summaryrefslogtreecommitdiffstats
path: root/libtransport/src/auth/verifier.cc
diff options
context:
space:
mode:
authorOlivier Roques <oroques@cisco.com>2022-11-17 11:26:23 +0000
committerOlivier Roques <oroques+fdio@cisco.com>2022-11-22 13:07:51 +0000
commita5f7941f49160021506ecae0da090f0b204b75ea (patch)
treefefbd3c7837c319deeae624c41b2280ecace8f4f /libtransport/src/auth/verifier.cc
parentb72257cade6be6fb09738f228d3b961321ca25f3 (diff)
feat(auth): add support for ED25519 and ED448
Ref: HICN-818 Signed-off-by: Olivier Roques <oroques@cisco.com> Change-Id: I8672f022b74be387e16496660a78edf3c1da4bf1
Diffstat (limited to 'libtransport/src/auth/verifier.cc')
-rw-r--r--libtransport/src/auth/verifier.cc172
1 files changed, 66 insertions, 106 deletions
diff --git a/libtransport/src/auth/verifier.cc b/libtransport/src/auth/verifier.cc
index f930383e6..0919aec7d 100644
--- a/libtransport/src/auth/verifier.cc
+++ b/libtransport/src/auth/verifier.cc
@@ -42,9 +42,8 @@ bool Verifier::verifyPacket(PacketPtr packet) {
throw errors::MalformedAHPacketException();
}
- // Get crypto suite, hash type, signature length
+ // Get crypto suite
CryptoSuite suite = packet->getValidationAlgorithm();
- CryptoHashType hash_type = getHashType(suite);
// Copy IP+TCP / ICMP header before zeroing them
u8 header_copy[HICN_HDRLEN_MAX];
@@ -69,8 +68,8 @@ bool Verifier::verifyPacket(PacketPtr packet) {
packet->resetForHash();
// Check signatures
- bool valid_packet = verifyBuffer(static_cast<utils::MemBuf *>(packet),
- signature_raw, hash_type);
+ bool valid_packet =
+ verifyBuffer(static_cast<utils::MemBuf *>(packet), signature_raw, suite);
// Restore header
packet->loadHeader(header_copy, header_len);
@@ -183,15 +182,21 @@ void Verifier::callVerificationFailedCallback(Suffix suffix,
// ---------------------------------------------------------
bool VoidVerifier::verifyPacket(PacketPtr packet) { return true; }
+bool VoidVerifier::verifyBuffer(const uint8_t *buffer, std::size_t len,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) {
+ return true;
+}
+
bool VoidVerifier::verifyBuffer(const std::vector<uint8_t> &buffer,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
+ CryptoSuite suite) {
return true;
}
bool VoidVerifier::verifyBuffer(const utils::MemBuf *buffer,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
+ CryptoSuite suite) {
return true;
}
@@ -250,65 +255,40 @@ void AsymmetricVerifier::useCertificate(std::shared_ptr<X509> cert) {
std::shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), ::EVP_PKEY_free);
}
-bool AsymmetricVerifier::verifyBuffer(const std::vector<uint8_t> &buffer,
+bool AsymmetricVerifier::verifyBuffer(const uint8_t *buffer, std::size_t len,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
- CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type);
+ CryptoSuite suite) {
+ const EVP_MD *hash_md = getMD(suite);
- if (hash_evp == nullptr) {
- throw errors::RuntimeException("Unknown hash type");
+ std::shared_ptr<EVP_MD_CTX> md_ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
+ if (md_ctx == nullptr) {
+ throw errors::RuntimeException("Signature context allocation failed");
}
- std::shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free);
-
- if (mdctx == nullptr) {
- throw errors::RuntimeException("Digest context allocation failed");
- }
-
- if (EVP_DigestVerifyInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr,
+ if (EVP_DigestVerifyInit(md_ctx.get(), nullptr, hash_md, nullptr,
key_.get()) != 1) {
- throw errors::RuntimeException("Digest initialization failed");
+ throw errors::RuntimeException("Signature initialization failed");
}
- if (EVP_DigestVerifyUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) {
- throw errors::RuntimeException("Digest update failed");
- }
+ return EVP_DigestVerify(md_ctx.get(), signature->data(), signature->length(),
+ buffer, len) == 1;
+};
- return EVP_DigestVerifyFinal(mdctx.get(), signature->data(),
- signature->length()) == 1;
+bool AsymmetricVerifier::verifyBuffer(const std::vector<uint8_t> &buffer,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) {
+ return verifyBuffer(buffer.data(), buffer.size(), signature, suite);
}
bool AsymmetricVerifier::verifyBuffer(const utils::MemBuf *buffer,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
- CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type);
-
- if (hash_evp == nullptr) {
- throw errors::RuntimeException("Unknown hash type");
+ CryptoSuite suite) {
+ if (buffer->isChained()) {
+ throw errors::RuntimeException(
+ "Signature of chained membuf is not supported.");
}
- const utils::MemBuf *p = buffer;
- std::shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free);
-
- if (mdctx == nullptr) {
- throw errors::RuntimeException("Digest context allocation failed");
- }
-
- if (EVP_DigestVerifyInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr,
- key_.get()) != 1) {
- throw errors::RuntimeException("Digest initialization failed");
- }
-
- do {
- if (EVP_DigestVerifyUpdate(mdctx.get(), p->data(), p->length()) != 1) {
- throw errors::RuntimeException("Digest update failed");
- }
-
- p = p->next();
- } while (p != buffer);
-
- return EVP_DigestVerifyFinal(mdctx.get(), signature->data(),
- signature->length()) == 1;
+ return verifyBuffer(buffer->data(), buffer->length(), signature, suite);
}
// ---------------------------------------------------------
@@ -327,83 +307,63 @@ void SymmetricVerifier::setPassphrase(const std::string &passphrase) {
EVP_PKEY_free);
}
-bool SymmetricVerifier::verifyBuffer(const std::vector<uint8_t> &buffer,
+bool SymmetricVerifier::verifyBuffer(const uint8_t *buffer, std::size_t len,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
- CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type);
-
- if (hash_evp == nullptr) {
+ CryptoSuite suite) {
+ const EVP_MD *hash_md = getMD(suite);
+ if (hash_md == nullptr) {
throw errors::RuntimeException("Unknown hash type");
}
const utils::MemBuf::Ptr &signature_bis =
core::PacketManager<>::getInstance().getMemBuf();
- signature_bis->append(signature->length());
size_t signature_bis_len;
- std::shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free);
- if (mdctx == nullptr) {
- throw errors::RuntimeException("Digest context allocation failed");
+ std::shared_ptr<EVP_MD_CTX> md_ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
+ if (md_ctx == nullptr) {
+ throw errors::RuntimeException("Signature context allocation failed");
}
- if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr,
- key_.get()) != 1) {
- throw errors::RuntimeException("Digest initialization failed");
+ if (EVP_DigestSignInit(md_ctx.get(), nullptr, hash_md, nullptr, key_.get()) !=
+ 1) {
+ throw errors::RuntimeException("Signature initialization failed");
}
- if (EVP_DigestSignUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) {
- throw errors::RuntimeException("Digest update failed");
- }
+ if (EVP_DigestSign(md_ctx.get(), nullptr, &signature_bis_len, buffer, len) !=
+ 1) {
+ throw errors::RuntimeException("Signature length computation failed");
+ };
- if (EVP_DigestSignFinal(mdctx.get(), signature_bis->writableData(),
- &signature_bis_len) != 1) {
- throw errors::RuntimeException("Digest computation failed");
- }
+ DCHECK(signature_bis_len <= signature_bis->tailroom());
+ signature_bis->append(signature_bis_len);
+
+ if (EVP_DigestSign(md_ctx.get(), signature_bis->writableData(),
+ &signature_bis_len, buffer, len) != 1) {
+ throw errors::RuntimeException("Signature computation failed");
+ };
+
+ DCHECK(signature_bis_len <= signature_bis->tailroom());
+ signature_bis->setLength(signature_bis_len);
return signature->length() == signature_bis_len &&
*signature == *signature_bis;
}
-bool SymmetricVerifier::verifyBuffer(const utils::MemBuf *buffer,
+bool SymmetricVerifier::verifyBuffer(const std::vector<uint8_t> &buffer,
const utils::MemBuf::Ptr &signature,
- CryptoHashType hash_type) {
- CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type);
-
- if (hash_evp == nullptr) {
- throw errors::RuntimeException("Unknown hash type");
- }
-
- const utils::MemBuf *p = buffer;
- const utils::MemBuf::Ptr &signature_bis =
- core::PacketManager<>::getInstance().getMemBuf();
- signature_bis->append(signature->length());
- size_t signature_bis_len;
- std::shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free);
-
- if (mdctx == nullptr) {
- throw errors::RuntimeException("Digest context allocation failed");
- }
-
- if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr,
- key_.get()) != 1) {
- throw errors::RuntimeException("Digest initialization failed");
- }
-
- do {
- if (EVP_DigestSignUpdate(mdctx.get(), p->data(), p->length()) != 1) {
- throw errors::RuntimeException("Digest update failed");
- }
-
- p = p->next();
- } while (p != buffer);
+ CryptoSuite suite) {
+ return verifyBuffer(buffer.data(), buffer.size(), signature, suite);
+}
- if (EVP_DigestSignFinal(mdctx.get(), signature_bis->writableData(),
- &signature_bis_len) != 1) {
- throw errors::RuntimeException("Digest computation failed");
+bool SymmetricVerifier::verifyBuffer(const utils::MemBuf *buffer,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) {
+ if (buffer->isChained()) {
+ throw errors::RuntimeException(
+ "Signature of chained membuf is not supported.");
}
- return signature->length() == signature_bis_len &&
- *signature == *signature_bis;
+ return verifyBuffer(buffer->data(), buffer->length(), signature, suite);
}
} // namespace auth