[openssl-dev] Access to ECDSA_METHOD do_verify function from engine

Douglas E Engert deengert at gmail.com
Fri Jul 21 12:00:33 UTC 2017


First of all the ECDSA_METHOD and ECDH_METHOD in 1.0.2 are combined
into EC_KEY_METHOD on 1.1.
Both versions have a *_new and *_set_verify.

"static ECDSA_METHOD my_own_openssl_ecdsa_meth"
will not work anymore.

Have a look at:

     https://github.com/OpenSC/libp11/blob/master/src/p11_ec.c

It uses either:
     ops = ECDSA_METHOD_new((ECDSA_METHOD *)ECDSA_OpenSSL());
or
     ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL());

which copy the default structure to the new opaque structure.
It then sets the routines it wants to change.



On 7/21/2017 4:41 AM, Johannes Bauer wrote:
> Hi list,
> 
> I'm having the *exact* same issue that Jacques had 2 years ago:
> https://mta.openssl.org/pipermail/openssl-users/2015-June/001584.html
> 
> I.e., I'm writing an OpenSSL 1.0.2 engine that does ECDSA signing. In my
> signing function, I want to verify the signature before leaving the
> callback. For that I need to use the *default* verification function.
> 
> The problem is that ECDSA_METHOD is an opaque structure. It's only ever
> passed through reference (and has been forward-declared), but its
> internal structure is defined in a localized crypto/ecdsa/ecs_locl.h
> header file. So two questions:
> 
> When OpenSSL sees that the do_verify function in the callback has not
> been set, why does it not default to the internal definition instead of
> segfaulting?
> 
> How do I get the function pointer to the default method do_verify? I.e.,
> how do I do something like:
> 
> ECDSA_METHOD_set_verify(ecdsa_method,
> ECDSA_get_default_method()->ecdsa_do_verify);
> 
> Which currently (because of the opaque structure) results in:
> 
> usockeng.c: In function ‘bind_fn’:
> usockeng.c:341:66: error: dereferencing pointer to incomplete type
> ‘ECDSA_METHOD {aka const struct ecdsa_method}’
> 
> There were two replies two years ago, both of which don't help me:
> 
> Rémy suggests
> (https://mta.openssl.org/pipermail/openssl-users/2015-June/001585.html)
> to define the engine's ECDSA_METHOD structure explicitly, like so:
> 
> static ECDSA_METHOD my_own_openssl_ecdsa_meth = {
>        "OpenSSL ECDSA method",
>        my_own_ecdsa_do_sign_function,
>        ecdsa_sign_setup_no_digest,
>        ecdsa_do_verify,
> ...
> }
> 
> This does not work (anymore?) because the structure is opaque.
> 
> Dmitry suggests
> (https://mta.openssl.org/pipermail/openssl-users/2015-June/001586.html)
> to use ECDSA_METHOD_set_sign_setup/ECDSA_METHOD_set_sign -- I don't
> understand this, since I did define set_sign (and it already works), but
> I need *verification*.
> 
> Of course, the butt-ugly workaround would be to copy/paste the local
> structure definition in my engine code, creating a horribly unportable
> mess. But what's the *intended* way to solve this issue?
> 
> Best regards,
> Johannes
> 

-- 

  Douglas E. Engert  <DEEngert at gmail.com>


