1*4724848cSchristos=pod 2*4724848cSchristos 3*4724848cSchristos=head1 NAME 4*4724848cSchristos 5*4724848cSchristosEVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal, 6*4724848cSchristosEVP_DigestVerify - EVP signature verification functions 7*4724848cSchristos 8*4724848cSchristos=head1 SYNOPSIS 9*4724848cSchristos 10*4724848cSchristos #include <openssl/evp.h> 11*4724848cSchristos 12*4724848cSchristos int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, 13*4724848cSchristos const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); 14*4724848cSchristos int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); 15*4724848cSchristos int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, 16*4724848cSchristos size_t siglen); 17*4724848cSchristos int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, 18*4724848cSchristos size_t siglen, const unsigned char *tbs, size_t tbslen); 19*4724848cSchristos 20*4724848cSchristos=head1 DESCRIPTION 21*4724848cSchristos 22*4724848cSchristosThe EVP signature routines are a high-level interface to digital signatures. 23*4724848cSchristos 24*4724848cSchristosEVP_DigestVerifyInit() sets up verification context B<ctx> to use digest 25*4724848cSchristosB<type> from ENGINE B<e> and public key B<pkey>. B<ctx> must be created 26*4724848cSchristoswith EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the 27*4724848cSchristosEVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this 28*4724848cSchristoscan be used to set alternative verification options. Note that any existing 29*4724848cSchristosvalue in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed 30*4724848cSchristosdirectly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before 31*4724848cSchristosbeing passed to EVP_DigestVerifyInit() (which means the EVP_PKEY_CTX is created 32*4724848cSchristosinside EVP_DigestVerifyInit() and it will be freed automatically when the 33*4724848cSchristosEVP_MD_CTX is freed). 34*4724848cSchristos 35*4724848cSchristosNo B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx> 36*4724848cSchristoshas already been assigned one via L<EVP_MD_CTX_set_pkey_ctx(3)>. See also L<SM2(7)>. 37*4724848cSchristos 38*4724848cSchristosEVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the 39*4724848cSchristosverification context B<ctx>. This function can be called several times on the 40*4724848cSchristossame B<ctx> to include additional data. This function is currently implemented 41*4724848cSchristosusing a macro. 42*4724848cSchristos 43*4724848cSchristosEVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in 44*4724848cSchristosB<sig> of length B<siglen>. 45*4724848cSchristos 46*4724848cSchristosEVP_DigestVerify() verifies B<tbslen> bytes at B<tbs> against the signature 47*4724848cSchristosin B<sig> of length B<siglen>. 48*4724848cSchristos 49*4724848cSchristos=head1 RETURN VALUES 50*4724848cSchristos 51*4724848cSchristosEVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0 52*4724848cSchristosfor failure. 53*4724848cSchristos 54*4724848cSchristosEVP_DigestVerifyFinal() and EVP_DigestVerify() return 1 for success; any other 55*4724848cSchristosvalue indicates failure. A return value of zero indicates that the signature 56*4724848cSchristosdid not verify successfully (that is, B<tbs> did not match the original data or 57*4724848cSchristosthe signature had an invalid form), while other values indicate a more serious 58*4724848cSchristoserror (and sometimes also indicate an invalid signature form). 59*4724848cSchristos 60*4724848cSchristosThe error codes can be obtained from L<ERR_get_error(3)>. 61*4724848cSchristos 62*4724848cSchristos=head1 NOTES 63*4724848cSchristos 64*4724848cSchristosThe B<EVP> interface to digital signatures should almost always be used in 65*4724848cSchristospreference to the low-level interfaces. This is because the code then becomes 66*4724848cSchristostransparent to the algorithm used and much more flexible. 67*4724848cSchristos 68*4724848cSchristosEVP_DigestVerify() is a one shot operation which verifies a single block of 69*4724848cSchristosdata in one function. For algorithms that support streaming it is equivalent 70*4724848cSchristosto calling EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(). For 71*4724848cSchristosalgorithms which do not support streaming (e.g. PureEdDSA) it is the only way 72*4724848cSchristosto verify data. 73*4724848cSchristos 74*4724848cSchristosIn previous versions of OpenSSL there was a link between message digest types 75*4724848cSchristosand public key algorithms. This meant that "clone" digests such as EVP_dss1() 76*4724848cSchristosneeded to be used to sign using SHA1 and DSA. This is no longer necessary and 77*4724848cSchristosthe use of clone digest is now discouraged. 78*4724848cSchristos 79*4724848cSchristosFor some key types and parameters the random number generator must be seeded. 80*4724848cSchristosIf the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to 81*4724848cSchristosexternal circumstances (see L<RAND(7)>), the operation will fail. 82*4724848cSchristos 83*4724848cSchristosThe call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest 84*4724848cSchristoscontext. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can 85*4724848cSchristosbe called later to digest and verify additional data. 86*4724848cSchristos 87*4724848cSchristosSince only a copy of the digest context is ever finalized, the context must 88*4724848cSchristosbe cleaned up after use by calling EVP_MD_CTX_free() or a memory leak 89*4724848cSchristoswill occur. 90*4724848cSchristos 91*4724848cSchristos=head1 SEE ALSO 92*4724848cSchristos 93*4724848cSchristosL<EVP_DigestSignInit(3)>, 94*4724848cSchristosL<EVP_DigestInit(3)>, 95*4724848cSchristosL<evp(7)>, L<HMAC(3)>, L<MD2(3)>, 96*4724848cSchristosL<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, 97*4724848cSchristosL<SHA1(3)>, L<dgst(1)>, 98*4724848cSchristosL<RAND(7)> 99*4724848cSchristos 100*4724848cSchristos=head1 HISTORY 101*4724848cSchristos 102*4724848cSchristosEVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() 103*4724848cSchristoswere added in OpenSSL 1.0.0. 104*4724848cSchristos 105*4724848cSchristos=head1 COPYRIGHT 106*4724848cSchristos 107*4724848cSchristosCopyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. 108*4724848cSchristos 109*4724848cSchristosLicensed under the OpenSSL license (the "License"). You may not use 110*4724848cSchristosthis file except in compliance with the License. You can obtain a copy 111*4724848cSchristosin the file LICENSE in the source distribution or at 112*4724848cSchristosL<https://www.openssl.org/source/license.html>. 113*4724848cSchristos 114*4724848cSchristos=cut 115