From: Martin Willi Date: Mon, 11 Jun 2012 07:40:52 +0000 (+0200) Subject: Pass signature/encryption scheme as pointer to verify()/decrypt() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6c1eaaa4279a3871c6aef0b845227ac288d899b;p=thirdparty%2Fstrongswan.git Pass signature/encryption scheme as pointer to verify()/decrypt() To automatically detect schemes, we'll pass UNKNOWN and receive the detected result to the passed pointer. --- diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c index 6402e606da..8c8efb6b0c 100644 --- a/scripts/pubkey_speed.c +++ b/scripts/pubkey_speed.c @@ -121,7 +121,7 @@ int main(int argc, char *argv[]) start_timing(&timing); for (round = 0; round < rounds; round++) { - if (!public->verify(public, scheme, data, sigs[round])) + if (!public->verify(public, &scheme, data, sigs[round])) { printf("signature verification failed\n"); exit(1); diff --git a/src/libcharon/plugins/unit_tester/tests/test_agent.c b/src/libcharon/plugins/unit_tester/tests/test_agent.c index baab629be9..abbd0db262 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_agent.c +++ b/src/libcharon/plugins/unit_tester/tests/test_agent.c @@ -22,6 +22,7 @@ bool test_agent() { char *path; + signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1; chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08); private_key_t *private; public_key_t *public; @@ -39,7 +40,7 @@ bool test_agent() { return FALSE; } - if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig)) + if (!private->sign(private, scheme, data, &sig)) { return FALSE; } @@ -48,13 +49,13 @@ bool test_agent() { return FALSE;; } - if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) + if (!public->verify(public, &scheme, data, sig)) { return FALSE; } free(sig.ptr); data.ptr[1] = 0x01; /* fake it */ - if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) + if (public->verify(public, &scheme, data, sig)) { return FALSE; } 
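Review bot: In test_agent.c the second `public->verify(public, &scheme, data, sig)` runs after `free(sig.ptr)`, so the negative check reads a freed signature buffer; the changed line keeps that order. Moving `free(sig.ptr);` below the faked-data check makes the test exercise a genuinely rejected signature rather than undefined behaviour. The one `scheme` variable now feeds sign() and both verify() calls by address, which is fine while it stays SIGN_RSA_EMSA_PKCS1_SHA1, but it would need re-initialising before each call once verify() can write a detected scheme back. test_agent() starts and ends outside these hunks.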
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c index 6ba5769b54..34530f4e0d 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c +++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c @@ -26,6 +26,8 @@ bool test_rsa_gen() private_key_t *private; public_key_t *public; u_int key_size; + signature_scheme_t sigscheme = SIGN_RSA_EMSA_PKCS1_SHA1; + encryption_scheme_t encscheme = ENCRYPT_RSA_PKCS1; for (key_size = 512; key_size <= 2048; key_size *= 2) { @@ -42,29 +44,29 @@ bool test_rsa_gen() DBG1(DBG_CFG, "generating public from private key failed"); return FALSE; } - if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig)) + if (!private->sign(private, sigscheme, data, &sig)) { DBG1(DBG_CFG, "creating RSA signature failed"); return FALSE; } - if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) + if (!public->verify(public, &sigscheme, data, sig)) { DBG1(DBG_CFG, "verifying RSA signature failed"); return FALSE; } sig.ptr[sig.len-1]++; - if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) + if (public->verify(public, &sigscheme, data, sig)) { DBG1(DBG_CFG, "verifying faked RSA signature succeeded!"); return FALSE; } free(sig.ptr); - if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt)) + if (!public->encrypt(public, encscheme, data, &crypt)) { DBG1(DBG_CFG, "encrypting data with RSA failed"); return FALSE; } - if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain)) + if (!private->decrypt(private, &encscheme, crypt, &plain)) { DBG1(DBG_CFG, "decrypting data with RSA failed"); return FALSE; diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index 8d3f21c49a..1f373cda72 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c 
@@ -160,7 +160,7 @@ METHOD(authenticator_t, process, status_t, id, auth); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, hash, sig)) + if (public->verify(public, &scheme, hash, sig)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, key_type_names, this->type); diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 179be39777..ce020c5c91 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -183,7 +183,7 @@ METHOD(authenticator_t, process, status_t, key_type, id, auth); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, octets, auth_data)) + if (public->verify(public, &scheme, octets, auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, auth_method_names, auth_method); diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 65ae2b2d28..a719de2da3 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -842,7 +842,7 @@ METHOD(pts_t, extend_pcr, bool, DBG3(DBG_PTS, "PCR %d extended with: %B", pcr_num, &input); DBG3(DBG_PTS, "PCR %d value after extend: %B", pcr_num, output); - + chunk_clear(&pcr_value); Tspi_Context_FreeMemory(hContext, NULL); Tspi_Context_Close(hContext); @@ -851,11 +851,11 @@ METHOD(pts_t, extend_pcr, bool, err: DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result); - + chunk_clear(&pcr_value); Tspi_Context_FreeMemory(hContext, NULL); Tspi_Context_Close(hContext); - + return FALSE; } @@ -956,7 +956,7 @@ METHOD(pts_t, quote_tpm, bool, { i++; f = 1; - } + } if (this->pcr_select[i] & f) { result = use_quote2 ? 
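Review bot: In pubkey_v1_authenticator.c, `public->verify(public, &scheme, hash, sig)` hands the same `scheme` variable to every key the enumerator returns, and the ikev2 pubkey_authenticator.c hunk does the same with `octets` and `auth_data`. Under the in/out contract this commit documents, a verify() that stores a detected scheme would change what the remaining candidate keys are checked against. A per-iteration copy avoids that: `signature_scheme_t s = scheme;` followed by `if (public->verify(public, &s, hash, sig))`. How `scheme` is chosen before the loop is outside the hunk, so whether it can ever be SIGN_UNKNOWN here needs confirming.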
@@ -1154,14 +1154,14 @@ METHOD(pts_t, get_quote_info, bool, "unable to construct TPM Quote Info2"); return FALSE; } - + /** * A TPM v1.2 has 24 PCR Registers * so the bitmask field length used by TrouSerS is at least 3 bytes */ size_of_select = max(PCR_MAX_NUM / 8, 1 + this->pcr_max / 8); pcr_comp_len = 2 + size_of_select + 4 + this->pcr_count * this->pcr_len; - + writer = bio_writer_create(pcr_comp_len); writer->write_uint16(writer, size_of_select); @@ -1228,7 +1228,7 @@ METHOD(pts_t, get_quote_info, bool, { writer->write_uint8(writer, this->pcr_select[i]); } - + /* TPM Locality Selection */ writer->write_uint8(writer, TPM_LOC_ZERO); @@ -1271,6 +1271,7 @@ METHOD(pts_t, get_quote_info, bool, METHOD(pts_t, verify_quote_signature, bool, private_pts_t *this, chunk_t data, chunk_t signature) { + signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1; public_key_t *aik_pub_key; aik_pub_key = this->aik->get_public_key(this->aik); @@ -1280,8 +1281,7 @@ METHOD(pts_t, verify_quote_signature, bool, return FALSE; } - if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, - data, signature)) + if (!aik_pub_key->verify(aik_pub_key, &scheme, data, signature)) { DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); DESTROY_IF(aik_pub_key); @@ -1357,7 +1357,7 @@ static char* extract_platform_info(void) { strcpy(buf, str_debian); pos += strlen(str_debian); - len -= strlen(str_debian); + len -= strlen(str_debian); } fseek(file, 0, SEEK_END); diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index b9f7dad550..c2bddb810a 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h 
@@ -51,12 +51,16 @@ struct private_key_t { /** * Decrypt a chunk of data. * - * @param scheme expected encryption scheme used + * If an encryption scheme is given, only data with such a scheme is + * valid. If scheme is ENCRYPT_UNKNOWN, the scheme is detected and + * returned to the scheme pointer. + * + * @param scheme encryption scheme to use/used * @param crypto chunk containing encrypted data * @param plain where to allocate decrypted data * @return TRUE if data decrypted and plaintext allocated */ - bool (*decrypt)(private_key_t *this, encryption_scheme_t scheme, + bool (*decrypt)(private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain); /** diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index fdbe17f2c1..d9a06954b4 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -137,12 +137,16 @@ struct public_key_t { /** * Verifies a signature against a chunk of data. * - * @param scheme signature scheme to use for verification, may be default + * If a signature scheme is given, only a signature with such a scheme is + * valid. If scheme is SIGN_UNKNOWN, the signature is detected and + * returned to the scheme pointer. + * + * @param scheme signature scheme to use/used for verification * @param data data to check signature against * @param signature signature to check * @return TRUE if signature matches */ - bool (*verify)(public_key_t *this, signature_scheme_t scheme, + bool (*verify)(public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t signature); /** diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index c5fa8c02d4..a7ccea85c6 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c 
@@ -388,7 +388,7 @@ end: DBG1(DBG_LIB, "no public key found in CA certificate"); return FALSE; } - if (key->verify(key, scheme, + if (key->verify(key, &scheme, this->attributes->get_encoding(this->attributes), encrypted_digest)) { DBG2(DBG_LIB, "signature is valid"); @@ -487,6 +487,8 @@ METHOD(pkcs7_t, parse_envelopedData, bool, int objectID, version; bool success = FALSE; + encryption_scheme_t scheme = ENCRYPT_RSA_PKCS1; + chunk_t iv = chunk_empty; chunk_t symmetric_key = chunk_empty; chunk_t encrypted_content = chunk_empty; @@ -563,7 +565,7 @@ METHOD(pkcs7_t, parse_envelopedData, bool, } case PKCS7_ENCRYPTED_KEY: { - if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key)) + if (!key->decrypt(key, &scheme, object, &symmetric_key)) { DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa"); goto end; diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 60b57ad2dc..054b628729 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -299,7 +299,7 @@ METHOD(private_key_t, get_type, key_type_t, } METHOD(private_key_t, decrypt, bool, - private_agent_private_key_t *this, encryption_scheme_t scheme, + private_agent_private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "private key decryption not supported by ssh-agent"); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index eb38eea3b6..0587641d51 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c 
@@ -226,7 +226,7 @@ METHOD(private_key_t, sign, bool, } METHOD(private_key_t, decrypt, bool, - private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme, + private_gcrypt_rsa_private_key_t *this, encryption_scheme_t *scheme, chunk_t encrypted, chunk_t *plain) { gcry_error_t err; @@ -234,10 +234,10 @@ METHOD(private_key_t, decrypt, bool, chunk_t padded; u_char *pos = NULL;; - if (scheme != ENCRYPT_RSA_PKCS1) + if (*scheme != ENCRYPT_RSA_PKCS1) { DBG1(DBG_LIB, "encryption scheme %N not supported", - encryption_scheme_names, scheme); + encryption_scheme_names, *scheme); return FALSE; } err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))", diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index f8645da979..43c828c478 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -166,10 +166,10 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme, + private_gcrypt_rsa_public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t signature) { - switch (scheme) + switch (*scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return verify_raw(this, data, signature); @@ -187,7 +187,7 @@ METHOD(public_key_t, verify, bool, return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", - signature_scheme_names, scheme); + signature_scheme_names, *scheme); return FALSE; } } diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index 1b6c20817b..8f2219f31d 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c 
@@ -314,16 +314,16 @@ METHOD(private_key_t, sign, bool, } METHOD(private_key_t, decrypt, bool, - private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme, + private_gmp_rsa_private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain) { chunk_t em, stripped; bool success = FALSE; - if (scheme != ENCRYPT_RSA_PKCS1) + if (*scheme != ENCRYPT_RSA_PKCS1) { DBG1(DBG_LIB, "encryption scheme %N not supported", - encryption_scheme_names, scheme); + encryption_scheme_names, *scheme); return FALSE; } /* rsa decryption using PKCS#1 RSADP */ diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 898892f5b8..f096ee5801 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -280,10 +280,10 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, + private_gmp_rsa_public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t signature) { - switch (scheme) + switch (*scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature); @@ -301,7 +301,7 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", - signature_scheme_names, scheme); + signature_scheme_names, *scheme); return FALSE; } } diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index e529ff8a59..2a89ac97f9 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c 
@@ -267,7 +267,7 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl); - valid = key->verify(key, this->scheme, tbs, + valid = key->verify(key, &this->scheme, tbs, openssl_asn1_str2chunk(this->crl->signature)); free(tbs.ptr); key->destroy(key); diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 9505045735..bc49b4d457 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -171,7 +171,7 @@ METHOD(private_key_t, sign, bool, } METHOD(private_key_t, decrypt, bool, - private_openssl_ec_private_key_t *this, encryption_scheme_t scheme, + private_openssl_ec_private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "EC private key decryption not implemented"); diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index 7461695ad8..67e3984d76 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -137,10 +137,10 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_openssl_ec_public_key_t *this, signature_scheme_t scheme, + private_openssl_ec_public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t signature) { - switch (scheme) + switch (*scheme) { case SIGN_ECDSA_WITH_SHA1_DER: return verify_der_signature(this, NID_sha1, data, signature); 
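Review bot: In openssl_crl.c, `key->verify(key, &this->scheme, tbs, ...)` gives verify() write access to the scheme stored in the CRL object, and the openssl_x509.c hunk does the same with the certificate's `this->scheme`. If that field ever holds SIGN_UNKNOWN, an implementation following the new public_key.h contract would overwrite parsed object state as a side effect of a signature check, on an object that may be shared between callers. Passing a local copy keeps issued_by() free of that side effect: `signature_scheme_t scheme = this->scheme;` then `key->verify(key, &scheme, tbs, ...)`. issued_by() starts and ends outside the hunk.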
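Review bot: `switch (*scheme)` in openssl_ec_public_key.c dereferences the pointer without a NULL check and never writes to it, so SIGN_UNKNOWN falls to the `default:` branch in the following hunk and is rejected rather than detected as the new public_key.h comment describes. The gcrypt, gmp, openssl RSA and pkcs11 verify()/decrypt() hunks behave the same way. Rejecting is the safe outcome, but it should be documented, for example `/* scheme must be non-NULL; SIGN_UNKNOWN is rejected by this backend */` above the switch. Once detection exists, callers that enforce an algorithm policy must check the returned scheme, because accepting whatever the signature declares leaves the choice of hash to the signer.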
@@ -153,17 +153,17 @@ METHOD(public_key_t, verify, bool, case SIGN_ECDSA_WITH_NULL: return verify_signature(this, data, signature); case SIGN_ECDSA_256: - return verify_curve_signature(this, scheme, NID_sha256, + return verify_curve_signature(this, *scheme, NID_sha256, NID_X9_62_prime256v1, data, signature); case SIGN_ECDSA_384: - return verify_curve_signature(this, scheme, NID_sha384, + return verify_curve_signature(this, *scheme, NID_sha384, NID_secp384r1, data, signature); case SIGN_ECDSA_521: - return verify_curve_signature(this, scheme, NID_sha512, + return verify_curve_signature(this, *scheme, NID_sha512, NID_secp521r1, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in EC", - signature_scheme_names, scheme); + signature_scheme_names, *scheme); return FALSE; } } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index d1afd94ccd..e1178a7b1d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -166,13 +166,13 @@ METHOD(private_key_t, sign, bool, } METHOD(private_key_t, decrypt, bool, - private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme, + private_openssl_rsa_private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain) { int padding, len; char *decrypted; - switch (scheme) + switch (*scheme) { case ENCRYPT_RSA_PKCS1: padding = RSA_PKCS1_PADDING; @@ -182,7 +182,7 @@ METHOD(private_key_t, decrypt, bool, break; default: DBG1(DBG_LIB, "encryption scheme %N not supported via openssl", - encryption_scheme_names, scheme); + encryption_scheme_names, *scheme); return FALSE; } decrypted = malloc(RSA_size(this->rsa)); diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index a24bae5d6d..ee99690afc 100644 
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -44,8 +44,6 @@ struct private_openssl_rsa_public_key_t { refcount_t ref; }; - - /** * Verification of an EMPSA PKCS1 signature described in PKCS#1 */ @@ -123,10 +121,10 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, + private_openssl_rsa_public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t signature) { - switch (scheme) + switch (*scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return verify_emsa_pkcs1_signature(this, NID_undef, data, signature); @@ -144,7 +142,7 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, NID_md5, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", - signature_scheme_names, scheme); + signature_scheme_names, *scheme); return FALSE; } } diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index ee19c41792..226e461986 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -390,7 +390,7 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info); - valid = key->verify(key, this->scheme, tbs, + valid = key->verify(key, &this->scheme, tbs, openssl_asn1_str2chunk(this->x509->signature)); free(tbs.ptr); key->destroy(key); diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c index 3611577421..6dd0c97710 100644 --- a/src/libstrongswan/plugins/pgp/pgp_builder.c +++ b/src/libstrongswan/plugins/pgp/pgp_builder.c 
@@ -129,7 +129,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme, /** * Implementation of private_key_t.decrypt for signature-only keys */ -static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme, +static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t *scheme, chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "decryption failed - signature only key"); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index b616abc385..c27aa70419 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -296,7 +296,7 @@ METHOD(private_key_t, sign, bool, } METHOD(private_key_t, decrypt, bool, - private_pkcs11_private_key_t *this, encryption_scheme_t scheme, + private_pkcs11_private_key_t *this, encryption_scheme_t *scheme, chunk_t crypt, chunk_t *plain) { CK_MECHANISM_PTR mechanism; @@ -305,11 +305,11 @@ METHOD(private_key_t, decrypt, bool, CK_ULONG len; CK_RV rv; - mechanism = pkcs11_encryption_scheme_to_mech(scheme); + mechanism = pkcs11_encryption_scheme_to_mech(*scheme); if (!mechanism) { DBG1(DBG_LIB, "encryption scheme %N not supported", - encryption_scheme_names, scheme); + encryption_scheme_names, *scheme); return FALSE; } rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL, diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index d4ec9235d4..f380fb4b29 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -198,7 +198,7 @@ METHOD(public_key_t, get_keysize, int, } METHOD(public_key_t, verify, bool, - private_pkcs11_public_key_t *this, signature_scheme_t scheme, + private_pkcs11_public_key_t *this, signature_scheme_t *scheme, chunk_t data, chunk_t sig) { CK_MECHANISM_PTR mechanism; 
@@ -207,12 +207,12 @@ METHOD(public_key_t, verify, bool, hash_algorithm_t hash_alg; chunk_t hash = chunk_empty; - mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k, + mechanism = pkcs11_signature_scheme_to_mech(*scheme, this->type, this->k, &hash_alg); if (!mechanism) { DBG1(DBG_LIB, "signature scheme %N not supported", - signature_scheme_names, scheme); + signature_scheme_names, *scheme); return FALSE; } if (sig.len && sig.ptr[0] == 0) diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index d6ca8c4fa3..d6964ae894 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -748,7 +748,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - valid = key->verify(key, scheme, this->certificateInfo, this->signature); + valid = key->verify(key, &scheme, this->certificateInfo, this->signature); key->destroy(key); if (valid && schemep) { diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 88101e8051..97f8fc6614 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -1612,7 +1612,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertificate, this->signature); + valid = key->verify(key, &scheme, this->tbsCertificate, this->signature); key->destroy(key); if (valid && schemep) { diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 5b4ba92dac..675787b4c5 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -488,7 +488,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertList, this->signature); + valid = key->verify(key, &scheme, this->tbsCertList, this->signature); key->destroy(key); if (valid && schemep) { 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index dc3fc27cac..99b9f27189 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -721,7 +721,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - valid = key->verify(key, scheme, this->tbsResponseData, this->signature); + valid = key->verify(key, &scheme, this->tbsResponseData, this->signature); key->destroy(key); if (valid && schemep) { diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index 5a9b2d92e8..a49dddeacd 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -152,7 +152,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - valid = key->verify(key, scheme, this->certificationRequestInfo, + valid = key->verify(key, &scheme, this->certificationRequestInfo, this->signature); if (valid && schemep) { diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 4d84876d01..e585274b38 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1390,7 +1390,7 @@ METHOD(tls_crypto_t, verify, bool, tls_signature_algorithm_names, alg); return FALSE; } - if (!key->verify(key, scheme, data, sig)) + if (!key->verify(key, &scheme, data, sig)) { return FALSE; } @@ -1399,6 +1399,7 @@ METHOD(tls_crypto_t, verify, bool, } else { + signature_scheme_t scheme; chunk_t sig, hash; bool done; @@ -1414,7 +1415,8 @@ METHOD(tls_crypto_t, verify, bool, { return FALSE; } - done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig); + scheme = SIGN_RSA_EMSA_PKCS1_NULL; + done = key->verify(key, &scheme, hash, sig); free(hash.ptr); if (!done) { 
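Review bot: The `else` branch of verify() in tls_crypto.c declares `signature_scheme_t scheme;` without a value and relies on each key-type case assigning it just before the call. Now that the variable is passed by address and SIGN_UNKNOWN is documented to mean "detect", a later case that forgets the assignment would hand verify() an indeterminate scheme. A comment on the declaration such as `/* set per key type below, never left as SIGN_UNKNOWN: legacy TLS fixes the scheme */` would record that intent. The switch over key types continues outside these hunks.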
@@ -1423,7 +1425,8 @@ METHOD(tls_crypto_t, verify, bool, DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA"); break; case KEY_ECDSA: - if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig)) + scheme = SIGN_ECDSA_WITH_SHA1_DER; + if (!key->verify(key, &scheme, data, sig)) { return FALSE; } diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index e3617dc9a9..9c9ce024f3 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -390,6 +390,7 @@ static status_t process_certificate(private_tls_server_t *this, static status_t process_key_exchange_encrypted(private_tls_server_t *this, bio_reader_t *reader) { + encryption_scheme_t scheme = ENCRYPT_RSA_PKCS1; chunk_t encrypted, decrypted; char premaster[48]; rng_t *rng; @@ -417,8 +418,7 @@ static status_t process_key_exchange_encrypted(private_tls_server_t *this, rng->destroy(rng); if (this->private && - this->private->decrypt(this->private, - ENCRYPT_RSA_PKCS1, encrypted, &decrypted)) + this->private->decrypt(this->private, &scheme, encrypted, &decrypted)) { if (decrypted.len == sizeof(premaster) && untoh16(decrypted.ptr) == this->client_version)