-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c index a97590a569..8fb4d17b1c 100644 - --- a/lib/libswan/pubkey_rsa.c +++ b/lib/libswan/pubkey_rsa.c @@ -406,58 +406,19 @@ static bool RSA_authenticate_signature_raw_rsa(const struct crypt_mac *expected_ LDBG_hunk(logger, *expected_hash); } - - /* - - * Use the same space used by the out going hash. - - */ - - - - SECItem decrypted_signature = { - - .type = siBuffer, - - }; - - - - if (SECITEM_AllocItem(NULL, &decrypted_signature, signature.len) == NULL) { - - llog_nss_error(RC_LOG, logger, "allocating space for decrypted RSA signature"); - - return false; - - } - - /* NSS doesn't do const */ - - const SECItem encrypted_signature = { - - .type = siBuffer, - - .data = DISCARD_CONST(unsigned char *, signature.ptr), - - .len = signature.len, - - }; + const SECItem signature_secitem = + same_shunk_as_secitem(signature, siBuffer); + const SECItem expected_hash_secitem = + same_shunk_as_secitem(HUNK_AS_SHUNK(*expected_hash), siBuffer); - - if (PK11_VerifyRecover(seckey_public, &encrypted_signature, &decrypted_signature, - - lsw_nss_get_password_context(logger)) != SECSuccess) { - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); + if (PK11_Verify(seckey_public, &signature_secitem, &expected_hash_secitem, + lsw_nss_get_password_context(logger)) != SECSuccess) { ldbg(logger, "NSS RSA verify: decrypting signature is failed"); *fatal_diag = NULL; return false; } - - if (LDBGP(DBG_CRYPT, logger)) { - - LLOG_JAMBUF(DEBUG_STREAM, logger, buf) { - - jam_string(buf, "NSS RSA verify: decrypted sig: "); - - jam_nss_secitem(buf, &decrypted_signature); - - } - - } - - - - /* - - * Expect the matching hash to appear at the end. See above - - * for length check. It may, or may not, be prefixed by a - - * PKCS#1 1.5 RSA ASN.1 blob. - - */ - - passert(decrypted_signature.len >= expected_hash->len); - - uint8_t *start = (decrypted_signature.data - - + decrypted_signature.len - - - expected_hash->len); - - if (!memeq(start, expected_hash->ptr, expected_hash->len)) { - - ldbg(logger, "RSA Signature NOT verified"); - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); - - *fatal_diag = NULL; - - return false; - - } - - - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); *fatal_diag = NULL; return true; } -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmo8EoETHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Za4D/wI85Hoe6fkUhGj/lB6hdjc/IHSfOYn J0G5jtrVoDv+sDYSxn++zCw0CfTFw1NTaqhi9xZGG4TOjamdDUaXELnqXOKCvukx CZgqLMURf4VVEOqScERKpXBbw33NQLzSeL+vXzQ8NG4RC8EfrtGUSAS2p7mkh2Sb +xImr9OTm9loTJcV5bPe1ITrP/3HiUJo0QMB6v9vC3XvNUUX/jlGXJnrXWIvrIRG SGTxQYnV/uVwXuKWcf7eu2WysMk1uu3yqGtAwj7cuKnctReSIWLn6gz7VEPx8QXq YRatGh1ifgkIhjJXBHTxR4HD5I/txa7ewZQow+FBB7oshOE+VR4x7Pi2X1fDS2Sh IJzKFRLX3tWnoWmlxON428I51ATK6NeWsHi9jYte57PDu504xVgLh90ZSzR288yF NNNdNOseJT9+z+EbBPq5tW4ysy0A/S8zmtNucMyi1NntssNVVO9KOasQ2ufIoJK8 94mADzFEuh99WGPKL0Mj3Fb9Y+OT6scZk9bAC4QcY5XMQYs7Vj70a0ot+aQDGhlI FKjHbWHfnV9x8TuG9UCkUcfhGOW5HFEKuv9zIoysF0JPcOuj5mPUs/24uQHxqIlk 7qhdfdhKv7NmnjtHcKBqs7JN+yJSzZ7BSs3iGW4B2BSsZ/4DRFhpuf03bz0xBl2G 4QxGvyXQlhxgIg== =amJO -----END PGP SIGNATURE-----