X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=providers%2Fimplementations%2Fsignature%2Fdsa.c;h=30147aa163fce4d9bc1b803da6b923a79a8ac23c;hp=b2309ef510e5ccd0e1c67f4ba5a5081962a22de1;hb=8c555803476a2af366938161d1186a0d746910ea;hpb=8bee651213c4755761ed5dd32d416d782cc5fc3c diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index b2309ef510..30147aa163 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * DSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include @@ -19,11 +25,13 @@ #include #include "internal/nelem.h" #include "internal/sizes.h" +#include "internal/cryptlib.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "crypto/dsa.h" +#include "prov/der_dsa.h" static OSSL_OP_signature_newctx_fn dsa_newctx; static OSSL_OP_signature_sign_init_fn dsa_signature_init; @@ -67,8 +75,9 @@ typedef struct { char mdname[OSSL_MAX_NAME_SIZE]; - /* The Algorithm Identifier of the combined signature agorithm */ - unsigned char aid[OSSL_MAX_ALGORITHM_ID_SIZE]; + /* The Algorithm Identifier of the combined signature algorithm */ + unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE]; + unsigned char *aid; size_t aid_len; /* main digest */ @@ -140,21 +149,33 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int md_nid = dsa_get_md_nid(md); - size_t algorithmidentifier_len = 0; - const unsigned char *algorithmidentifier; - - EVP_MD_free(ctx->md); - ctx->md = NULL; - ctx->mdname[0] = '\0'; - - algorithmidentifier = - dsa_algorithmidentifier_encoding(md_nid, &algorithmidentifier_len); + WPACKET pkt; - if (algorithmidentifier == NULL) { + if (md == NULL || md_nid == NID_undef) { EVP_MD_free(md); return 0; } + EVP_MD_CTX_free(ctx->mdctx); + EVP_MD_free(ctx->md); + + /* + * TODO(3.0) Should we care about DER writing errors? + * All it really means is that for some reason, there's no + * AlgorithmIdentifier to be had, but the operation itself is + * still valid, just as long as it's not used to construct + * anything that needs an AlgorithmIdentifier. + */ + ctx->aid_len = 0; + if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) + && DER_w_algorithmIdentifier_DSA_with(&pkt, -1, ctx->dsa, md_nid) + && WPACKET_finish(&pkt)) { + WPACKET_get_total_written(&pkt, &ctx->aid_len); + ctx->aid = WPACKET_get_curr(&pkt); + } + WPACKET_cleanup(&pkt); + + ctx->mdctx = NULL; ctx->md = md; OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname)); } @@ -192,8 +213,7 @@ static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen, if (mdsize != 0 && tbslen != mdsize) return 0; - ret = dsa_sign_int(pdsactx->libctx, 0, tbs, tbslen, sig, &sltmp, - pdsactx->dsa); + ret = dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa); if (ret <= 0) return 0;