On Tue, Feb 01, 2022 at 07:10:33PM -0800, Eric Biggers wrote:
> > This seem incorrect too, as sig->pkey_algo could be NULL for direct
> > signature verification calls. For example, for keyctl pkey_verify.
>
> We can make it optional if some callers aren't providing it. Of course, such
> callers wouldn't be able to verify ECDSA signatures.
Sorry, I got that backwards. ECDSA signatures don't specify the curve, but the
keys do (as I noted in a comment). So ECDSA wouldn't require sig->pkey_algo.
Since it appears that KEYCTL_PKEY_VERIFY does in fact have no way to specify a
pkey_algo, I'll allow NULL pkey_algo in v2.
Note that SM2 isn't implemented correctly when sig->pkey_algo is NULL, as the
following code incorrectly uses the signature's pkey_algo rather than the key's:
if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 &&
sig->data_size) {
ret = cert_sig_digest_update(sig, tfm);
if (ret)
goto error_free_key;
}
I'm not sure whether I should even bother fixing that, given how broken the SM2
stuff is anyway.
- Eric
