start_timing(&timing);
for (round = 0; round < rounds; round++)
{
- if (!public->verify(public, scheme, data, sigs[round]))
+ if (!public->verify(public, &scheme, data, sigs[round]))
{
printf("signature verification failed\n");
exit(1);
bool test_agent()
{
char *path;
+ signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
private_key_t *private;
public_key_t *public;
{
return FALSE;
}
- if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
+ if (!private->sign(private, scheme, data, &sig))
{
return FALSE;
}
{
return FALSE;;
}
- if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+ if (!public->verify(public, &scheme, data, sig))
{
return FALSE;
}
free(sig.ptr);
data.ptr[1] = 0x01; /* fake it */
- if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+ if (public->verify(public, &scheme, data, sig))
{
return FALSE;
}
private_key_t *private;
public_key_t *public;
u_int key_size;
+ signature_scheme_t sigscheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ encryption_scheme_t encscheme = ENCRYPT_RSA_PKCS1;
for (key_size = 512; key_size <= 2048; key_size *= 2)
{
DBG1(DBG_CFG, "generating public from private key failed");
return FALSE;
}
- if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
+ if (!private->sign(private, sigscheme, data, &sig))
{
DBG1(DBG_CFG, "creating RSA signature failed");
return FALSE;
}
- if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+ if (!public->verify(public, &sigscheme, data, sig))
{
DBG1(DBG_CFG, "verifying RSA signature failed");
return FALSE;
}
sig.ptr[sig.len-1]++;
- if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+ if (public->verify(public, &sigscheme, data, sig))
{
DBG1(DBG_CFG, "verifying faked RSA signature succeeded!");
return FALSE;
}
free(sig.ptr);
- if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt))
+ if (!public->encrypt(public, encscheme, data, &crypt))
{
DBG1(DBG_CFG, "encrypting data with RSA failed");
return FALSE;
}
- if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain))
+ if (!private->decrypt(private, &encscheme, crypt, &plain))
{
DBG1(DBG_CFG, "decrypting data with RSA failed");
return FALSE;
id, auth);
while (enumerator->enumerate(enumerator, &public, ¤t_auth))
{
- if (public->verify(public, scheme, hash, sig))
+ if (public->verify(public, &scheme, hash, sig))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
id, key_type_names, this->type);
key_type, id, auth);
while (enumerator->enumerate(enumerator, &public, ¤t_auth))
{
- if (public->verify(public, scheme, octets, auth_data))
+ if (public->verify(public, &scheme, octets, auth_data))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
id, auth_method_names, auth_method);
DBG3(DBG_PTS, "PCR %d extended with: %B", pcr_num, &input);
DBG3(DBG_PTS, "PCR %d value after extend: %B", pcr_num, output);
-
+
chunk_clear(&pcr_value);
Tspi_Context_FreeMemory(hContext, NULL);
Tspi_Context_Close(hContext);
err:
DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result);
-
+
chunk_clear(&pcr_value);
Tspi_Context_FreeMemory(hContext, NULL);
Tspi_Context_Close(hContext);
-
+
return FALSE;
}
{
i++;
f = 1;
- }
+ }
if (this->pcr_select[i] & f)
{
result = use_quote2 ?
"unable to construct TPM Quote Info2");
return FALSE;
}
-
+
/**
* A TPM v1.2 has 24 PCR Registers
* so the bitmask field length used by TrouSerS is at least 3 bytes
*/
size_of_select = max(PCR_MAX_NUM / 8, 1 + this->pcr_max / 8);
pcr_comp_len = 2 + size_of_select + 4 + this->pcr_count * this->pcr_len;
-
+
writer = bio_writer_create(pcr_comp_len);
writer->write_uint16(writer, size_of_select);
{
writer->write_uint8(writer, this->pcr_select[i]);
}
-
+
/* TPM Locality Selection */
writer->write_uint8(writer, TPM_LOC_ZERO);
METHOD(pts_t, verify_quote_signature, bool,
private_pts_t *this, chunk_t data, chunk_t signature)
{
+ signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
public_key_t *aik_pub_key;
aik_pub_key = this->aik->get_public_key(this->aik);
return FALSE;
}
- if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1,
- data, signature))
+ if (!aik_pub_key->verify(aik_pub_key, &scheme, data, signature))
{
DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
DESTROY_IF(aik_pub_key);
{
strcpy(buf, str_debian);
pos += strlen(str_debian);
- len -= strlen(str_debian);
+ len -= strlen(str_debian);
}
fseek(file, 0, SEEK_END);
/**
* Decrypt a chunk of data.
*
- * @param scheme expected encryption scheme used
+ * If an encryption scheme is given, only data with such a scheme is
+ * valid. If scheme is ENCRYPT_UNKNOWN, the scheme is detected and
+ * returned to the scheme pointer.
+ *
+ * @param scheme encryption scheme to use/used
* @param crypto chunk containing encrypted data
* @param plain where to allocate decrypted data
* @return TRUE if data decrypted and plaintext allocated
*/
- bool (*decrypt)(private_key_t *this, encryption_scheme_t scheme,
+ bool (*decrypt)(private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain);
/**
/**
* Verifies a signature against a chunk of data.
*
- * @param scheme signature scheme to use for verification, may be default
+ * If a signature scheme is given, only a signature with such a scheme is
+ * valid. If scheme is SIGN_UNKNOWN, the signature is detected and
+ * returned to the scheme pointer.
+ *
+ * @param scheme signature scheme to use/used for verification
* @param data data to check signature against
* @param signature signature to check
* @return TRUE if signature matches
*/
- bool (*verify)(public_key_t *this, signature_scheme_t scheme,
+ bool (*verify)(public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t signature);
/**
DBG1(DBG_LIB, "no public key found in CA certificate");
return FALSE;
}
- if (key->verify(key, scheme,
+ if (key->verify(key, &scheme,
this->attributes->get_encoding(this->attributes), encrypted_digest))
{
DBG2(DBG_LIB, "signature is valid");
int objectID, version;
bool success = FALSE;
+ encryption_scheme_t scheme = ENCRYPT_RSA_PKCS1;
+
chunk_t iv = chunk_empty;
chunk_t symmetric_key = chunk_empty;
chunk_t encrypted_content = chunk_empty;
}
case PKCS7_ENCRYPTED_KEY:
{
- if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
+ if (!key->decrypt(key, &scheme, object, &symmetric_key))
{
DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
goto end;
}
METHOD(private_key_t, decrypt, bool,
- private_agent_private_key_t *this, encryption_scheme_t scheme,
+ private_agent_private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain)
{
DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
}
METHOD(private_key_t, decrypt, bool,
- private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme,
+ private_gcrypt_rsa_private_key_t *this, encryption_scheme_t *scheme,
chunk_t encrypted, chunk_t *plain)
{
gcry_error_t err;
chunk_t padded;
u_char *pos = NULL;;
- if (scheme != ENCRYPT_RSA_PKCS1)
+ if (*scheme != ENCRYPT_RSA_PKCS1)
{
DBG1(DBG_LIB, "encryption scheme %N not supported",
- encryption_scheme_names, scheme);
+ encryption_scheme_names, *scheme);
return FALSE;
}
err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
}
METHOD(public_key_t, verify, bool,
- private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
+ private_gcrypt_rsa_public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t signature)
{
- switch (scheme)
+ switch (*scheme)
{
case SIGN_RSA_EMSA_PKCS1_NULL:
return verify_raw(this, data, signature);
return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature);
default:
DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
- signature_scheme_names, scheme);
+ signature_scheme_names, *scheme);
return FALSE;
}
}
}
METHOD(private_key_t, decrypt, bool,
- private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
+ private_gmp_rsa_private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain)
{
chunk_t em, stripped;
bool success = FALSE;
- if (scheme != ENCRYPT_RSA_PKCS1)
+ if (*scheme != ENCRYPT_RSA_PKCS1)
{
DBG1(DBG_LIB, "encryption scheme %N not supported",
- encryption_scheme_names, scheme);
+ encryption_scheme_names, *scheme);
return FALSE;
}
/* rsa decryption using PKCS#1 RSADP */
}
METHOD(public_key_t, verify, bool,
- private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
+ private_gmp_rsa_public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t signature)
{
- switch (scheme)
+ switch (*scheme)
{
case SIGN_RSA_EMSA_PKCS1_NULL:
return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
default:
DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
- signature_scheme_names, scheme);
+ signature_scheme_names, *scheme);
return FALSE;
}
}
return FALSE;
}
tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl);
- valid = key->verify(key, this->scheme, tbs,
+ valid = key->verify(key, &this->scheme, tbs,
openssl_asn1_str2chunk(this->crl->signature));
free(tbs.ptr);
key->destroy(key);
}
METHOD(private_key_t, decrypt, bool,
- private_openssl_ec_private_key_t *this, encryption_scheme_t scheme,
+ private_openssl_ec_private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain)
{
DBG1(DBG_LIB, "EC private key decryption not implemented");
}
METHOD(public_key_t, verify, bool,
- private_openssl_ec_public_key_t *this, signature_scheme_t scheme,
+ private_openssl_ec_public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t signature)
{
- switch (scheme)
+ switch (*scheme)
{
case SIGN_ECDSA_WITH_SHA1_DER:
return verify_der_signature(this, NID_sha1, data, signature);
case SIGN_ECDSA_WITH_NULL:
return verify_signature(this, data, signature);
case SIGN_ECDSA_256:
- return verify_curve_signature(this, scheme, NID_sha256,
+ return verify_curve_signature(this, *scheme, NID_sha256,
NID_X9_62_prime256v1, data, signature);
case SIGN_ECDSA_384:
- return verify_curve_signature(this, scheme, NID_sha384,
+ return verify_curve_signature(this, *scheme, NID_sha384,
NID_secp384r1, data, signature);
case SIGN_ECDSA_521:
- return verify_curve_signature(this, scheme, NID_sha512,
+ return verify_curve_signature(this, *scheme, NID_sha512,
NID_secp521r1, data, signature);
default:
DBG1(DBG_LIB, "signature scheme %N not supported in EC",
- signature_scheme_names, scheme);
+ signature_scheme_names, *scheme);
return FALSE;
}
}
}
METHOD(private_key_t, decrypt, bool,
- private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme,
+ private_openssl_rsa_private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain)
{
int padding, len;
char *decrypted;
- switch (scheme)
+ switch (*scheme)
{
case ENCRYPT_RSA_PKCS1:
padding = RSA_PKCS1_PADDING;
break;
default:
DBG1(DBG_LIB, "encryption scheme %N not supported via openssl",
- encryption_scheme_names, scheme);
+ encryption_scheme_names, *scheme);
return FALSE;
}
decrypted = malloc(RSA_size(this->rsa));
refcount_t ref;
};
-
-
/**
* Verification of an EMPSA PKCS1 signature described in PKCS#1
*/
}
METHOD(public_key_t, verify, bool,
- private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
+ private_openssl_rsa_public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t signature)
{
- switch (scheme)
+ switch (*scheme)
{
case SIGN_RSA_EMSA_PKCS1_NULL:
return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
default:
DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
- signature_scheme_names, scheme);
+ signature_scheme_names, *scheme);
return FALSE;
}
}
return FALSE;
}
tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info);
- valid = key->verify(key, this->scheme, tbs,
+ valid = key->verify(key, &this->scheme, tbs,
openssl_asn1_str2chunk(this->x509->signature));
free(tbs.ptr);
key->destroy(key);
/**
* Implementation of private_key_t.decrypt for signature-only keys
*/
-static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme,
+static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypto, chunk_t *plain)
{
DBG1(DBG_LIB, "decryption failed - signature only key");
}
METHOD(private_key_t, decrypt, bool,
- private_pkcs11_private_key_t *this, encryption_scheme_t scheme,
+ private_pkcs11_private_key_t *this, encryption_scheme_t *scheme,
chunk_t crypt, chunk_t *plain)
{
CK_MECHANISM_PTR mechanism;
CK_ULONG len;
CK_RV rv;
- mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+ mechanism = pkcs11_encryption_scheme_to_mech(*scheme);
if (!mechanism)
{
DBG1(DBG_LIB, "encryption scheme %N not supported",
- encryption_scheme_names, scheme);
+ encryption_scheme_names, *scheme);
return FALSE;
}
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
}
METHOD(public_key_t, verify, bool,
- private_pkcs11_public_key_t *this, signature_scheme_t scheme,
+ private_pkcs11_public_key_t *this, signature_scheme_t *scheme,
chunk_t data, chunk_t sig)
{
CK_MECHANISM_PTR mechanism;
hash_algorithm_t hash_alg;
chunk_t hash = chunk_empty;
- mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k,
+ mechanism = pkcs11_signature_scheme_to_mech(*scheme, this->type, this->k,
&hash_alg);
if (!mechanism)
{
DBG1(DBG_LIB, "signature scheme %N not supported",
- signature_scheme_names, scheme);
+ signature_scheme_names, *scheme);
return FALSE;
}
if (sig.len && sig.ptr[0] == 0)
{
return FALSE;
}
- valid = key->verify(key, scheme, this->certificateInfo, this->signature);
+ valid = key->verify(key, &scheme, this->certificateInfo, this->signature);
key->destroy(key);
if (valid && schemep)
{
{
return FALSE;
}
- valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
+ valid = key->verify(key, &scheme, this->tbsCertificate, this->signature);
key->destroy(key);
if (valid && schemep)
{
{
return FALSE;
}
- valid = key->verify(key, scheme, this->tbsCertList, this->signature);
+ valid = key->verify(key, &scheme, this->tbsCertList, this->signature);
key->destroy(key);
if (valid && schemep)
{
{
return FALSE;
}
- valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
+ valid = key->verify(key, &scheme, this->tbsResponseData, this->signature);
key->destroy(key);
if (valid && schemep)
{
{
return FALSE;
}
- valid = key->verify(key, scheme, this->certificationRequestInfo,
+ valid = key->verify(key, &scheme, this->certificationRequestInfo,
this->signature);
if (valid && schemep)
{
tls_signature_algorithm_names, alg);
return FALSE;
}
- if (!key->verify(key, scheme, data, sig))
+ if (!key->verify(key, &scheme, data, sig))
{
return FALSE;
}
}
else
{
+ signature_scheme_t scheme;
chunk_t sig, hash;
bool done;
{
return FALSE;
}
- done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
+ scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+ done = key->verify(key, &scheme, hash, sig);
free(hash.ptr);
if (!done)
{
DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
break;
case KEY_ECDSA:
- if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
+ scheme = SIGN_ECDSA_WITH_SHA1_DER;
+ if (!key->verify(key, &scheme, data, sig))
{
return FALSE;
}
static status_t process_key_exchange_encrypted(private_tls_server_t *this,
bio_reader_t *reader)
{
+ encryption_scheme_t scheme = ENCRYPT_RSA_PKCS1;
chunk_t encrypted, decrypted;
char premaster[48];
rng_t *rng;
rng->destroy(rng);
if (this->private &&
- this->private->decrypt(this->private,
- ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
+ this->private->decrypt(this->private, &scheme, encrypted, &decrypted))
{
if (decrypted.len == sizeof(premaster) &&
untoh16(decrypted.ptr) == this->client_version)
projects / thirdparty / strongswan.git / commitdiff
