On Sun, Jan 11, 2009 at 05:18:35PM +0200, George Danchev wrote:
> Hello Wouter,
>
> I'm not quite familiar with your app internals, but it seems your fix makes
> no big difference between 0 and 1 return codes. You really want to use
> EVP_VerifyFinal as openssl guys did it [1], and provide the above functioning
> level with the all possible returns. Their doc suggests the same:
>
> EVP_VerifyFinal() returns:
> 1 for a correct signature
> 0 for verification failure
> -1 if some other error occurred.
>
> This is a short code snippet from openssl: apps/dgst.c around line ~458.
>
> i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key);
> if(i > 0)
>     BIO_printf(out, "Verified OK\n");
> else if(i == 0)
>     {
>     BIO_printf(out, "Verification Failure\n");
>     return 1;
>     }
> else
>     {
>     BIO_printf(bio_err, "Error Verifying Data\n");
>     ERR_print_errors(bio_err);
>     return 1;
>     }
Yes, I know; the code base has two more calls, where the return value is
evaluated in the above sense.
However, the point is that this particular piece of code is a library
call. It wants to return a value that includes all information on the
EVP_VerifyFinal call. Previously, the '!EVP_VerifyFinal' piece
introduced a loss of information; however, the patch I proposed should
remedy that.
I just asked upstream to look at it; I was also recently informed that
the 3.5 code should (eventually) be available in source form, once
government bureaucracy has decided on a license.
--
<Lo-lan-do> Home is where you have to wash the dishes.
-- #debian-devel, Freenode, 2004-09-22
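The information loss discussed in this thread, as an added example (not code from the thread, from OpenSSL or from the package under discussion): a wrapper built on the '!' test beside one that hands its caller all three EVP_VerifyFinal() outcomes. The verify function is a constructed stub that returns the real call's 1/0/-1 codes, so the example runs without libcrypto.

```c
#include <stdio.h>

/* The three outcomes EVP_VerifyFinal() reports; a library wrapper must
 * preserve all of them instead of squashing them into pass/fail. */
enum verify_result { VERIFY_OK = 1, VERIFY_BAD_SIG = 0, VERIFY_ERROR = -1 };

/* Hypothetical stand-in for the EVP_VerifyFinal() call (constructed stubs):
 * each returns one of the real call's three documented codes. */
typedef int (*verify_fn)(void);
static int stub_good(void)  { return  1; }   /* correct signature         */
static int stub_bad(void)   { return  0; }   /* verification failure      */
static int stub_error(void) { return -1; }   /* some other error occurred */

/* The '!EVP_VerifyFinal' pattern under discussion: only rc == 0 is treated
 * as failure, so rc == -1 (error) falls through and is reported as valid. */
int signature_ok_buggy(verify_fn verify)
{
    if (!verify())
        return 0;        /* reached only for rc == 0 */
    return 1;            /* reached for rc == 1 AND rc == -1 */
}

/* Corrected wrapper: return the full tri-state to the caller, who then
 * accepts only VERIFY_OK. */
enum verify_result signature_check(verify_fn verify)
{
    int rc = verify();
    if (rc == 1)
        return VERIFY_OK;
    if (rc == 0)
        return VERIFY_BAD_SIG;
    return VERIFY_ERROR;     /* rc < 0: surface the error, never accept */
}

/* Caller-side policy: anything but VERIFY_OK is a rejection. */
int signature_accepted(verify_fn verify)
{
    return signature_check(verify) == VERIFY_OK;
}

int main(void)
{
    printf("buggy wrapper on error rc: %d (1 = accepted)\n",
           signature_ok_buggy(stub_error));
    printf("fixed wrapper on error rc: %d (1 = accepted)\n",
           signature_accepted(stub_error));
    printf("fixed wrapper on good rc:  %d\n", signature_accepted(stub_good));
    printf("fixed wrapper on bad rc:   %d\n", signature_accepted(stub_bad));
    return 0;
}
```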