /*
- ** Finally we have the digest info; now we can extract the algorithm
- ** ID and the signature block
- */
- tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
- /* Check that tag is an appropriate algorithm */
- if (tag == SEC_OID_UNKNOWN) {
- goto sigloser;
+ if (rv == SECSuccess) {
+ *digestAlgOut = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
+ if (*digestAlgOut == SEC_OID_UNKNOWN) {
+ rv = SECFailure;
+ }
}
- /* make sure the "parameters" are not too bogus. */
- if (di->digestAlgorithm.parameters.len > 2) {
- goto sigloser;
+
+ if (di) {
+ SGN_DestroyDigestInfo(di);
}
- if (di->digest.len > maxdigestlen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- goto loser;
+
+ if (rv == SECSuccess) {
+ *digestInfoLen = it.len;
+ *digestInfo = (unsigned char*)it.data;
+ } else {
+ if (it.data) {
+ PORT_Free(it.data);
+ }
+ *digestInfo = NULL;
+ *digestInfoLen = 0;
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
}
- PORT_Memcpy(digest, di->digest.data, di->digest.len);
- *tagp = tag;
- *digestlen = di->digest.len;
- goto done;
- sigloser:
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-
- loser:
- rv = SECFailure;
-
- done:
- if (di != NULL) SGN_DestroyDigestInfo(di);
- if (buf != NULL) PORT_Free(buf);
-
return rv;
}
-
struct VFYContextStr {
SECOidTag hashAlg; /* the hash algorithm */
SECKEYPublicKey *key;
/*
* This buffer holds either the digest or the full signature
* depending on the type of the signature (key->keyType). It is
* defined as a union to make sure it always has enough space.
*
* Use the "buffer" union member to reference the buffer.
* Note: do not take the size of the "buffer" union member. Take
* the size of the union or some other union member instead.
*/
union {
unsigned char buffer[1];
- /* the digest in the decrypted RSA signature */
- unsigned char rsadigest[HASH_LENGTH_MAX];
/* the full DSA signature... 40 bytes */
unsigned char dsasig[DSA_MAX_SIGNATURE_LEN];
/* the full ECDSA signature */
unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
} u;
- unsigned int rsadigestlen;
+ unsigned int pkcs1RSADigestInfoLen;
+ /* the encoded DigestInfo from a RSA PKCS#1 signature */
+ unsigned char *pkcs1RSADigestInfo;
void * wincx;
void *hashcx;
const SECHashObject *hashobj;
SECOidTag encAlg; /* enc alg */
PRBool hasSignature; /* true if the signature was provided in the
* VFY_CreateContext call. If false, the
* signature must be provided with a
* VFY_EndWithSignature call. */
};
+static SECStatus
+verifyPKCS1DigestInfo(const VFYContext* cx, const SECItem* digest)
+{
+ SECItem pkcs1DigestInfo;
+ pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
+ pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
+ return _SGN_VerifyPKCS1DigestInfo(
+ cx->hashAlg, digest, &pkcs1DigestInfo,
+ PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+}
+
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
* to by dsig and has enough room for len bytes.
*/
static SECStatus
decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
unsigned int len) {
@@ -371,26 +415,26 @@ vfy_CreateContext(const SECKEYPublicKey
goto loser;
}
cx->wincx = wincx;
cx->hasSignature = (sig != NULL);
cx->encAlg = encAlg;
cx->hashAlg = hashAlg;
cx->key = SECKEY_CopyPublicKey(key);
+ cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
switch (type) {
case rsaKey:
- rv = DecryptSigBlock(&cx->hashAlg, cx->u.buffer, &cx->rsadigestlen,
- HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
- if (cx->hashAlg != hashAlg && hashAlg != SEC_OID_UNKNOWN) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- rv = SECFailure;
- }
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, wincx);
break;
case dsaKey:
case ecKey:
sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) {
/* error set by SECKEY_SignatureLen */
rv = SECFailure;
break;
@@ -464,16 +508,19 @@ VFY_DestroyContext(VFYContext *cx, PRBoo
if (cx) {
if (cx->hashcx != NULL) {
(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
cx->hashcx = NULL;
}
if (cx->key) {
SECKEY_DestroyPublicKey(cx->key);
}
+ if (cx->pkcs1RSADigestInfo) {
+ PORT_Free(cx->pkcs1RSADigestInfo);
+ }
if (freeit) {
PORT_ZFree(cx, sizeof(VFYContext));
}
}
}
SECStatus
VFY_Begin(VFYContext *cx)
@@ -543,31 +590,35 @@ VFY_EndWithSignature(VFYContext *cx, SEC
hash.data = final;
hash.len = part;
if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
break;
case rsaKey:
+ {
+ SECItem digest;
+ digest.data = final;
+ digest.len = part;
if (sig) {
- SECOidTag hashid = SEC_OID_UNKNOWN;
- rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen,
- HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx);
- if ((rv != SECSuccess) || (hashid != cx->hashAlg)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN);
+ SECOidTag hashid;
+ rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, cx->wincx);
+ PORT_Assert(cx->hashAlg == hashid);
+ if (rv != SECSuccess) {
return SECFailure;
}
}
- if ((part != cx->rsadigestlen) ||
- PORT_Memcmp(final, cx->u.buffer, part)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- break;
+ return verifyPKCS1DigestInfo(cx, &digest);
+ }
default:
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure; /* shouldn't happen */
}
return SECSuccess;
}
SECStatus
@@ -590,22 +641,17 @@ vfy_VerifyDigest(const SECItem *digest,
SECItem dsasig; /* also used for ECDSA */
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
if (cx != NULL) {
switch (key->keyType) {
case rsaKey:
- if ((digest->len != cx->rsadigestlen) ||
- PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
- }
+ rv = verifyPKCS1DigestInfo(cx, digest);
break;
case dsaKey:
case ecKey:
dsasig.data = cx->u.buffer;
dsasig.len = SECKEY_SignatureLen(cx->key);
if (dsasig.len == 0) {
break;
}