Re: [PATCH v7 00/11] ima-evm-utils: Convert v2 signatures from RSA to EVP_PKEY API

Mimi,

On Mon, Jun 24, 2019 at 03:09:53PM -0400, Mimi Zohar wrote:
> On Mon, 2019-06-24 at 19:16 +0300, Vitaly Chikunov wrote:
> > On Mon, Jun 24, 2019 at 10:42:32AM -0400, Mimi Zohar wrote:
> > > On Sun, 2019-06-23 at 12:00 +0300, Vitaly Chikunov wrote:
> > > > Convert sign v2 from the RSA API (with manual PKCS1 formatting) to the more generic
> > > > EVP_PKEY API, allowing generation of more types of OpenSSL-supported signatures.
> > > > This is done to enable EC-RDSA signatures, which are already supported in the
> > > > kernel. With some small fixes.
> > > > 
> > > > All patches are tested on x86_64 to make sure nothing breaks.
> > > > 
> > > > Changes since v6:
> > > > - Remove "Make sure sig buffer is always MAX_SIGNATURE_SIZE" commit. Instead,
> > > >   change assumption of sign_hash_v2() about @sig size.
> > > 
> > > With and without this change, the sha family is working properly, but
> > > with this patch set, I'm now seeing "sign_hash_v2: signing failed:
> > > (invalid digest)" for gost/streebog.  Previously it worked.
> > 
> > Sounds strange. For me it's working well for streebog now and then.
> > 
> >   = Testing algo gost2012_256-A hash streebog256 =
> >   test.txt: verification is OK
> >   ...
> > 
> > Maybe somehow your test env is getting broken?
> > 
> > I test on Debian 9, manually compiled openssl and then gost-engine
> > from git. Env is like this:
> > 
> >   PATH=$HOME/src/openssl/apps:$HOME/src/ima-evm-utils/src/.libs:$PATH
> >   LD_LIBRARY_PATH=$HOME/src/openssl:$HOME/src/ima-evm-utils/src/.libs
> >   OPENSSL_CONF=$HOME/src/gost-engine/build/openssl.conf
> >   OPENSSL_ENGINES=$HOME/src/gost-engine/build/bin
> > 
> > ima-evm-utils is ./configure'd with
> > 
> >   export OPENSSL_LIBS="-L$HOME/src/openssl -lssl -lcrypto"
> > 
> > and then make'd without install, and the tests run.
> 
> Ok.  I'm using a version which I built when you first sent the
> patches for the crypto engine support.

Did you mean you tried to make an RSA signature with Streebog hashes? This
shouldn't work, as intended. Streebog hashes should only be used with
EC-RDSA signatures (or gost2012_{256,512} in OpenSSL terms).

If it worked before, that is strange. It should not. Which patchset
version was it?

Vitaly,
