On Tue, Feb 01, 2022 at 07:10:33PM -0800, Eric Biggers wrote:
This seem incorrect too, as sig->pkey_algo could be NULL for direct signature verification calls. For example, for keyctl pkey_verify.
We can make it optional if some callers aren't providing it. Of course, such callers wouldn't be able to verify ECDSA signatures.
Sorry, I got that backwards. ECDSA signatures don't specify the curve, but the keys do (as I noted in a comment). So ECDSA wouldn't require sig->pkey_algo.
Since it appears that KEYCTL_PKEY_VERIFY does in fact have no way to specify a pkey_algo, I'll allow NULL pkey_algo in v2.
Note that SM2 isn't implemented correctly when sig->pkey_algo is NULL, as the following code incorrectly uses the signature's pkey_algo rather than the key's:
if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) { ret = cert_sig_digest_update(sig, tfm); if (ret) goto error_free_key; }
I'm not sure whether I should even bother fixing that, given how broken the SM2 stuff is anyway.
- Eric