dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 14:43:37 +02:00
Code Releases Activity

ima-evm-utils: Convert sign_hash_v2 to EVP_PKEY API

Browse Source 
Convert sign_hash_v2() to use more generic EVP_PKEY API instead of RSA
API. This enables generation of more signatures out of the box, such as
EC-RDSA (GOST) and any other that OpenSSL supports. This conversion also
fixes generation of MD4 signatures, because it didn't have proper
RSA_ASN1_template.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov 2019-07-03 18:50:11 +03:00 committed by Mimi Zohar
parent e0d778c608
commit 07e623b608
1 changed files with 36 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/libimaevm.c
View File

@ -924,14 +924,20 @@ out:
return len;
}
/*
* @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
* Return: -1 signing error, >0 length of signature
*/
int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
{
struct signature_v2_hdr *hdr;
int len = -1;
RSA *key;
EVP_PKEY *pkey;
char name[20];
unsigned char *buf;
const struct RSA_ASN1_template *asn1;
EVP_PKEY_CTX *ctx = NULL;
const EVP_MD *md;
size_t sigsize;
const char *st;
if (!hash) {
log_err("sign_hash_v2: hash is null\n");
@ -956,8 +962,8 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
log_info("hash: ");
log_dump(hash, size);
key = read_priv_key(keyfile, params.keypass);
if (!key)
pkey = read_priv_pkey(keyfile, params.keypass);
if (!pkey)
return -1;
hdr = (struct signature_v2_hdr *)sig;
@ -965,31 +971,37 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
hdr->hash_algo = get_hash_algo(algo);
calc_keyid_v2(&hdr->keyid, name, key);
calc_pkeyid_v2(&hdr->keyid, name, pkey);
asn1 = &RSA_ASN1_templates[hdr->hash_algo];
buf = malloc(size + asn1->size);
if (!buf)
goto out;
memcpy(buf, asn1->data, asn1->size);
memcpy(buf + asn1->size, hash, size);
len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig,
key, RSA_PKCS1_PADDING);
if (len < 0) {
log_err("RSA_private_encrypt() failed: %d\n", len);
goto out;
}
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto err;
st = "EVP_PKEY_sign_init";
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
if (!(md = EVP_get_digestbyname(params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
goto err;
st = "EVP_PKEY_sign";
sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1;
if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
goto err;
len = (int)sigsize;
/* we add bit length of the signature to make it gnupg compatible */
hdr->sig_size = __cpu_to_be16(len);
len += sizeof(*hdr);
log_info("evm/ima signature: %d bytes\n", len);
out:
if (buf)
free(buf);
RSA_free(key);
err:
if (len == -1)
log_err("sign_hash_v2: signing failed: (%s) in %s\n",
ERR_reason_error_string(ERR_peek_error()), st);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
return len;
}