Re: [PATCH v7 00/11] ima-evm-utils: Convert v2 signatures from RSA to EVP_PKEY API

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2019-06-24 at 22:23 +0300, Vitaly Chikunov wrote:
> Mimi,
> 
> On Mon, Jun 24, 2019 at 03:09:53PM -0400, Mimi Zohar wrote:
> > On Mon, 2019-06-24 at 19:16 +0300, Vitaly Chikunov wrote:
> > > On Mon, Jun 24, 2019 at 10:42:32AM -0400, Mimi Zohar wrote:
> > > > On Sun, 2019-06-23 at 12:00 +0300, Vitaly Chikunov wrote:
> > > > > Convert sign v2 from RSA API (with manual formatting PKCS1) to more generic
> > > > > EVP_PKEY API, allowing to generate more types of OpenSSL supported signatures.
> > > > > This is done to enable EC-RDSA signatures, which are already supported in the
> > > > > Kernel. With some small fixes.
> > > > > 
> > > > > All patches tested on x86_64 to not break anything.
> > > > > 
> > > > > Changes since v6:
> > > > > - Remove "Make sure sig buffer is always MAX_SIGNATURE_SIZE" commit. Instead,
> > > > >   change assumption of sign_hash_v2() about @sig size.
> > > > 
> > > > With and without this change, the sha family is working properly, but
> > > > with this patch set, I'm now seeing "sign_hash_v2: signing failed:
> > > > (invalid digest)" for gost/streebog.  Previously it worked.
> > > 
> > > Sounds strange. For me it's working good for streebog now and then.
> > > 
> > >   = Testing algo gost2012_256-A hash streebog256 =
> > >   test.txt: verification is OK
> > >   ...
> > > 
> > > Maybe somehow your test env is getting broken?
> > > 
> > > I test on Debian 9, manually compiled openssl and then gost-engine
> > > from git. Env is like this:
> > > 
> > >   PATH=$HOME/src/openssl/apps:$HOME/src/ima-evm-utils/src/.libs:$PATH
> > >   LD_LIBRARY_PATH=$HOME/src/openssl:$HOME/src/ima-evm-utils/src/.libs
> > >   OPENSSL_CONF=$HOME/src/gost-engine/build/openssl.conf
> > >   OPENSSL_ENGINES=$HOME/src/gost-engine/build/bin
> > > 
> > > ima-evm-utils is ./configure'd with
> > > 
> > >   export OPENSSL_LIBS="-L$HOME/src/openssl -lssl -lcrypto"
> > > 
> > > and then make'd without install, and test run.
> > 
> > Ok.  I'm using a version, which I built when you first sent the
> > patches for the crypto engine support.
> 
> Did you mean you try to make RSA signature with Streebog hashes? This
> shouldn't work, as intended. Streebog hash only should be used with
> EC-RDSA signatures (or gost2012_{256,512} in terms of OpenSSL).
> 
> If it worked before this is strange. It should not. What patchset
> version it was?

No, I'm saying that I built both openssl and the gost engine a while
ago.  There's been some gost engine updates since then, which are
dependent on a newer version of openssl.  So I'll need to rebuild both
openssl and the gost engine in order to re-test.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux