cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-01 09:31:25 -04:00
Code Issues Packages Projects Releases Wiki Activity

pkcs7: Handle md errors in multisigner pkcs7 verification

Browse Source 
In resonse to feedback [1], if `mbedtls_md_info_from_type` were to
fail then skip the signer and try the next one.

Additionally, use a for loop instead of a while loop when iterating
over signers because it simplifies the use of `continue`.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967198650
Signed-off-by: Nick Child <nick.child@ibm.com>
This commit is contained in:
Nick Child 2022-09-14 14:10:00 -05:00
parent 8a94de40c7
commit 7089ce8381
1 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
library/pkcs7.c
View File

@ -656,17 +656,21 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
* We could also cache hashes by md, so if there are several sigs all using * We could also cache hashes by md, so if there are several sigs all using
* the same algo we don't recalculate the hash each time. * the same algo we don't recalculate the hash each time.
*/ */
signer = &pkcs7->signed_data.signers; for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next )
while( signer )
{ {
ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg );
if( ret != 0 ) if( ret != 0 )
{ {
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
goto out; continue;
} }
md_info = mbedtls_md_info_from_type( md_alg ); md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
{
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
continue;
}
hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 );
if( hash == NULL ) { if( hash == NULL ) {
@ -677,8 +681,9 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
ret = mbedtls_md( md_info, data, datalen, hash ); ret = mbedtls_md( md_info, data, datalen, hash );
if( ret != 0 ) if( ret != 0 )
{ {
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
mbedtls_free( hash ); mbedtls_free( hash );
goto out; continue;
} }
ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash,
@ -689,8 +694,6 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
if( ret == 0 ) if( ret == 0 )
break; break;
signer = signer->next;
} }
out: out:
@ -716,16 +719,21 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
} }
signer = &pkcs7->signed_data.signers; signer = &pkcs7->signed_data.signers;
while( signer ) for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next )
{ {
ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg );
if( ret != 0 ) if( ret != 0 )
{ {
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
goto out; continue;
} }
md_info = mbedtls_md_info_from_type( md_alg ); md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
{
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
continue;
}
if( hashlen != mbedtls_md_get_size( md_info ) ) if( hashlen != mbedtls_md_get_size( md_info ) )
{ {
@ -739,8 +747,6 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
pkcs7->signed_data.signers.sig.len ); pkcs7->signed_data.signers.sig.len );
if( ret == 0 ) if( ret == 0 )
break; break;
signer = signer->next;
} }
out: out: