aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcryptobox
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcryptobox')
-rw-r--r--src/libcryptobox/cryptobox.c19
-rw-r--r--src/libcryptobox/cryptobox.h3
2 files changed, 18 insertions, 4 deletions
diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index a976653df..6c9f9a82e 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -40,6 +40,7 @@
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
+#include <openssl/err.h>
#endif
#include <signal.h>
@@ -456,9 +457,10 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
gsize siglen,
const unsigned char *digest,
gsize dlen,
- EVP_PKEY *pub_key)
+ EVP_PKEY *pub_key,
+ GError **err)
{
- bool ret = false;
+ bool ret = false, r;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pub_key, NULL);
g_assert(pctx != NULL);
@@ -467,7 +469,18 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
g_assert(EVP_PKEY_verify_init(pctx) == 1);
g_assert(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) == 1);
- g_assert(EVP_PKEY_CTX_set_signature_md(pctx, md) == 1);
+
+ if ((r = EVP_PKEY_CTX_set_signature_md(pctx, md)) <= 0) {
+ g_set_error(err, g_quark_from_static_string("OpenSSL"),
+ r,
+ "cannot set digest %s for RSA verification (%s returned from OpenSSL), try use `update-crypto-policies --set LEGACY` on RH",
+ EVP_MD_get0_name(md),
+ ERR_lib_error_string(ERR_get_error()));
+ EVP_PKEY_CTX_free(pctx);
+ EVP_MD_CTX_free(mdctx);
+
+ return false;
+ }
ret = (EVP_PKEY_verify(pctx, sig, siglen, digest, dlen) == 1);
diff --git a/src/libcryptobox/cryptobox.h b/src/libcryptobox/cryptobox.h
index afe9c4f9a..8d1f5669e 100644
--- a/src/libcryptobox/cryptobox.h
+++ b/src/libcryptobox/cryptobox.h
@@ -238,7 +238,8 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
gsize siglen,
const unsigned char *digest,
gsize dlen,
- EVP_PKEY *pub_key);
+ EVP_PKEY *pub_key,
+ GError **err);
#endif
/**