On 9/11/2013 2:01 PM, Stephen Henson via RT wrote:
> On Wed Sep 11 17:52:03 2013, deeng...@anl.gov wrote:
>>
>> Attached is a patch to move the definition of ecdsa_method
>> from src/crypto/ecdsa/ecs_locl.h to ecdsa.h
>> and move the definition of ecdh_method
>> from src/crypto/ecdh/ech_locl.h to ecdh.h
>>
>
> It's been policy that we should avoid direct structure access in
> application code and use opaque structures where possible.
>
> I had to change ecdsa_method for the FIPS builds (add the flags field) and if
> it had been public would've meant that it would no longer be binary compatible
> across minor versions (1.0.0 incompatible with 1.0.1 and later) which would be
> a major headache.
>
> The preferred technique would be to create a function to allocate and
> initialise the structure without exposing it in a public header. See the
> EVP_PKEY_METHOD structure for example.

Is the following something like what you are looking for?

It has not been tested, and it needs some error handling...
The 3 _put_ routines could be combined with the _new routine.

Add to ecdsa.h:

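/*
 * Opaque-structure API for ECDSA_METHOD: applications allocate a method and
 * replace individual callbacks through these functions instead of touching
 * the structure, so its layout can change without breaking binary
 * compatibility.
 */

/* Allocate a method pre-filled with defaults; NULL on allocation failure. */
ECDSA_METHOD *ECDSA_METHOD_new(void);

/* Release a method obtained from ECDSA_METHOD_new(). */
void ECDSA_METHOD_free(ECDSA_METHOD *ecdsa_method);

/*
 * Callback setters.  They are declared int so they can report a status;
 * NOTE(review): the definitions must actually return one for callers to
 * rely on it.
 */
int ECDSA_METHOD_put_ECDSA_do_sign(ECDSA_METHOD *ecdsa_method,
        ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
                const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey));

/*
 * The draft repeated the do_verify parameter tail here, which declared
 * eckey twice.  NOTE(review): the list below is meant to match the
 * ecdsa_sign_setup member of struct ecdsa_method in ecs_locl.h -- confirm.
 */
int ECDSA_METHOD_put_ECDSA_sign_setup(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
                BIGNUM **r));

int ECDSA_METHOD_put_ECDSA_do_verify(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey));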


add to ecs_ossl.c or some other file:

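/*
 * Allocate an ECDSA_METHOD that an application can customise without seeing
 * the structure layout.
 *
 * Returns the new method, or NULL with ERR_R_MALLOC_FAILURE queued when the
 * allocation fails.  The caller owns the result and releases it with
 * ECDSA_METHOD_free().
 */
ECDSA_METHOD *ECDSA_METHOD_new(void)
{
        ECDSA_METHOD *ret;

        ret = OPENSSL_malloc(sizeof(*ret));
        if (ret == NULL)
        {
                ECDSAerr(ECDSA_F_ECDSA_METHOD_NEW, ERR_R_MALLOC_FAILURE);
                return NULL;
        }

#if do_you_like_this
        /* Alternative under discussion: copy the default method wholesale,
         * which also copies its name, flags and app_data. */
        *ret = *ECDSA_get_default_method();
#else
        ret->name = "Cloned OpenSSL ECDSA method";
        /* Start from the implementations in ecs_ossl.c so every callback is
         * non-NULL before the application overrides any of them. */
        ret->ecdsa_do_sign = ecdsa_do_sign;
        ret->ecdsa_sign_setup = ecdsa_sign_setup;
        ret->ecdsa_do_verify = ecdsa_do_verify;
        /* NOTE(review): flags is the field added for FIPS builds; 0 leaves
         * the clone unflagged -- confirm that is what FIPS mode expects. */
        ret->flags = 0;         /* the draft was missing this semicolon */
        ret->app_data = NULL;
#endif

        return ret;
}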


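/*
 * Replace the signing callback of a method.
 *
 * Returns 1 on success, 0 if either argument is NULL.  No error is queued
 * on failure because this draft defines no function code for the setter.
 */
int ECDSA_METHOD_put_ECDSA_do_sign(ECDSA_METHOD *ecdsa_method,
        ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
                 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey))
{
        /* A NULL callback is refused so the method never holds an
         * uncallable signing pointer. */
        if (ecdsa_method == NULL || ecdsa_do_sign == NULL)
                return 0;

        ecdsa_method->ecdsa_do_sign = ecdsa_do_sign;
        return 1;
}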

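/*
 * Replace the sign-setup callback of a method.
 *
 * Returns 1 on success, 0 if either argument is NULL.
 *
 * The draft's parameter list repeated the do_verify tail and so declared
 * eckey twice.  NOTE(review): the list below is meant to match the
 * ecdsa_sign_setup member of struct ecdsa_method in ecs_locl.h -- confirm.
 */
int ECDSA_METHOD_put_ECDSA_sign_setup(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
                BIGNUM **r))
{
        if (ecdsa_method == NULL || ecdsa_sign_setup == NULL)
                return 0;

        ecdsa_method->ecdsa_sign_setup = ecdsa_sign_setup;
        return 1;
}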

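/*
 * Replace the verification callback of a method.
 *
 * Returns 1 on success, 0 if either argument is NULL.  The callback is
 * stored as given: whatever it returns becomes the verification result for
 * keys using this method, so only a trusted implementation belongs here.
 */
int ECDSA_METHOD_put_ECDSA_do_verify(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey))
{
        if (ecdsa_method == NULL || ecdsa_do_verify == NULL)
                return 0;

        ecdsa_method->ecdsa_do_verify = ecdsa_do_verify;
        return 1;
}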

/*
 * Release a method structure.  Only the structure itself is handed to
 * OPENSSL_free(); nothing it points to (name, app_data) is released here.
 * NOTE(review): the pointer must come from ECDSA_METHOD_new() -- passing a
 * method that was not heap-allocated would be invalid.
 */
void ECDSA_METHOD_free(ECDSA_METHOD *ecdsa_method)
{
        ECDSA_METHOD *doomed = ecdsa_method;

        OPENSSL_free(doomed);
}


>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Add to ecdsa.h:

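/*
 * Opaque-structure API for ECDSA_METHOD: the structure stays out of the
 * public header and applications change callbacks only through these calls.
 */

/* Allocate a method pre-filled with defaults; NULL on allocation failure. */
ECDSA_METHOD *ECDSA_METHOD_new(void);

/* Release a method obtained from ECDSA_METHOD_new(). */
void ECDSA_METHOD_free(ECDSA_METHOD *ecdsa_method);

/*
 * Callback setters, declared int so a status can be reported.
 * NOTE(review): the definitions must return a value for that to hold.
 */
int ECDSA_METHOD_put_ECDSA_do_sign(ECDSA_METHOD *ecdsa_method,
        ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
                const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey));

/*
 * The draft declared eckey twice in this parameter list.
 * NOTE(review): the list below is meant to match the ecdsa_sign_setup
 * member of struct ecdsa_method in ecs_locl.h -- confirm.
 */
int ECDSA_METHOD_put_ECDSA_sign_setup(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
                BIGNUM **r));

int ECDSA_METHOD_put_ECDSA_do_verify(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey));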



add to ecs_ossl.c:

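/*
 * Create a heap-allocated ECDSA_METHOD for applications to customise.
 *
 * Returns the method, or NULL after queuing ERR_R_MALLOC_FAILURE if memory
 * cannot be obtained.  Ownership passes to the caller, who frees it with
 * ECDSA_METHOD_free().
 */
ECDSA_METHOD *ECDSA_METHOD_new(void)
{
        ECDSA_METHOD *ret;

        ret = OPENSSL_malloc(sizeof(*ret));
        if (ret == NULL)
        {
                ECDSAerr(ECDSA_F_ECDSA_METHOD_NEW, ERR_R_MALLOC_FAILURE);
                return NULL;
        }

#if do_you_like_this
        /* Option put to the list: duplicate the default method as a whole,
         * name, flags and app_data included. */
        *ret = *ECDSA_get_default_method();
#else
        ret->name = "Cloned OpenSSL ECDSA method";
        /* Default every callback to the ecs_ossl.c implementation so none
         * is left NULL before an override. */
        ret->ecdsa_do_sign = ecdsa_do_sign;
        ret->ecdsa_sign_setup = ecdsa_sign_setup;
        ret->ecdsa_do_verify = ecdsa_do_verify;
        /* NOTE(review): flags was added for FIPS builds; 0 leaves the clone
         * unflagged -- confirm that is what FIPS mode expects. */
        ret->flags = 0;         /* semicolon was missing in the draft */
        ret->app_data = NULL;
#endif

        return ret;
}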


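/*
 * Install a new signing callback in the method.
 *
 * Returns 1 when the callback was stored, 0 when the method or the callback
 * is NULL.  Nothing is pushed on the error queue because the draft has no
 * function code for this setter.
 */
int ECDSA_METHOD_put_ECDSA_do_sign(ECDSA_METHOD *ecdsa_method,
        ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
                const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey))
{
        /* Refuse NULL so the stored signing pointer is always callable. */
        if (ecdsa_method == NULL || ecdsa_do_sign == NULL)
                return 0;

        ecdsa_method->ecdsa_do_sign = ecdsa_do_sign;
        return 1;
}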

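/*
 * Install a new sign-setup callback in the method.
 *
 * Returns 1 when the callback was stored, 0 when the method or the callback
 * is NULL.
 *
 * The draft declared eckey twice in the callback's parameter list.
 * NOTE(review): the list below is meant to match the ecdsa_sign_setup
 * member of struct ecdsa_method in ecs_locl.h -- confirm.
 */
int ECDSA_METHOD_put_ECDSA_sign_setup(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
                BIGNUM **r))
{
        if (ecdsa_method == NULL || ecdsa_sign_setup == NULL)
                return 0;

        ecdsa_method->ecdsa_sign_setup = ecdsa_sign_setup;
        return 1;
}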

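/*
 * Install a new verification callback in the method.
 *
 * Returns 1 when the callback was stored, 0 when the method or the callback
 * is NULL.  The callback is not vetted in any way; its return value is the
 * verification verdict for keys bound to this method, so it must come from
 * a trusted implementation.
 */
int ECDSA_METHOD_put_ECDSA_do_verify(ECDSA_METHOD *ecdsa_method,
        int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey))
{
        if (ecdsa_method == NULL || ecdsa_do_verify == NULL)
                return 0;

        ecdsa_method->ecdsa_do_verify = ecdsa_do_verify;
        return 1;
}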

/*
 * Free the method structure via OPENSSL_free().  Members such as name and
 * app_data are not released by this call.
 * NOTE(review): only a pointer returned by ECDSA_METHOD_new() is a valid
 * argument -- a method that was not heap-allocated must not be passed.
 */
void ECDSA_METHOD_free(ECDSA_METHOD *ecdsa_method)
{
        ECDSA_METHOD *victim = ecdsa_method;

        OPENSSL_free(victim);
}
