diff options
| author | Michael Brown <mcb30@ipxe.org> | 2024-08-21 16:25:10 +0100 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2024-08-21 21:00:57 +0100 |
| commit | 46937a9df622d1e9fb5b1e926a04176b8855fdce (patch) | |
| tree | 05287931d7afaad1f6eb3294fcddda4118484c79 /src/crypto/cms.c | |
| parent | acbabdb335f47eb8246188a23ed7e3997da6e8ba (diff) | |
| download | ipxe-46937a9df622d1e9fb5b1e926a04176b8855fdce.tar.gz | |
[crypto] Remove the concept of a public-key algorithm reusable context
Instances of cipher and digest algorithms tend to get called
repeatedly to process substantial amounts of data. This is not true
for public-key algorithms, which tend to get called only once or twice
for a given key.
Simplify the public-key algorithm API so that there is no reusable
algorithm context. In particular, this allows callers to omit the
error handling currently required to handle memory allocation (or key
parsing) errors from pubkey_init(), and to omit the cleanup calls to
pubkey_final().
This change does remove the ability for a caller to distinguish
between a verification failure due to a memory allocation failure and
a verification failure due to a bad signature. This difference is not
material in practice: in both cases, for whatever reason, the caller
was unable to verify the signature and so cannot proceed further, and
the cause of the error will be visible to the user via the return
status code.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto/cms.c')
| -rw-r--r-- | src/crypto/cms.c | 19 |
1 files changed, 4 insertions, 15 deletions
diff --git a/src/crypto/cms.c b/src/crypto/cms.c index 0b772f1cf..2e153d819 100644 --- a/src/crypto/cms.c +++ b/src/crypto/cms.c @@ -612,33 +612,22 @@ static int cms_verify_digest ( struct cms_message *cms, userptr_t data, size_t len ) { struct digest_algorithm *digest = part->digest; struct pubkey_algorithm *pubkey = part->pubkey; - struct x509_public_key *public_key = &cert->subject.public_key; + struct asn1_cursor *key = &cert->subject.public_key.raw; uint8_t digest_out[ digest->digestsize ]; - uint8_t ctx[ pubkey->ctxsize ]; int rc; /* Generate digest */ cms_digest ( cms, part, data, len, digest_out ); - /* Initialise public-key algorithm */ - if ( ( rc = pubkey_init ( pubkey, ctx, &public_key->raw ) ) != 0 ) { - DBGC ( cms, "CMS %p/%p could not initialise public key: %s\n", - cms, part, strerror ( rc ) ); - goto err_init; - } - /* Verify digest */ - if ( ( rc = pubkey_verify ( pubkey, ctx, digest, digest_out, + if ( ( rc = pubkey_verify ( pubkey, key, digest, digest_out, part->value, part->len ) ) != 0 ) { DBGC ( cms, "CMS %p/%p signature verification failed: %s\n", cms, part, strerror ( rc ) ); - goto err_verify; + return rc; } - err_verify: - pubkey_final ( pubkey, ctx ); - err_init: - return rc; + return 0; } /** |