verify_sha: Move base64 decode out of crypto backends

No reason to put that in there.

Signed-off-by: Ben Collins <[email protected]>

libjwt/gnutls/sign-verify.c

@@ -249,7 +249,8 @@ static int gnutls_sign_sha_pem(jwt_t *jwt, char **out, unsigned int *len,
 #define VERIFY_ERROR(_msg) { jwt_write_error(jwt, "JWT[GnuTLS]: " _msg); goto verify_clean_sig; }
 
 static int gnutls_verify_sha_pem(jwt_t *jwt, const char *head,
-				 unsigned int head_len, const char *sig_b64)
+				 unsigned int head_len, unsigned char *sig,
+				 int sig_len)
 {
 	gnutls_datum_t r, s;
 	gnutls_datum_t data = {
@@ -258,8 +259,7 @@ static int gnutls_verify_sha_pem(jwt_t *jwt, const char *head,
 	};
 	gnutls_datum_t sig_dat = { NULL, 0 };
 	gnutls_pubkey_t pubkey;
-	int alg, ret = 0, sig_len;
-	unsigned char *sig = NULL;
+	int alg, ret = 0;
 
 	if (gnutls_pubkey_init(&pubkey))
 		VERIFY_ERROR("Failed initializing pubkey") // LCOV_EXCL_LINE
@@ -353,10 +353,6 @@ static int gnutls_verify_sha_pem(jwt_t *jwt, const char *head,
 		VERIFY_ERROR("Unknown alg") // LCOV_EXCL_LINE
 	}
 
-	sig = (unsigned char *)jwt_base64uri_decode(sig_b64, &sig_len);
-	if (sig == NULL)
-		VERIFY_ERROR("Error decoding signature") // LCOV_EXCL_LINE
-
 	/* Rebuild signature using r and s extracted from sig when jwt->alg
 	 * is ESxxx. */
 	switch (jwt->alg) {
@@ -406,7 +402,6 @@ static int gnutls_verify_sha_pem(jwt_t *jwt, const char *head,
 
 verify_clean_sig:
 	gnutls_pubkey_deinit(pubkey);
-	jwt_freemem(sig);
 
 	return ret;
 }

libjwt/jwt-private.h

@@ -151,7 +151,8 @@ struct jwt_crypto_ops {
 	int (*sign_sha_pem)(jwt_t *jwt, char **out, unsigned int *len,
 		const char *str, unsigned int str_len);
 	int (*verify_sha_pem)(jwt_t *jwt, const char *head,
-		unsigned int head_len, const char *sig_b64);
+		unsigned int head_len, unsigned char *sig,
+		int sig_len);
 
 	/* Parsing a JWK to prepare it for use */
 	int jwk_implemented;

libjwt/jwt.c

@@ -419,14 +419,19 @@ static int _verify_sha_hmac(jwt_t *jwt, const char *head,
 }
 
 jwt_t *jwt_verify_sig(jwt_t *jwt, const char *head, unsigned int head_len,
-		      const char *sig)
+		      const char *sig_b64)
 {
+	int sig_len;
+	unsigned char *sig;
+
+	sig = jwt_base64uri_decode(sig_b64, &sig_len);
+
 	switch (jwt->alg) {
 	/* HMAC */
 	case JWT_ALG_HS256:
 	case JWT_ALG_HS384:
 	case JWT_ALG_HS512:
-		if (_verify_sha_hmac(jwt, head, head_len, sig))
+		if (_verify_sha_hmac(jwt, head, head_len, sig_b64))
 			jwt_write_error(jwt, "Token failed verification");
 		break;
 
@@ -448,8 +453,16 @@ jwt_t *jwt_verify_sig(jwt_t *jwt, const char *head, unsigned int head_len,
 
 	/* EdDSA */
 	case JWT_ALG_EDDSA:
-		if (jwt_ops->verify_sha_pem(jwt, head, head_len, sig))
+		sig = jwt_base64uri_decode(sig_b64, &sig_len);
+		if (sig == NULL) {
+			jwt_write_error(jwt, "Error decoding signature");
+			return jwt;
+		}
+
+		if (jwt_ops->verify_sha_pem(jwt, head, head_len, sig, sig_len))
 			jwt_write_error(jwt, "Token failed verification");
+
+		jwt_freemem(sig);
 		break;
 
 	/* You wut, mate? */

libjwt/mbedtls/sign-verify.c

@@ -249,13 +249,12 @@ static int mbedtls_sign_sha_pem(jwt_t *jwt, char **out, unsigned int *len,
 #define VERIFY_ERROR(_msg) { jwt_write_error(jwt, "JWT[MbedTLS]: " _msg); goto verify_clean_key; }
 
 static int mbedtls_verify_sha_pem(jwt_t *jwt, const char *head,
-				  unsigned int head_len, const char *sig_b64)
+				  unsigned int head_len,
+				  unsigned char *sig, int sig_len)
 {
 	mbedtls_pk_context pk;
 	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 	const mbedtls_md_info_t *md_info = NULL;
-	unsigned char *sig = NULL;
-	size_t sig_len = 0;
 	int ret = 1;
 
 	mbedtls_pk_init(&pk);
@@ -306,11 +305,6 @@ static int mbedtls_verify_sha_pem(jwt_t *jwt, const char *head,
 			      hash)))
 		VERIFY_ERROR("Failed to computer hash"); // LCOV_EXCL_LINE
 
-	/* Decode the base64url signature */
-	sig = jwt_base64uri_decode(sig_b64, (int *)&sig_len);
-	if (sig == NULL)
-		VERIFY_ERROR("Failed to decode signature"); // LCOV_EXCL_LINE
-
 	/* Handle ECDSA R/S format conversion */
 	if (mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA)) {
 		mbedtls_mpi r, s;
@@ -362,7 +356,6 @@ static int mbedtls_verify_sha_pem(jwt_t *jwt, const char *head,
 	}
 
 verify_clean_key:
-	jwt_freemem(sig);
 	mbedtls_pk_free(&pk);
 
 	return jwt->error;

libjwt/openssl/sign-verify.c

@@ -268,9 +268,9 @@ static int openssl_sign_sha_pem(jwt_t *jwt, char **out, unsigned int *len,
 #define VERIFY_ERROR(_msg) { jwt_write_error(jwt, "JWT[OpenSSL]: " _msg); goto jwt_verify_sha_pem_done; }
 
 static int openssl_verify_sha_pem(jwt_t *jwt, const char *head,
-				  unsigned int head_len, const char *sig_b64)
+				  unsigned int head_len,
+				  unsigned char *sig, int slen)
 {
-	unsigned char *sig = NULL;
 	EVP_MD_CTX *mdctx = NULL;
 	EVP_PKEY_CTX *pkey_ctx = NULL;
 	ECDSA_SIG *ec_sig = NULL;
@@ -280,7 +280,6 @@ static int openssl_verify_sha_pem(jwt_t *jwt, const char *head,
 	const EVP_MD *alg;
 	int type;
 	BIO *bufkey = NULL;
-	int slen;
 
 	if (!ops_compat(jwt->key, JWT_CRYPTO_OPS_OPENSSL))
 		VERIFY_ERROR("Key is not compatible"); // LCOV_EXCL_LINE
@@ -345,10 +344,6 @@ static int openssl_verify_sha_pem(jwt_t *jwt, const char *head,
 		VERIFY_ERROR("Unknown algorithm"); // LCOV_EXCL_LINE
 	}
 
-	sig = jwt_base64uri_decode(sig_b64, &slen);
-	if (sig == NULL)
-		VERIFY_ERROR("Error decoding signature");
-
 	if (type == EVP_PKEY_RSA_PSS) {
 		if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA_PSS &&
 		    EVP_PKEY_id(pkey) != EVP_PKEY_RSA)
@@ -415,7 +410,6 @@ static int openssl_verify_sha_pem(jwt_t *jwt, const char *head,
 jwt_verify_sha_pem_done:
 	BIO_free(bufkey);
 	EVP_MD_CTX_destroy(mdctx);
-	jwt_freemem(sig);
 	ECDSA_SIG_free(ec_sig);
 
 	return jwt->error;

libjwt/wincrypt/sign-verify.c

@@ -783,7 +783,9 @@ static int wincrypt_sign_sha_pem(jwt_t *jwt, char **out, unsigned int *len,
 
 #define VERIFY_PEM_ERROR(__err) { ret = __err; goto jwt_verify_sha_pem_done; }
 
-static int wincrypt_verify_sha_pem(jwt_t *jwt, const char *head, const char *sig_b64)
+static int wincrypt_verify_sha_pem(jwt_t *jwt, const char *head,
+				   unsigned char *sig,
+				   int sig_len)
 {
 	int ret = EINVAL;
 	LPCWSTR alg;
@@ -837,9 +839,8 @@ static int wincrypt_verify_sha_pem(jwt_t *jwt, const char *head, const char *sig
 		VERIFY_PEM_ERROR(EINVAL);
 	}
 
-	/* Decode signature. */
-	if (!(pbSignature = jwt_b64_decode(sig_b64, &cbSignature)))
-		VERIFY_PEM_ERROR(EINVAL);
+	pbSignature = sig;
+	cbSignature = sig_len;
 
 	/* Open handle to public key. */
 	if (is_public_key_pem(jwt->key, jwt->key_len))
@@ -933,9 +934,6 @@ static int wincrypt_verify_sha_pem(jwt_t *jwt, const char *head, const char *sig
 	ret = 0;
 
 jwt_verify_sha_pem_done:
-	if (pbSignature)
-		jwt_freemem(pbSignature);
-
 	if (pbHashObject)
 		jwt_freemem(pbHashObject);