- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.

git-svn-id: file:///svn/unbound/trunk@2608 be551aaa-1e26-0410-a405-d3ace91eadb9
2026-02-03 12:19:27 -05:00 · 2012-02-08 16:40:46 +00:00 · 2012-02-08 16:40:46 +00:00 · c352ee2e85
commit c352ee2e85
parent 9117191d44
5 changed files with 626 additions and 571 deletions
--- a/config.h.in
+++ b/config.h.in
@ -490,6 +490,9 @@
 /* Define this to enable ECDSA support. */
 #undef USE_ECDSA

+/* Define this to enable an EVP workaround for older openssl */
+#undef USE_ECDSA_EVP_WORKAROUND
+
 /* Define this to enable GOST support. */
 #undef USE_GOST

--- a/1149
+++ b/1149
--- a/configure.ac
+++ b/configure.ac
@ -667,6 +667,14 @@ case "$enable_ecdsa" in
      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves])], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
      ])
+      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
+      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+	AC_MSG_RESULT([no])
+	AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
+      else
+	AC_MSG_RESULT([yes])
+      fi
      # we now know we have ECDSA and the required curves.
      AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
      use_ecdsa="yes"
--- a/doc/Changelog
+++ b/doc/Changelog
@ -5,6 +5,7 @@
 	  been assigned).  Needs recent ldns with --enable-ecdsa.
 	- fix memory leak in errorcase for DSA signatures.
 	- iana portlist updated.
+	- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.

 3 February 2012: Wouter
 	- fix for windows, rename() is not posix compliant on windows.
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@ -1538,7 +1538,24 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 					"ldns_ecdsa2pkey_raw failed");
 				return 0;
 			}
+#ifdef USE_ECDSA_EVP_WORKAROUND
+			/* openssl before 1.0.0 fixes RSA with the SHA256
+			 * hash in EVP.  We create one for ecdsa_sha256 */
+			{
+				static int md_ecdsa_256_done = 0;
+				static EVP_MD md;
+				if(!md_ecdsa_256_done) {
+					EVP_MD m = *EVP_sha256();
+					md_ecdsa_256_done = 1;
+					m.required_pkey_type[0] = (*evp_key)->type;
+					m.verify = (void*)ECDSA_verify;
+					md = m;
+				}
+				*digest_type = &md;
+			}
+#else
 			*digest_type = EVP_sha256();
+#endif
 			break;
 		case LDNS_ECDSAP384SHA384:
 			*evp_key = ldns_ecdsa2pkey_raw(key, keylen,
@ -1548,9 +1565,26 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 					"ldns_ecdsa2pkey_raw failed");
 				return 0;
 			}
+#ifdef USE_ECDSA_EVP_WORKAROUND
+			/* openssl before 1.0.0 fixes RSA with the SHA384
+			 * hash in EVP.  We create one for ecdsa_sha384 */
+			{
+				static int md_ecdsa_384_done = 0;
+				static EVP_MD md;
+				if(!md_ecdsa_384_done) {
+					EVP_MD m = *EVP_sha384();
+					md_ecdsa_384_done = 1;
+					m.required_pkey_type[0] = (*evp_key)->type;
+					m.verify = (void*)ECDSA_verify;
+					md = m;
+				}
+				*digest_type = &md;
+			}
+#else
 			*digest_type = EVP_sha384();
-			break;
 #endif
+			break;
+#endif /* USE_ECDSA */
 		default:
 			verbose(VERB_QUERY, "verify: unknown algorithm %d", 
 				algo);