-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c index 38b44ab61d..d2f36cb3da 100644 - --- a/lib/libswan/pubkey_rsa.c +++ b/lib/libswan/pubkey_rsa.c @@ -402,58 +402,20 @@ static bool RSA_authenticate_signature_raw_rsa(const struct crypt_mac *expected_ *expected_hash); } - - /* - - * Use the same space used by the out going hash. - - */ - - - - SECItem decrypted_signature = { - - .type = siBuffer, - - }; - - - - if (SECITEM_AllocItem(NULL, &decrypted_signature, signature.len) == NULL) { - - llog_nss_error(RC_LOG, logger, "allocating space for decrypted RSA signature"); - - return false; - - } - - /* NSS doesn't do const */ - - const SECItem encrypted_signature = { - - .type = siBuffer, - - .data = DISCARD_CONST(unsigned char *, signature.ptr), - - .len = signature.len, - - }; - - - - if (PK11_VerifyRecover(seckey_public, &encrypted_signature, &decrypted_signature, - - lsw_nss_get_password_context(logger)) != SECSuccess) { - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); - - dbg("NSS RSA verify: decrypting signature is failed"); - - *fatal_diag = NULL; - - return false; - - } - - if (DBGP(DBG_CRYPT)) { - - LLOG_JAMBUF(DEBUG_STREAM, logger, buf) { - - jam_string(buf, "NSS RSA verify: decrypted sig: "); - - jam_nss_secitem(buf, &decrypted_signature); - - } - - } + const SECItem signature_secitem = + same_shunk_as_secitem(signature, siBuffer); + const SECItem expected_hash_secitem = + same_shunk_as_secitem(HUNK_AS_SHUNK(*expected_hash), siBuffer); - - /* - - * Expect the matching hash to appear at the end. See above - - * for length check. It may, or may not, be prefixed by a - - * PKCS#1 1.5 RSA ASN.1 blob. - - */ - - passert(decrypted_signature.len >= expected_hash->len); - - uint8_t *start = (decrypted_signature.data - - + decrypted_signature.len - - - expected_hash->len); - - if (!memeq(start, expected_hash->ptr, expected_hash->len)) { - - dbg("RSA Signature NOT verified"); - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); + if (PK11_Verify(seckey_public, &signature_secitem, &expected_hash_secitem, + lsw_nss_get_password_context(logger)) != SECSuccess) { + dbg("NSS RSA verify: decrypting signature is failed"); *fatal_diag = NULL; return false; } - - SECITEM_FreeItem(&decrypted_signature, PR_FALSE/*not-pointer*/); *fatal_diag = NULL; return true; } -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmo8EoETHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+XVdD/sFPftXtJxqQdrqUGzrRGyPA6GoTIJK IqFgfLNN6S24xx7UKvAdwujAAsAuqExCmCXG/2Jznxb17yILV8VgM7K1TmSjzKQx hEKauc/qHSDBoPJPOkE0SEu3aXv6nc2LY289gupFpj7hMZpNiWFqkF9cbQV21Yuf gtSxk0h5zqsQy6cTOLEEEH3ECMFo5dy5ZJj8aqw7hjk0CDAxRygTFRlOwv837SAw KaTvZXvc/qsj99lrP1LCbm8VECSWC6vKqQewzky53ew2u9/HkHvUhH/YRxMz7K/r ypgMq1/YyOxaZYUPcXiq+Y8+/NeTOvU2aIQsGX29O97jXwiLmeafv0xDac3JKqNr 0rTBHTTKrtw7hNdGL7oxn612dCt4EHt1WbDhvCABg0tOz9+ys1v8rsZLz3MrJGOH 6cZmKTk+h9tJ77+A/EVrvPT+oksdkmwE4TyyQWC9fFPvVHlj7NtIISvJuP90M3fu T+UjYFOSUud5dpTHO+6b9lC+7cMKSvhFoxyv0/Y/M9t1qyz3uM5h4UfKdP5igeJT Ru5FtoYSBFGePgjeaXYGGAJwREM85ddAp3esUtsy15KQwwUbkY3zSKAPB3R9vV76 +g+rwg1UsrKG7GPU5Y2aMib0F6vhuvM7ihs6hdyZdY2FnIdpKdsonUml/bW0VgFP y8boHdOLxJt+kw== =tpea -----END PGP SIGNATURE-----