Vitaly Chikunov <vt@xxxxxxxxxxxx> wrote: > Current akcipher .verify() just decrypts signature to uncover message > hash, which is then verified in upper level public_key_verify_signature > by memcmp with the expected signature value, which is never passed into > verify(). > > This approach is incompatible with ECDSA algorithms, because, to verify > a signature ECDSA algorithm also needs a hash value as input; also, hash > is used in ECDSA (together with a signature divided into halves `r||s`), > not to produce hash, but to produce a number, which is then compared to > `r` (first part of the signature) to determine if the signature is > correct. Thus, for ECDSA, nor requirements of .verify() itself, nor its > output expectations in public_key_verify_signature aren't satisfied. > > Make alternative .verify2() call which gets hash value and produce > complete signature check (without any output, thus max_size() call will > not be needed for verify2() operation). > > If .verify2() call is present, it should be used in place of .verify(). > > Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx> We should convert all existing users to this interface and not have both verify/verify2 forever. Thanks, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt