[openssl-dev] Access to ECDSA_METHOD do_verify function from engine

Johannes Bauer dfnsonfsduifb at gmx.de
Fri Jul 21 09:41:00 UTC 2017


Hi list,

I'm having the *exact* same issue that Jacques had 2 years ago:
https://mta.openssl.org/pipermail/openssl-users/2015-June/001584.html

I.e., I'm writing an OpenSSL 1.0.2 engine that does ECDSA signing. In my
signing function, I want to verify the signature before leaving the
callback. For that I need to use the *default* verification function.

The problem is that ECDSA_METHOD is an opaque structure. It's only ever
passed by reference (and has been forward-declared), but its
internal structure is defined in a localized crypto/ecdsa/ecs_locl.h
header file. So two questions:

When OpenSSL sees that the do_verify function in the callback has not
been set, why does it not default to the internal definition instead of
segfaulting?

How do I get the function pointer to the default method do_verify? I.e.,
how do I do something like:

ECDSA_METHOD_set_verify(ecdsa_method,
ECDSA_get_default_method()->ecdsa_do_verify);

Which currently (because of the opaque structure) results in:

usockeng.c: In function ‘bind_fn’:
usockeng.c:341:66: error: dereferencing pointer to incomplete type
‘ECDSA_METHOD {aka const struct ecdsa_method}’

There were two replies two years ago, both of which don't help me:

Rémy suggests
(https://mta.openssl.org/pipermail/openssl-users/2015-June/001585.html)
to define the engine's ECDSA_METHOD structure explicitly, like so:

static ECDSA_METHOD my_own_openssl_ecdsa_meth = {
      "OpenSSL ECDSA method",
      my_own_ecdsa_do_sign_function,
      ecdsa_sign_setup_no_digest,
      ecdsa_do_verify,
...
};

This does not work (anymore?) because the structure is opaque.

Dmitry suggests
(https://mta.openssl.org/pipermail/openssl-users/2015-June/001586.html)
to use ECDSA_METHOD_set_sign_setup/ECDSA_METHOD_set_sign -- I don't
understand this, since I did define set_sign (and it already works), but
I need *verification*.

Of course, the butt-ugly workaround would be to copy/paste the local
structure definition in my engine code, creating a horribly unportable
mess. But what's the *intended* way to solve this issue?

Best regards,
Johannes
