From: Nikos Mavrogiannopoulos Date: Sat, 18 Dec 2010 11:00:01 +0000 (+0100) Subject: The verification functions now return a GNUTLS_E_PK_SIG_VERIFY_FAILED on signature... X-Git-Tag: gnutls_2_11_7~115 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=32aabbb05e25e7eb3cf306590ff30be8d7e30da5;p=thirdparty%2Fgnutls.git The verification functions now return a GNUTLS_E_PK_SIG_VERIFY_FAILED on signature verification error. --- diff --git a/NEWS b/NEWS index 66f6d6ddc8..b61d12d70e 100644 --- a/NEWS +++ b/NEWS @@ -8,7 +8,13 @@ See the end for copying conditions. ** libgnutls: The deprecated gnutls_x509_privkey_sign_hash() was replaced by gnutls_privkey_sign_hash2(). -** Added helper functions for signature verification: +** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash, +gnutls_openpgp_crt_verify_hash, gnutls_x509_privkey_verify_data, +gnutls_x509_crt_verify_data, gnutls_x509_crt_verify_hash +return the negative error code GNUTLS_E_PK_SIG_VERIFY_FAILED +if verification fails. + +** libgnutls: Added helper functions for signature verification: gnutls_pubkey_verify_data() and gnutls_pubkey_import_privkey(). ** libgnutls: Added gnutls_pkcs11_privkey_sign_hash2(), diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index 51421308a0..035553fb9f 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c @@ -981,8 +981,8 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key, * This function will verify the given signed data, using the * parameters from the certificate. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags, @@ -1018,8 +1018,8 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey, unsigned int flags, * This function will verify the given signed digest, using the * parameters from the certificate. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned int flags, diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c index 4dc8af4cf3..409711c252 100644 --- a/lib/openpgp/pgp.c +++ b/lib/openpgp/pgp.c @@ -1698,8 +1698,8 @@ gnutls_openpgp_crt_get_auth_subkey (gnutls_openpgp_crt_t crt, * This function will verify the given signed digest, using the * parameters from the certificate. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_openpgp_crt_verify_hash (gnutls_openpgp_crt_t crt, unsigned int flags, @@ -1738,7 +1738,7 @@ gnutls_openpgp_crt_verify_hash (gnutls_openpgp_crt_t crt, unsigned int flags, if (ret < 0) { gnutls_assert (); - return 0; + return ret; } return ret; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 7d3caa317e..b5ad997d8e 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -1889,8 +1889,8 @@ gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key, * This function will verify the given signed data, using the * parameters in the private key. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key, @@ -1910,7 +1910,7 @@ gnutls_x509_privkey_verify_data (gnutls_x509_privkey_t key, if (result < 0) { gnutls_assert (); - return 0; + return result; } return result; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 8ced28102e..e830cec7da 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -299,7 +299,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, gnutls_datum_t cert_signed_data = { NULL, 0 }; gnutls_datum_t cert_signature = { NULL, 0 }; gnutls_x509_crt_t issuer = NULL; - int ret, issuer_version, result; + int issuer_version, result; if (output) *output = 0; @@ -365,20 +365,21 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, goto cleanup; } - ret = + result = _gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature, issuer); - if (ret < 0) - { - gnutls_assert (); - } - else if (ret == 0) + if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { gnutls_assert (); /* error. ignore it */ if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; + result = 0; + } + else if (result < 0) + { + gnutls_assert(); + goto cleanup; } /* If the certificate is not self signed check if the algorithms @@ -398,12 +399,10 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, { if (output) *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; - ret = 0; + result = 0; } } - result = ret; - cleanup: _gnutls_free_datum (&cert_signed_data); _gnutls_free_datum (&cert_signature); @@ -829,8 +828,8 @@ dsa_verify_sig (const gnutls_datum_t * text, return ret; } -/* Verifies the signature data, and returns 0 if not verified, - * or 1 otherwise. +/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if + * not verified, or 1 otherwise. */ int pubkey_verify_sig (const gnutls_datum_t * tbs, @@ -848,7 +847,7 @@ pubkey_verify_sig (const gnutls_datum_t * tbs, (tbs, hash, signature, issuer_params, issuer_params_size) != 0) { gnutls_assert (); - return 0; + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } return 1; @@ -859,7 +858,7 @@ pubkey_verify_sig (const gnutls_datum_t * tbs, (tbs, hash, signature, issuer_params, issuer_params_size) != 0) { gnutls_assert (); - return 0; + return GNUTLS_E_PK_SIG_VERIFY_FAILED; } return 1; @@ -967,7 +966,7 @@ cleanup: } /* verifies if the certificate is properly signed. - * returns 0 on failure and 1 on success. + * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success. * * 'tbs' is the signed data * 'signature' is the signature! @@ -1012,7 +1011,7 @@ _gnutls_x509_verify_signature (const gnutls_datum_t * tbs, } /* verifies if the certificate is properly signed. - * returns 0 on failure and 1 on success. + * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success. * * 'tbs' is the signed data * 'signature' is the signature! @@ -1244,7 +1243,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, gnutls_datum_t crl_signed_data = { NULL, 0 }; gnutls_datum_t crl_signature = { NULL, 0 }; gnutls_x509_crt_t issuer; - int ret, result; + int result; if (output) *output = 0; @@ -1296,20 +1295,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, goto cleanup; } - ret = + result = _gnutls_x509_verify_signature (&crl_signed_data, NULL, &crl_signature, issuer); - if (ret < 0) - { - gnutls_assert (); - } - else if (ret == 0) + if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { gnutls_assert (); /* error. ignore it */ if (output) *output |= GNUTLS_CERT_INVALID; - ret = 0; + result = 0; + } + else if (result < 0) + { + gnutls_assert (); + goto cleanup; } { @@ -1324,12 +1324,10 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, { if (output) *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; - ret = 0; + result = 0; } } - result = ret; - cleanup: _gnutls_free_datum (&crl_signed_data); _gnutls_free_datum (&crl_signature); diff --git a/lib/x509/x509.c b/lib/x509/x509.c index c3b9090793..9aaeff8f80 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -2600,8 +2600,8 @@ gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt, * This function will verify the given signed data, using the * parameters from the certificate. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, @@ -2620,7 +2620,7 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, if (result < 0) { gnutls_assert (); - return 0; + return result; } return result; @@ -2636,8 +2636,8 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, * This function will verify the given signed digest, using the * parameters from the certificate. * - * Returns: In case of a verification failure 0 is returned, and 1 on - * success. + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * is returned, and a positive code on success. **/ int gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags, @@ -2656,7 +2656,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags, if (result < 0) { gnutls_assert (); - return 0; + return result; } return result; diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c index 0d2a36c89c..85e9ce7883 100644 --- a/tests/x509sign-verify.c +++ b/tests/x509sign-verify.c @@ -195,7 +195,7 @@ doit (void) fail ("gnutls_x509_crt_get_verify_algorithm\n"); ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature); - if (ret <= 0) + if (ret < 0) fail ("gnutls_x509_privkey_verify_hash\n"); ret = @@ -204,12 +204,12 @@ doit (void) fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n"); ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature2); - if (ret <= 0) + if (ret < 0) fail ("gnutls_x509_privkey_verify_hash (hashed data)\n"); /* should fail */ ret = gnutls_x509_crt_verify_hash (crt, 0, &invalid_hash_data, &signature2); - if (ret < 0 || ret == 1) + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) fail ("gnutls_x509_privkey_verify_hash (hashed data)\n"); @@ -262,13 +262,13 @@ doit (void) fail ("gnutls_pubkey_get_verify_algorithm\n"); /* should fail */ - ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature); - if (ret < 0 || ret == 1) + ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, + &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) fail ("gnutls_x509_privkey_verify_hash 1\n"); /* should succeed */ ret = gnutls_pubkey_verify_data (pubkey, 0, &raw_data, &signature); - if (ret <= 0) + if (ret < 0) fail ("gnutls_x509_privkey_verify_data\n"); gnutls_x509_privkey_deinit(key);