From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH v6 08/11] ima-evm-utils: Convert sign_hash_v2 to EVP_PKEY API
Date: Thu, 20 Jun 2019 10:13:01 +0300 [thread overview]
Message-ID: <20190620071304.24495-9-vt@altlinux.org> (raw)
In-Reply-To: <20190620071304.24495-1-vt@altlinux.org>
Convert sign_hash_v2() to use more generic EVP_PKEY API instead of RSA
API. This enables generation of more signatures out of the box, such as
EC-RDSA (GOST) and any other that OpenSSL supports. This conversion also
fixes generation of MD4 signatures, because it didn't have proper
RSA_ASN1_template.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/libimaevm.c | 54 ++++++++++++++++++++++++++++++------------------------
1 file changed, 30 insertions(+), 24 deletions(-)
diff --git a/src/libimaevm.c b/src/libimaevm.c
index d8223e0..0d3f49f 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -916,14 +916,19 @@ out:
return len;
}
+/*
+ * @sig is assumed to be of MAX_SIGNATURE_SIZE size
+ * Return: -1 signing error, >0 length of signature
+ */
int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
{
struct signature_v2_hdr *hdr;
int len = -1;
- RSA *key;
+ EVP_PKEY *pkey;
char name[20];
- unsigned char *buf;
- const struct RSA_ASN1_template *asn1;
+ EVP_PKEY_CTX *ctx = NULL;
+ const EVP_MD *md;
+ size_t sigsize;
if (!hash) {
log_err("sign_hash_v2: hash is null\n");
@@ -948,8 +953,8 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
log_info("hash: ");
log_dump(hash, size);
- key = read_priv_key(keyfile, params.keypass);
- if (!key)
+ pkey = read_priv_pkey(keyfile, params.keypass);
+ if (!pkey)
return -1;
hdr = (struct signature_v2_hdr *)sig;
@@ -957,31 +962,32 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
hdr->hash_algo = get_hash_algo(algo);
- calc_keyid_v2(&hdr->keyid, name, key);
+ calc_pkeyid_v2(&hdr->keyid, name, pkey);
- asn1 = &RSA_ASN1_templates[hdr->hash_algo];
-
- buf = malloc(size + asn1->size);
- if (!buf)
- goto out;
-
- memcpy(buf, asn1->data, asn1->size);
- memcpy(buf + asn1->size, hash, size);
- len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig,
- key, RSA_PKCS1_PADDING);
- if (len < 0) {
- log_err("RSA_private_encrypt() failed: %d\n", len);
- goto out;
- }
+ if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
+ goto err;
+ if (!EVP_PKEY_sign_init(ctx))
+ goto err;
+ if (!(md = EVP_get_digestbyname(params.hash_algo)))
+ goto err;
+ if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
+ goto err;
+ sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr);
+ if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
+ goto err;
+ len = (int)sigsize;
/* we add bit length of the signature to make it gnupg compatible */
hdr->sig_size = __cpu_to_be16(len);
len += sizeof(*hdr);
log_info("evm/ima signature: %d bytes\n", len);
-out:
- if (buf)
- free(buf);
- RSA_free(key);
+
+err:
+ if (len == -1)
+ log_err("sign_hash_v2: signing failed: (%s)\n",
+ ERR_reason_error_string(ERR_peek_error()));
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
return len;
}
--
2.11.0
next prev parent reply other threads:[~2019-06-20 7:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 7:12 [PATCH v6 00/11] ima-evm-utils: Convert v2 signatures from RSA to EVP_PKEY API Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 01/11] ima-evm-utils: Make sure sig buffer is always MAX_SIGNATURE_SIZE Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 02/11] ima-evm-utils: Convert read_pub_key to EVP_PKEY API Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 03/11] ima-evm-utils: Convert read_priv_key " Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 04/11] ima-evm-utils: Convert cmd_import and calc keyid v2 " Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 05/11] ima-evm-utils: Start converting find_keyid " Vitaly Chikunov
2019-06-20 7:12 ` [PATCH v6 06/11] ima-evm-utils: Convert verify_hash_v2 " Vitaly Chikunov
2019-06-20 7:13 ` [PATCH v6 07/11] ima-evm-utils: Replace find_keyid with find_keyid_pkey Vitaly Chikunov
2019-06-20 7:13 ` Vitaly Chikunov [this message]
2019-06-20 7:13 ` [PATCH v6 09/11] ima-evm-utils: Replace calc_keyid_v2 with calc_pkeyid_v2 Vitaly Chikunov
2019-06-20 7:13 ` [PATCH v6 10/11] ima-evm-utils: Remove RSA_ASN1_templates Vitaly Chikunov
2019-06-20 7:13 ` [PATCH v6 11/11] ima-evm-utils: Pass status codes from sign and hash functions to the callers Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190620071304.24495-9-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).