public-key: Add optional parameters argument to verify() method
authorTobias Brunner <tobias@strongswan.org>
Tue, 19 Sep 2017 15:15:18 +0000 (17:15 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:48:10 +0000 (16:48 +0100)
28 files changed:
scripts/pubkey_speed.c
src/charon-tkm/src/tkm/tkm_public_key.c
src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
src/libimcv/pts/pts.c
src/libstrongswan/credentials/keys/public_key.c
src/libstrongswan/credentials/keys/public_key.h
src/libstrongswan/plugins/bliss/bliss_public_key.c
src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
src/libstrongswan/plugins/curve25519/curve25519_public_key.c
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_pkcs7.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/plugins/x509/x509_pkcs10.c
src/libstrongswan/tests/suites/test_ecdsa.c
src/libstrongswan/tests/suites/test_ed25519.c
src/libstrongswan/tests/suites/test_rsa.c
src/libtls/tls_crypto.c

index 66279ad..8ccaa0b 100644 (file)
@@ -135,7 +135,7 @@ int main(int argc, char *argv[])
        start_timing(&timing);
        for (round = 0; round < rounds; round++)
        {
-               if (!public->verify(public, scheme, data, sigs[round]))
+               if (!public->verify(public, scheme, NULL, data, sigs[round]))
                {
                        printf("signature verification failed\n");
                        exit(1);
index 9ebdc29..788336c 100644 (file)
@@ -53,7 +53,7 @@ METHOD(public_key_t, get_type, key_type_t,
 }
 
 METHOD(public_key_t, verify, bool,
-       private_tkm_public_key_t *this, signature_scheme_t scheme,
+       private_tkm_public_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t signature)
 {
        return TRUE;
index 344c1bf..8e048c8 100644 (file)
@@ -176,7 +176,7 @@ METHOD(authenticator_t, process, status_t,
                                                                                                                id, auth, TRUE);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
-               if (public->verify(public, scheme, hash, sig))
+               if (public->verify(public, scheme, NULL, hash, sig))
                {
                        DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                 id, signature_scheme_names, scheme);
index b2b1ef2..e47abc7 100644 (file)
@@ -434,7 +434,7 @@ METHOD(authenticator_t, process, status_t,
                                                                                                        key_type, id, auth, online);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
-               if (public->verify(public, scheme, octets, auth_data))
+               if (public->verify(public, scheme, NULL, octets, auth_data))
                {
                        DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
                                 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
index d771d07..09ffd71 100644 (file)
@@ -762,7 +762,7 @@ METHOD(pts_t, verify_quote_signature, bool,
                        return FALSE;
        }
 
-       if (!aik_pubkey->verify(aik_pubkey, scheme, digest, signature))
+       if (!aik_pubkey->verify(aik_pubkey, scheme, NULL, digest, signature))
        {
                DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
                DESTROY_IF(aik_pubkey);
index 17b90b4..74a27d0 100644 (file)
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015-2017 Tobias Brunner
  * Copyright (C) 2014-2016 Andreas Steffen
+ * Copyright (C) 2007 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
index 32cb0c3..186530f 100644 (file)
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015-2017 Tobias Brunner
  * Copyright (C) 2014-2017 Andreas Steffen
+ * Copyright (C) 2007 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -170,12 +170,13 @@ struct public_key_t {
        /**
         * Verifies a signature against a chunk of data.
         *
-        * @param scheme        signature scheme to use for verification, may be default
+        * @param scheme        signature scheme to use for verification
+        * @param params        optional parameters required by the specified scheme
         * @param data          data to check signature against
         * @param signature     signature to check
         * @return                      TRUE if signature matches
         */
-       bool (*verify)(public_key_t *this, signature_scheme_t scheme,
+       bool (*verify)(public_key_t *this, signature_scheme_t scheme, void *params,
                                   chunk_t data, chunk_t signature);
 
        /**
index f7ddbbf..945840c 100644 (file)
@@ -194,7 +194,7 @@ end:
 }
 
 METHOD(public_key_t, verify, bool,
-       private_bliss_public_key_t *this, signature_scheme_t scheme,
+       private_bliss_public_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t signature)
 {
        switch (scheme)
index d871068..dc50115 100644 (file)
@@ -120,7 +120,7 @@ START_TEST(test_bliss_sign_all)
                {
                        ck_assert(privkey->sign(privkey, signature_scheme, msg,
                                                                        &signature));
-                       ck_assert(pubkey->verify(pubkey, signature_scheme, msg,
+                       ck_assert(pubkey->verify(pubkey, signature_scheme, NULL, msg,
                                                                         signature));
                        free(signature.ptr);
                }
@@ -179,11 +179,11 @@ START_TEST(test_bliss_sign_fail)
        ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature));
 
        /* verify with invalid signature scheme */
-       ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature));
+       ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, NULL, msg, signature));
 
        /* corrupt signature */
        signature.ptr[signature.len - 1] ^= 0x80;
-       ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature));
+       ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, signature));
 
        free(signature.ptr);
        privkey->destroy(privkey);
index d077763..1d4dec5 100644 (file)
@@ -50,7 +50,7 @@ METHOD(public_key_t, get_type, key_type_t,
 
 METHOD(public_key_t, verify, bool,
        private_curve25519_public_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t signature)
+       void *params, chunk_t data, chunk_t signature)
 {
        hasher_t *hasher;
        uint8_t d = 0, k[HASH_SIZE_SHA512], r[32], *sig;
index 90829e0..5820a89 100644 (file)
@@ -167,7 +167,7 @@ METHOD(public_key_t, get_type, key_type_t,
 
 METHOD(public_key_t, verify, bool,
        private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t signature)
+       void *params, chunk_t data, chunk_t signature)
 {
        switch (scheme)
        {
index 065c889..7194fee 100644 (file)
@@ -290,7 +290,7 @@ METHOD(public_key_t, get_type, key_type_t,
 }
 
 METHOD(public_key_t, verify, bool,
-       private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
+       private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t signature)
 {
        switch (scheme)
index 503f7bf..663f091 100644 (file)
@@ -332,7 +332,8 @@ METHOD(certificate_t, issued_by, bool,
        tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl);
 #endif
        X509_CRL_get0_signature(this->crl, &sig, NULL);
-       valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig));
+       valid = key->verify(key, this->scheme, NULL, tbs,
+                                               openssl_asn1_str2chunk(sig));
        free(tbs.ptr);
        key->destroy(key);
        if (valid && scheme)
index a1e56fc..faa9408 100644 (file)
@@ -151,7 +151,7 @@ METHOD(public_key_t, get_type, key_type_t,
 
 METHOD(public_key_t, verify, bool,
        private_openssl_ec_public_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t signature)
+       void *params, chunk_t data, chunk_t signature)
 {
        switch (scheme)
        {
index 83ac8df..f94767c 100644 (file)
@@ -256,7 +256,7 @@ static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid)
                        key = cert->get_public_key(cert);
                        if (key)
                        {
-                               if (key->verify(key, signature_scheme_from_oid(hash_oid),
+                               if (key->verify(key, signature_scheme_from_oid(hash_oid), NULL,
                                                                attrs, sig))
                                {
                                        found = auth->clone(auth);
index d3a644f..078b261 100644 (file)
@@ -137,7 +137,7 @@ METHOD(public_key_t, get_type, key_type_t,
 
 METHOD(public_key_t, verify, bool,
        private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
-       chunk_t data, chunk_t signature)
+       void *params, chunk_t data, chunk_t signature)
 {
        switch (scheme)
        {
index 0d0b997..7e077e7 100644 (file)
@@ -430,7 +430,8 @@ METHOD(certificate_t, issued_by, bool,
        tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info);
 #endif
        X509_get0_signature(&sig, NULL, this->x509);
-       valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig));
+       valid = key->verify(key, this->scheme, NULL, tbs,
+                                               openssl_asn1_str2chunk(sig));
        free(tbs.ptr);
        key->destroy(key);
        if (valid && scheme)
index 3847776..36029fa 100644 (file)
@@ -201,7 +201,7 @@ METHOD(public_key_t, get_keysize, int,
 }
 
 METHOD(public_key_t, verify, bool,
-       private_pkcs11_public_key_t *this, signature_scheme_t scheme,
+       private_pkcs11_public_key_t *this, signature_scheme_t scheme, void *params,
        chunk_t data, chunk_t sig)
 {
        CK_MECHANISM_PTR mechanism;
index 413c3ff..4d822a4 100644 (file)
@@ -227,7 +227,8 @@ METHOD(enumerator_t, enumerate, bool,
                                if (key)
                                {
                                        chunk = info->attributes->get_encoding(info->attributes);
-                                       if (key->verify(key, scheme, chunk, info->encrypted_digest))
+                                       if (key->verify(key, scheme, NULL, chunk,
+                                                                       info->encrypted_digest))
                                        {
                                                this->auth = auth->clone(auth);
                                                key->destroy(key);
index ba45928..a01b270 100644 (file)
@@ -933,7 +933,8 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       valid = key->verify(key, scheme, this->certificateInfo, this->signature);
+       valid = key->verify(key, scheme, NULL, this->certificateInfo,
+                                               this->signature);
        key->destroy(key);
        if (valid && schemep)
        {
index dea2c70..c626859 100644 (file)
@@ -1719,7 +1719,8 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
+       valid = key->verify(key, scheme, NULL, this->tbsCertificate,
+                                               this->signature);
        key->destroy(key);
        if (valid && schemep)
        {
index 6d18ea5..5896aa2 100644 (file)
@@ -502,7 +502,7 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       valid = key->verify(key, scheme, this->tbsCertList, this->signature);
+       valid = key->verify(key, scheme, NULL, this->tbsCertList, this->signature);
        key->destroy(key);
        if (valid && schemep)
        {
index 140e9bf..fd0d84e 100644 (file)
@@ -753,7 +753,8 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
+       valid = key->verify(key, scheme, NULL, this->tbsResponseData,
+                                               this->signature);
        key->destroy(key);
        if (valid && schemep)
        {
index e39e24b..5455541 100644 (file)
@@ -152,7 +152,7 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       valid = key->verify(key, scheme, this->certificationRequestInfo,
+       valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
                                                this->signature);
        if (valid && schemep)
        {
index 3c84299..d30d87e 100644 (file)
@@ -59,7 +59,7 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
                }
                fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig),
                                        "sign %N", signature_scheme_names, schemes[i].scheme);
-               fail_unless(pubkey->verify(pubkey, schemes[i].scheme, data, sig),
+               fail_unless(pubkey->verify(pubkey, schemes[i].scheme, NULL, data, sig),
                                        "verify %N", signature_scheme_names, schemes[i].scheme);
                free(sig.ptr);
        }
@@ -121,7 +121,8 @@ static void test_bad_sigs(public_key_t *pubkey)
                for (i = 0; i < countof(invalid_sigs); i++)
                {
                        fail_if(
-                               pubkey->verify(pubkey, schemes[s].scheme, data, invalid_sigs[i]),
+                               pubkey->verify(pubkey, schemes[s].scheme, NULL, data,
+                                                          invalid_sigs[i]),
                                "bad %N sig accepted %B",
                                signature_scheme_names, schemes[s].scheme,
                                &invalid_sigs[i]);
index 0084262..6fbec12 100644 (file)
@@ -302,8 +302,8 @@ START_TEST(test_ed25519_sign)
        ck_assert(chunk_equals(sig, sig_tests[_i].sig));
 
        /* verify */
-       ck_assert(pubkey->verify(pubkey, SIGN_ED25519, sig_tests[_i].msg,
-                                                                                                  sig_tests[_i].sig));
+       ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg,
+                                                        sig_tests[_i].sig));
 
        /* cleanup */
        key->destroy(key);
@@ -375,10 +375,10 @@ START_TEST(test_ed25519_gen)
        ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL));
 
        /* verify with wrong signature scheme */
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED448, msg, sig));
+       ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
 
        /* verify with correct signature scheme */
-       ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig));
+       ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
 
        /* cleanup */
        key->destroy(key);
@@ -407,7 +407,7 @@ START_TEST(test_ed25519_speed)
                ck_assert(key->sign(key, SIGN_ED25519, msg, &sig));
                pubkey = key->get_public_key(key);
                ck_assert(pubkey != NULL);
-               ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig));
+               ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
                key->destroy(key);
                pubkey->destroy(pubkey);
                chunk_free(&sig);
@@ -476,25 +476,29 @@ START_TEST(test_ed25519_fail)
                                        BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END);
        ck_assert(pubkey != NULL);
 
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, chunk_empty, chunk_empty));
+       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty,
+                                                         chunk_empty));
 
        /* malformed signature */
        sig = chunk_create(sig1, 64);
        memcpy(sig1, sig_tests[0].sig.ptr, 64);
        sig1[63] |= 0xe0;
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+                                                         sig));
 
        /* wrong signature */
        memcpy(sig1, sig_tests[0].sig.ptr, 64);
        sig1[0] = 0xe4;
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+                                                         sig));
 
        /* detect all-zeroes public key */
        pubkey->destroy(pubkey);
        pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
                                        BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
        ck_assert(pubkey != NULL);
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+                                                         sig));
        pubkey->destroy(pubkey);
 }
 END_TEST
index 41e7835..a155980 100644 (file)
@@ -49,7 +49,7 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
                }
                fail_unless(privkey->sign(privkey, schemes[i], data, &sig),
                                        "sign %N", signature_scheme_names, schemes[i]);
-               fail_unless(pubkey->verify(pubkey, schemes[i], data, sig),
+               fail_unless(pubkey->verify(pubkey, schemes[i], NULL, data, sig),
                                        "verify %N", signature_scheme_names, schemes[i]);
                free(sig.ptr);
        }
@@ -106,7 +106,7 @@ static void test_bad_sigs(public_key_t *pubkey)
                for (i = 0; i < countof(invalid_sigs); i++)
                {
                        fail_if(
-                               pubkey->verify(pubkey, schemes[s], data, invalid_sigs[i]),
+                               pubkey->verify(pubkey, schemes[s], NULL, data, invalid_sigs[i]),
                                "bad %N sig accepted %B", signature_scheme_names, schemes[s],
                                &invalid_sigs[i]);
                }
index 05ae62b..29af5d9 100644 (file)
@@ -1509,7 +1509,7 @@ METHOD(tls_crypto_t, verify, bool,
                                 tls_signature_algorithm_names, alg);
                        return FALSE;
                }
-               if (!key->verify(key, scheme, data, sig))
+               if (!key->verify(key, scheme, NULL, data, sig))
                {
                        return FALSE;
                }
@@ -1533,7 +1533,8 @@ METHOD(tls_crypto_t, verify, bool,
                                {
                                        return FALSE;
                                }
-                               done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
+                               done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
+                                                                  sig);
                                free(hash.ptr);
                                if (!done)
                                {
@@ -1542,7 +1543,8 @@ METHOD(tls_crypto_t, verify, bool,
                                DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
                                break;
                        case KEY_ECDSA:
-                               if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
+                               if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
+                                                                sig))
                                {
                                        return FALSE;
                                }