From 87b07bf08a1c9efab4bd7ee9f005f89acad003bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Thu, 4 Oct 2018 12:19:10 +0200
Subject: [PATCH] Fix creating and validating EdDSA signatures

Revert parts of commit c3b8130fe8267185e786e9c12527df7c53b37589 which
inadvertently broke creating and validating EdDSA signatures:

 1. EVP_DigestSignInit() returns 1 on success.

 2. EdDSA does not support streaming (EVP_Digest*Update() followed by
    EVP_Digest*Final()), only one shot operations.
---
 CHANGES                     |  4 +++-
 lib/dns/openssleddsa_link.c | 18 +++++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 953764c720..2a60992e58 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,7 @@
+5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
+
 	--- 9.13.3 released ---
 
 5029.	[func]		Workarounds for servers that misbehave when queried
 			with EDNS have been removed, because these broken
 			servers and the workarounds for their noncompliance
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index c3db8a3ca5..4298df1c2c 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -355,16 +355,13 @@ openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 	isc_buffer_usedregion(buf, &tbsreg);
 
-	if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
+	if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1) {
 		DST_RET(dst__openssl_toresult3(dctx->category,
 					       "EVP_DigestSignInit",
 					       ISC_R_FAILURE));
-	if (EVP_DigestSignUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
-		DST_RET(dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestSignUpdate",
-					       DST_R_SIGNFAILURE));
 	}
-	if (EVP_DigestSignFinal(ctx, sigreg.base, &siglen) != 1) {
+	if (EVP_DigestSign(ctx, sigreg.base, &siglen,
+			   tbsreg.base, tbsreg.length) != 1) {
 		DST_RET(dst__openssl_toresult3(dctx->category,
 					       "EVP_DigestSign",
 					       DST_R_SIGNFAILURE));
@@ -423,13 +420,8 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 					       ISC_R_FAILURE));
 	}
 
-	if (EVP_DigestVerifyUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
-		DST_RET(dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestVerifyUpdate",
-					       ISC_R_FAILURE));
-	}
-
-	status = EVP_DigestVerifyFinal(ctx, sig->base, siglen);
+	status = EVP_DigestVerify(ctx, sig->base, siglen,
+				  tbsreg.base, tbsreg.length);
 
 	switch (status) {
 	case 1:
-- 
2.18.1