On Tue, 2019-06-18 at 16:56 +0300, Vitaly Chikunov wrote:
> Fix off-by-one error of the output buffer passed to sign_hash().
>
> Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
> ---
> src/evmctl.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 15a7226..03f41fe 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -510,7 +510,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> static int sign_evm(const char *file, const char *key)
> {
> unsigned char hash[MAX_DIGEST_SIZE];
> - unsigned char sig[MAX_SIGNATURE_SIZE];
> + unsigned char sig[MAX_SIGNATURE_SIZE + 1];
> int len, err;
>
> len = calc_evm_hash(file, hash);
> @@ -519,7 +519,7 @@ static int sign_evm(const char *file, const char *key)
> return len;
>
> len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
> - assert(len < sizeof(sig));
> + assert(len <= MAX_SIGNATURE_SIZE);
> if (len <= 1)
> return len;
>
A similar problem occurs in sign_ima. Without these changes
sign_hash() succeeds, returning a length of 520 for
sha256/streebog256. With these patches, for streebog256
EVP_PKEY_CTX_set_signature_md is failing, returning -1, but works for
sha256. With a similar change as this patch, it also works, returning
520.
Obviously it isn't an issue of the buffer size.
Mimi
