EVP: Make the SIGNATURE implementation leaner

Because the algorithm to use is decided already when creating an
EVP_PKEY_CTX regardless of how it was created, it turns out that it's
unnecessary to provide the SIGNATURE method explicitly, and rather
always have it be fetched implicitly.

This means fewer changes for applications that want to use new
signature algorithms / implementations.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10303)
This commit is contained in:
Richard Levitte 2019-10-30 16:59:34 +01:00
parent c0e0984f12
commit 0e52100400
9 changed files with 179 additions and 251 deletions

View File

@ -118,8 +118,6 @@ struct evp_signature_st {
CRYPTO_REF_COUNT refcnt;
CRYPTO_RWLOCK *lock;
EVP_KEYMGMT *keymgmt;
OSSL_OP_signature_newctx_fn *newctx;
OSSL_OP_signature_sign_init_fn *sign_init;
OSSL_OP_signature_sign_fn *sign;

View File

@ -27,9 +27,10 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, const char *mdname,
const char *props, ENGINE *e, EVP_PKEY *pkey,
EVP_SIGNATURE *signature, int ver)
int ver)
{
EVP_PKEY_CTX *locpctx = NULL;
EVP_SIGNATURE *signature = NULL;
void *provkey = NULL;
int ret;
@ -43,51 +44,69 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->provctx = NULL;
}
if (ctx->pctx == NULL) {
if (ctx->pctx == NULL)
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
if (ctx->pctx == NULL)
return 0;
} else if (pkey != NULL) {
if (!EVP_PKEY_up_ref(pkey))
return 0;
EVP_PKEY_free(ctx->pctx->pkey);
ctx->pctx->pkey = pkey;
}
if (ctx->pctx == NULL)
return 0;
locpctx = ctx->pctx;
evp_pkey_ctx_free_old_ops(locpctx);
if (locpctx->pkey == NULL)
if (locpctx->algorithm == NULL)
goto legacy;
if (e != NULL || locpctx->engine != NULL)
goto legacy;
if (signature != NULL) {
if (!EVP_SIGNATURE_up_ref(signature))
goto err;
} else {
/*
* TODO(3.0): Check for legacy handling. Remove this once all all
* algorithms are moved to providers.
*/
switch (locpctx->pkey->type) {
case NID_dsa:
break;
default:
goto legacy;
}
signature
= EVP_SIGNATURE_fetch(NULL, OBJ_nid2sn(locpctx->pkey->type), NULL);
if (signature == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
if (mdname == NULL) {
if (type != NULL) {
mdname = EVP_MD_name(type);
} else if (pkey != NULL) {
/*
* TODO(v3.0) work out a better way for EVP_PKEYs with no legacy
* component.
*/
if (pkey->pkey.ptr != NULL) {
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
mdname = OBJ_nid2sn(def_nid);
}
}
}
locpctx->operation = ver ? EVP_PKEY_OP_VERIFYCTX
: EVP_PKEY_OP_SIGNCTX;
/*
* Because we cleared out old ops, we shouldn't need to worry about
* checking if signature is already there. Keymgmt is a different
* matter, as it isn't tied to a specific EVP_PKEY op.
*/
signature = EVP_SIGNATURE_fetch(locpctx->libctx, locpctx->algorithm,
locpctx->propquery);
if (signature != NULL && locpctx->keymgmt == NULL) {
int name_id = EVP_SIGNATURE_number(signature);
locpctx->keymgmt =
evp_keymgmt_fetch_by_number(locpctx->libctx, name_id,
locpctx->propquery);
}
if (locpctx->keymgmt == NULL
|| signature == NULL
|| (EVP_KEYMGMT_provider(locpctx->keymgmt)
!= EVP_SIGNATURE_provider(signature))) {
/*
* We don't have the full support we need with provided methods,
* let's go see if legacy does. Also, we don't need to free
* ctx->keymgmt here, as it's not necessarily tied to this
* operation. It will be freed by EVP_PKEY_CTX_free().
*/
EVP_SIGNATURE_free(signature);
goto legacy;
}
/* No more legacy from here down to legacy: */
locpctx->op.sig.signature = signature;
locpctx->operation = ver ? EVP_PKEY_OP_VERIFYCTX
: EVP_PKEY_OP_SIGNCTX;
locpctx->op.sig.sigprovctx
= signature->newctx(ossl_provider_ctx(signature->prov));
if (locpctx->op.sig.sigprovctx == NULL) {
@ -95,14 +114,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
goto err;
}
provkey =
evp_keymgmt_export_to_provider(locpctx->pkey, signature->keymgmt, 0);
evp_keymgmt_export_to_provider(locpctx->pkey, locpctx->keymgmt, 0);
if (provkey == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
if (mdname == NULL) {
mdname = EVP_MD_name(type);
if (type != NULL) {
ctx->reqdigest = type;
} else {
/*
@ -111,11 +129,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
* man pages), i.e. the ref count is not updated so the EVP_MD should
* not be used beyound the lifetime of the EVP_MD_CTX.
*/
ctx->reqdigest
= ctx->fetched_digest
= EVP_MD_fetch(
ossl_provider_library_context(EVP_SIGNATURE_provider(signature)),
mdname, props);
ctx->reqdigest = ctx->fetched_digest =
EVP_MD_fetch(locpctx->libctx, mdname, props);
}
if (ver) {
@ -123,15 +138,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
ret = signature->digest_verify_init(locpctx->op.sig.sigprovctx, mdname,
props, provkey);
ret = signature->digest_verify_init(locpctx->op.sig.sigprovctx,
mdname, props, provkey);
} else {
if (signature->digest_sign_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
ret = signature->digest_sign_init(locpctx->op.sig.sigprovctx, mdname,
props, provkey);
ret = signature->digest_sign_init(locpctx->op.sig.sigprovctx,
mdname, props, provkey);
}
return ret ? 1 : 0;
@ -197,31 +212,28 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, const char *props, EVP_PKEY *pkey,
EVP_SIGNATURE *signature)
const char *mdname, const char *props, EVP_PKEY *pkey)
{
return do_sigver_init(ctx, pctx, NULL, mdname, props, NULL, pkey, signature,
0);
return do_sigver_init(ctx, pctx, NULL, mdname, props, NULL, pkey, 0);
}
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
{
return do_sigver_init(ctx, pctx, type, NULL, NULL, e, pkey, NULL, 0);
return do_sigver_init(ctx, pctx, type, NULL, NULL, e, pkey, 0);
}
int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, const char *props,
EVP_PKEY *pkey, EVP_SIGNATURE *signature)
EVP_PKEY *pkey)
{
return do_sigver_init(ctx, pctx, NULL, mdname, props, NULL, pkey, signature,
1);
return do_sigver_init(ctx, pctx, NULL, mdname, props, NULL, pkey, 1);
}
int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
{
return do_sigver_init(ctx, pctx, type, NULL, NULL, e, pkey, NULL, 1);
return do_sigver_init(ctx, pctx, type, NULL, NULL, e, pkey, 1);
}
#endif /* FIPS_MDOE */

View File

@ -35,39 +35,19 @@ static EVP_SIGNATURE *evp_signature_new(OSSL_PROVIDER *prov)
static void *evp_signature_from_dispatch(int name_id,
const OSSL_DISPATCH *fns,
OSSL_PROVIDER *prov,
void *vkeymgmt_data)
void *unused)
{
/*
* Signature functions cannot work without a key, and key management
* from the same provider to manage its keys. We therefore fetch
* a key management method using the same algorithm and properties
* and pass that down to evp_generic_fetch to be passed on to our
* evp_signature_from_dispatch, which will attach the key management
* method to the newly created key exchange method as long as the
* provider matches.
*/
struct keymgmt_data_st *keymgmt_data = vkeymgmt_data;
EVP_KEYMGMT *keymgmt =
evp_keymgmt_fetch_by_number(keymgmt_data->ctx, name_id,
keymgmt_data->properties);
EVP_SIGNATURE *signature = NULL;
int ctxfncnt = 0, signfncnt = 0, verifyfncnt = 0, verifyrecfncnt = 0;
int digsignfncnt = 0, digverifyfncnt = 0;
int gparamfncnt = 0, sparamfncnt = 0, gmdparamfncnt = 0, smdparamfncnt = 0;
if (keymgmt == NULL || EVP_KEYMGMT_provider(keymgmt) != prov) {
ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEYMGMT_AVAILABLE);
goto err;
}
if ((signature = evp_signature_new(prov)) == NULL) {
ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
goto err;
}
signature->name_id = name_id;
signature->keymgmt = keymgmt;
keymgmt = NULL; /* avoid double free on failure below */
for (; fns->function_id != 0; fns++) {
switch (fns->function_id) {
@ -263,7 +243,6 @@ static void *evp_signature_from_dispatch(int name_id,
return signature;
err:
EVP_SIGNATURE_free(signature);
EVP_KEYMGMT_free(keymgmt);
return NULL;
}
@ -275,7 +254,6 @@ void EVP_SIGNATURE_free(EVP_SIGNATURE *signature)
CRYPTO_DOWN_REF(&signature->refcnt, &i, signature->lock);
if (i > 0)
return;
EVP_KEYMGMT_free(signature->keymgmt);
ossl_provider_free(signature->prov);
CRYPTO_THREAD_lock_free(signature->lock);
OPENSSL_free(signature);
@ -298,16 +276,8 @@ OSSL_PROVIDER *EVP_SIGNATURE_provider(const EVP_SIGNATURE *signature)
EVP_SIGNATURE *EVP_SIGNATURE_fetch(OPENSSL_CTX *ctx, const char *algorithm,
const char *properties)
{
struct keymgmt_data_st keymgmt_data;
/*
* A signature operation cannot work without a key, so we need key
* management from the same provider to manage its keys.
*/
keymgmt_data.ctx = ctx;
keymgmt_data.properties = properties;
return evp_generic_fetch(ctx, OSSL_OP_SIGNATURE, algorithm, properties,
evp_signature_from_dispatch, &keymgmt_data,
evp_signature_from_dispatch, NULL,
(int (*)(void *))EVP_SIGNATURE_up_ref,
(void (*)(void *))EVP_SIGNATURE_free);
}
@ -327,13 +297,9 @@ void EVP_SIGNATURE_do_all_provided(OPENSSL_CTX *libctx,
void *arg),
void *arg)
{
struct keymgmt_data_st keymgmt_data;
keymgmt_data.ctx = libctx;
keymgmt_data.properties = NULL;
evp_generic_do_all(libctx, OSSL_OP_SIGNATURE,
(void (*)(void *, void *))fn, arg,
evp_signature_from_dispatch, &keymgmt_data,
evp_signature_from_dispatch, NULL,
(void (*)(void *))EVP_SIGNATURE_free);
}
@ -346,11 +312,11 @@ void EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature,
evp_names_do_all(signature->prov, signature->name_id, fn, data);
}
static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
int operation)
static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
{
int ret = 0;
void *provkey = NULL;
EVP_SIGNATURE *signature = NULL;
if (ctx == NULL) {
EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
@ -360,41 +326,42 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
evp_pkey_ctx_free_old_ops(ctx);
ctx->operation = operation;
if (ctx->engine != NULL)
if (ctx->algorithm == NULL)
goto legacy;
if (signature != NULL) {
if (!EVP_SIGNATURE_up_ref(signature))
goto err;
} else {
int nid = ctx->pkey != NULL ? ctx->pkey->type : ctx->pmeth->pkey_id;
/*
* Because we cleared out old ops, we shouldn't need to worry about
* checking if signature is already there. Keymgmt is a different
* matter, as it isn't tied to a specific EVP_PKEY op.
*/
signature = EVP_SIGNATURE_fetch(ctx->libctx, ctx->algorithm,
ctx->propquery);
if (signature != NULL && ctx->keymgmt == NULL) {
int name_id = EVP_SIGNATURE_number(signature);
ctx->keymgmt = evp_keymgmt_fetch_by_number(ctx->libctx, name_id,
ctx->propquery);
}
if (ctx->keymgmt == NULL
|| signature == NULL
|| (EVP_KEYMGMT_provider(ctx->keymgmt)
!= EVP_SIGNATURE_provider(signature))) {
/*
* TODO(3.0): Check for legacy handling. Remove this once all all
* algorithms are moved to providers.
* We don't have the full support we need with provided methods,
* let's go see if legacy does. Also, we don't need to free
* ctx->keymgmt here, as it's not necessarily tied to this
* operation. It will be freed by EVP_PKEY_CTX_free().
*/
if (ctx->pkey != NULL) {
switch (ctx->pkey->type) {
case NID_dsa:
break;
default:
goto legacy;
}
signature = EVP_SIGNATURE_fetch(NULL, OBJ_nid2sn(nid), NULL);
} else {
goto legacy;
}
if (signature == NULL) {
EVPerr(0, EVP_R_INITIALIZATION_ERROR);
goto err;
}
EVP_SIGNATURE_free(signature);
goto legacy;
}
ctx->op.sig.signature = signature;
if (ctx->pkey != NULL) {
provkey =
evp_keymgmt_export_to_provider(ctx->pkey, signature->keymgmt, 0);
evp_keymgmt_export_to_provider(ctx->pkey, ctx->keymgmt, 0);
if (provkey == NULL) {
EVPerr(0, EVP_R_INITIALIZATION_ERROR);
goto err;
@ -483,14 +450,9 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
return ret;
}
int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature)
{
return evp_pkey_signature_init(ctx, signature, EVP_PKEY_OP_SIGN);
}
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx)
{
return evp_pkey_signature_init(ctx, NULL, EVP_PKEY_OP_SIGN);
return evp_pkey_signature_init(ctx, EVP_PKEY_OP_SIGN);
}
int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
@ -527,14 +489,9 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
return ctx->pmeth->sign(ctx, sig, siglen, tbs, tbslen);
}
int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature)
{
return evp_pkey_signature_init(ctx, signature, EVP_PKEY_OP_VERIFY);
}
int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx)
{
return evp_pkey_signature_init(ctx, NULL, EVP_PKEY_OP_VERIFY);
return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFY);
}
int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
@ -569,14 +526,9 @@ int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
return ctx->pmeth->verify(ctx, sig, siglen, tbs, tbslen);
}
int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature)
{
return evp_pkey_signature_init(ctx, signature, EVP_PKEY_OP_VERIFYRECOVER);
}
int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx)
{
return evp_pkey_signature_init(ctx, NULL, EVP_PKEY_OP_VERIFYRECOVER);
return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFYRECOVER);
}
int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,

View File

@ -11,7 +11,7 @@ EVP_DigestSignFinal, EVP_DigestSign - EVP signing functions
int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, const char *props,
EVP_PKEY *pkey, EVP_SIGNATURE *signature);
EVP_PKEY *pkey);
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
@ -26,41 +26,38 @@ EVP_DigestSignFinal, EVP_DigestSign - EVP signing functions
The EVP signature routines are a high level interface to digital signatures.
Input data is digested first before the signing takes place.
EVP_DigestSignInit_ex() sets up signing context B<ctx> to use a digest with the
name B<mdname> and private key B<pkey>. The signature algorithm B<signature>
will be used for the actual signing which must be compatible with the private
key. The name of the digest to be used is passed to the provider of the
signature algorithm in use. How that provider interprets the digest name is
provider specific. The provider may implement that digest directly itself or it
may (optionally) choose to fetch it (which could result in a digest from a
different provider being selected). If the provider supports fetching the digest
then it may use the B<props> argument for the properties to be used during the
fetch.
EVP_DigestSignInit_ex() sets up signing context I<ctx> to use a digest with the
name I<mdname> and private key I<pkey>. The name of the digest to be used is
passed to the provider of the signature algorithm in use. How that provider
interprets the digest name is provider specific. The provider may implement
that digest directly itself or it may (optionally) choose to fetch it (which
could result in a digest from a different provider being selected). If the
provider supports fetching the digest then it may use the I<props> argument for
the properties to be used during the fetch.
The B<signature> parameter may be NULL in which case a suitable signature
algorithm implementation will be implicitly fetched based on the type of key in
use. See L<provider(7)> for further information about providers and fetching
algorithms.
The I<pkey> algorithm is used to fetch a B<EVP_SIGNATURE> method implicitly, to
be used for the actual signing. See L<provider(7)/Implicit fetch> for
more information about implict fetches.
The OpenSSL default and legacy providers support fetching digests and can fetch
those digests from any available provider. The OpenSSL fips provider also
supports fetching digests but will only fetch digests that are themselves
implemented inside the fips provider.
B<ctx> must be created with EVP_MD_CTX_new() before calling this function. If
B<pctx> is not NULL, the EVP_PKEY_CTX of the signing operation will be written
to B<*pctx>: this can be used to set alternative signing options. Note that any
existing value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must
not be freed directly by the application if B<ctx> is not assigned an
I<ctx> must be created with EVP_MD_CTX_new() before calling this function. If
I<pctx> is not NULL, the EVP_PKEY_CTX of the signing operation will be written
to I<*pctx>: this can be used to set alternative signing options. Note that any
existing value in I<*pctx> is overwritten. The EVP_PKEY_CTX value returned must
not be freed directly by the application if I<ctx> is not assigned an
EVP_PKEY_CTX value before being passed to EVP_DigestSignInit_ex() (which means
the EVP_PKEY_CTX is created inside EVP_DigestSignInit_ex() and it will be freed
automatically when the EVP_MD_CTX is freed).
The digest B<mdname> may be NULL if the signing algorithm supports it. The
B<props> argument can always be NULL.
The digest I<mdname> may be NULL if the signing algorithm supports it. The
I<props> argument can always be NULL.
No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit_ex() if the passed
B<ctx> has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also
I<ctx> has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also
L<SM2(7)>.
Only EVP_PKEY types that support signing can be used with these functions. This
@ -82,7 +79,7 @@ Supports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3
=item RSA with no padding
Supports no digests (the digest B<type> must be NULL)
Supports no digests (the digest I<type> must be NULL)
=item RSA with X931 padding
@ -95,7 +92,7 @@ SHA3-224, SHA3-256, SHA3-384, SHA3-512
=item Ed25519 and Ed448
Support no digests (the digest B<type> must be NULL)
Support no digests (the digest I<type> must be NULL)
=item HMAC
@ -110,23 +107,23 @@ Will ignore any digest provided.
If RSA-PSS is used and restrictions apply then the digest must match.
EVP_DigestSignInit() works in the same way as EVP_DigestSignInit_ex() except
that the B<mdname> parameter will be inferred from the supplied digest B<type>,
and B<props> will be NULL. Where supplied the ENGINE B<e> will be used for the
signing and digest algorithm implementations. B<e> may be NULL.
that the I<mdname> parameter will be inferred from the supplied digest I<type>,
and I<props> will be NULL. Where supplied the ENGINE I<e> will be used for the
signing and digest algorithm implementations. I<e> may be NULL.
EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the
signature context B<ctx>. This function can be called several times on the
same B<ctx> to include additional data.
EVP_DigestSignUpdate() hashes I<cnt> bytes of data at I<d> into the
signature context I<ctx>. This function can be called several times on the
same I<ctx> to include additional data.
EVP_DigestSignFinal() signs the data in B<ctx> and places the signature in B<sig>.
If B<sig> is B<NULL> then the maximum size of the output buffer is written to
the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
B<siglen> parameter should contain the length of the B<sig> buffer. If the
call is successful the signature is written to B<sig> and the amount of data
written to B<siglen>.
EVP_DigestSignFinal() signs the data in I<ctx> and places the signature in I<sig>.
If I<sig> is NULL then the maximum size of the output buffer is written to
the I<siglen> parameter. If I<sig> is not NULL then before the call the
I<siglen> parameter should contain the length of the I<sig> buffer. If the
call is successful the signature is written to I<sig> and the amount of data
written to I<siglen>.
EVP_DigestSign() signs B<tbslen> bytes of data at B<tbs> and places the
signature in B<sig> and its length in B<siglen> in a similar way to
EVP_DigestSign() signs I<tbslen> bytes of data at I<tbs> and places the
signature in I<sig> and its length in I<siglen> in a similar way to
EVP_DigestSignFinal().
=head1 RETURN VALUES

View File

@ -2,14 +2,13 @@
=head1 NAME
EVP_PKEY_sign_init_ex, EVP_PKEY_sign_init, EVP_PKEY_sign
EVP_PKEY_sign_init, EVP_PKEY_sign
- sign using a public key algorithm
=head1 SYNOPSIS
#include <openssl/evp.h>
int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature);
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
unsigned char *sig, size_t *siglen,
@ -17,26 +16,19 @@ EVP_PKEY_sign_init_ex, EVP_PKEY_sign_init, EVP_PKEY_sign
=head1 DESCRIPTION
The EVP_PKEY_sign_init_ex() function initializes a public key algorithm
context for performing signing using the signature algorithm B<signature>.
The signature algorithm B<signature> should be fetched using a call to
L<EVP_SIGNATURE_fetch(3)>.
The EVP_PKEY object associated with B<ctx> must be compatible with that
algorithm.
B<signature> may be NULL in which case the EVP_SIGNATURE algorithm is fetched
implicitly based on the type of EVP_PKEY associated with B<ctx>.
See L<provider(7)/Implicit fetch> for more information about implict fetches.
The EVP_PKEY_sign_init() function is the same as EVP_PKEY_sign_init_ex() except
that the EVP_SIGNATURE algorithm is always implicitly fetched.
EVP_PKEY_sign_init() initializes a public key algorithm context I<ctx> for
signing using the algorithm given when the context was created
using L<EVP_PKEY_CTX_new(3)> or variants thereof. The algorithm is used to
fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
for more information about implict fetches.
The EVP_PKEY_sign() function performs a public key signing operation
using B<ctx>. The data to be signed is specified using the B<tbs> and
B<tbslen> parameters. If B<sig> is B<NULL> then the maximum size of the output
buffer is written to the B<siglen> parameter. If B<sig> is not B<NULL> then
before the call the B<siglen> parameter should contain the length of the
B<sig> buffer, if the call is successful the signature is written to
B<sig> and the amount of data written to B<siglen>.
using I<ctx>. The data to be signed is specified using the I<tbs> and
I<tbslen> parameters. If I<sig> is NULL then the maximum size of the output
buffer is written to the I<siglen> parameter. If I<sig> is not NULL then
before the call the I<siglen> parameter should contain the length of the
I<sig> buffer, if the call is successful the signature is written to
I<sig> and the amount of data written to I<siglen>.
=head1 NOTES

View File

@ -2,14 +2,13 @@
=head1 NAME
EVP_PKEY_verify_init_ex, EVP_PKEY_verify_init, EVP_PKEY_verify
EVP_PKEY_verify_init, EVP_PKEY_verify
- signature verification using a public key algorithm
=head1 SYNOPSIS
#include <openssl/evp.h>
int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature);
int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
const unsigned char *sig, size_t siglen,
@ -17,24 +16,16 @@ EVP_PKEY_verify_init_ex, EVP_PKEY_verify_init, EVP_PKEY_verify
=head1 DESCRIPTION
The EVP_PKEY_verify_init_ex() function initializes a public key algorithm
context for performing signature verification using the signature algorithm
B<signature>.
The signature algorithm B<signature> should be fetched using a call to
L<EVP_SIGNATURE_fetch(3)>.
The EVP_PKEY object associated with B<ctx> must be compatible with that
algorithm.
B<signature> may be NULL in which case the EVP_SIGNATURE algorithm is fetched
implicitly based on the type of EVP_PKEY associated with B<ctx>.
See L<provider(7)/Implicit fetch> for more information about implict fetches.
The EVP_PKEY_verify_init() function is the same as EVP_PKEY_verify_init_ex()
except that the EVP_SIGNATURE algorithm is always implicitly fetched.
EVP_PKEY_verify_init() initializes a public key algorithm context I<ctx> for
signing using the algorithm given when the context was created
using L<EVP_PKEY_CTX_new(3)> or variants thereof. The algorithm is used to
fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
for more information about implict fetches.
The EVP_PKEY_verify() function performs a public key verification operation
using B<ctx>. The signature is specified using the B<sig> and
B<siglen> parameters. The verified data (i.e. the data believed originally
signed) is specified using the B<tbs> and B<tbslen> parameters.
using I<ctx>. The signature is specified using the I<sig> and
I<siglen> parameters. The verified data (i.e. the data believed originally
signed) is specified using the I<tbs> and I<tbslen> parameters.
=head1 NOTES

View File

@ -2,15 +2,13 @@
=head1 NAME
EVP_PKEY_verify_recover_init_ex, EVP_PKEY_verify_recover_init,
EVP_PKEY_verify_recover - recover signature using a public key algorithm
EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover
- recover signature using a public key algorithm
=head1 SYNOPSIS
#include <openssl/evp.h>
int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx,
EVP_SIGNATURE *signature);
int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
unsigned char *rout, size_t *routlen,
@ -18,28 +16,19 @@ EVP_PKEY_verify_recover - recover signature using a public key algorithm
=head1 DESCRIPTION
The EVP_PKEY_verify_recover_init_ex() function initializes a public key
algorithm context for performing signature signed data recovery using the
signature algorithm B<signature>.
The signature algorithm B<signature> should be fetched using a call to
L<EVP_SIGNATURE_fetch(3)>.
The EVP_PKEY object associated with B<ctx> must be compatible with that
algorithm.
B<signature> may be NULL in which case the EVP_SIGNATURE algorithm is fetched
implicitly based on the type of EVP_PKEY associated with B<ctx>.
See L<provider(7)/Implicit fetch> for more information about implict fetches.
The EVP_PKEY_verify_recover_init() function is the same as
EVP_PKEY_verify_recover_init_ex() except that the EVP_SIGNATURE algorithm is
always implicitly fetched.
EVP_PKEY_verify_recover_init() initializes a public key algorithm context
I<ctx> for signing using the algorithm given when the context was created
using L<EVP_PKEY_CTX_new(3)> or variants thereof. The algorithm is used to
fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
for more information about implict fetches.
The EVP_PKEY_verify_recover() function recovers signed data
using B<ctx>. The signature is specified using the B<sig> and
B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
before the call the B<routlen> parameter should contain the length of the
B<rout> buffer, if the call is successful recovered data is written to
B<rout> and the amount of data written to B<routlen>.
using I<ctx>. The signature is specified using the I<sig> and
I<siglen> parameters. If I<rout> is NULL then the maximum size of the output
buffer is written to the I<routlen> parameter. If I<rout> is not NULL then
before the call the I<routlen> parameter should contain the length of the
I<rout> buffer, if the call is successful recovered data is written to
I<rout> and the amount of data written to I<routlen>.
=head1 NOTES

View File

@ -678,8 +678,8 @@ __owur int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
size_t tbslen);
int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, const char *props, EVP_PKEY *pkey,
EVP_SIGNATURE *signature);
const char *mdname, const char *props,
EVP_PKEY *pkey);
/*__owur*/ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e,
EVP_PKEY *pkey);
@ -689,7 +689,7 @@ __owur int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const char *mdname, const char *props,
EVP_PKEY *pkey, EVP_SIGNATURE *signature);
EVP_PKEY *pkey);
__owur int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e,
EVP_PKEY *pkey);
@ -1526,17 +1526,14 @@ void EVP_SIGNATURE_names_do_all(const EVP_SIGNATURE *signature,
void (*fn)(const char *name, void *data),
void *data);
int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature);
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
unsigned char *sig, size_t *siglen,
const unsigned char *tbs, size_t tbslen);
int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature);
int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen);
int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature);
int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
unsigned char *rout, size_t *routlen,

View File

@ -4742,10 +4742,10 @@ EVP_SIGNATURE_free 4858 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_up_ref 4859 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_provider 4860 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_fetch 4861 3_0_0 EXIST::FUNCTION:
EVP_PKEY_sign_init_ex 4862 3_0_0 EXIST::FUNCTION:
EVP_PKEY_sign_init_ex 4862 3_0_0 NOEXIST::FUNCTION:
EVP_PKEY_CTX_set_signature_md 4863 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_init_ex 4864 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_recover_init_ex 4865 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_init_ex 4864 3_0_0 NOEXIST::FUNCTION:
EVP_PKEY_verify_recover_init_ex 4865 3_0_0 NOEXIST::FUNCTION:
EVP_PKEY_CTX_get_signature_md 4866 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get_params 4867 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_gettable_params 4868 3_0_0 EXIST::FUNCTION: