diff options
Diffstat (limited to 'lib/rsa/rsa-sign.c')
| -rw-r--r-- | lib/rsa/rsa-sign.c | 40 |
1 files changed, 32 insertions, 8 deletions
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 05ac67b822..fb5e07b56d 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -387,13 +387,16 @@ static void rsa_engine_remove(ENGINE *e) } } -static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, +static int rsa_sign_with_key(RSA *rsa, struct padding_algo *padding_algo, + struct checksum_algo *checksum_algo, const struct image_region region[], int region_count, uint8_t **sigp, uint *sig_size) { EVP_PKEY *key; + EVP_PKEY_CTX *ckey; EVP_MD_CTX *context; - int size, ret = 0; + int ret = 0; + size_t size; uint8_t *sig; int i; @@ -409,7 +412,7 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, size = EVP_PKEY_size(key); sig = malloc(size); if (!sig) { - fprintf(stderr, "Out of memory for signature (%d bytes)\n", + fprintf(stderr, "Out of memory for signature (%zu bytes)\n", size); ret = -ENOMEM; goto err_alloc; @@ -421,22 +424,43 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, goto err_create; } EVP_MD_CTX_init(context); - if (!EVP_SignInit(context, checksum_algo->calculate_sign())) { + + ckey = EVP_PKEY_CTX_new(key, NULL); + if (!ckey) { + ret = rsa_err("EVP key context creation failed"); + goto err_create; + } + + if (EVP_DigestSignInit(context, &ckey, + checksum_algo->calculate_sign(), + NULL, key) <= 0) { ret = rsa_err("Signer setup failed"); goto err_sign; } +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT + if (padding_algo && !strcmp(padding_algo->name, "pss")) { + if (EVP_PKEY_CTX_set_rsa_padding(ckey, + RSA_PKCS1_PSS_PADDING) <= 0) { + ret = rsa_err("Signer padding setup failed"); + goto err_sign; + } + } +#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ + for (i = 0; i < region_count; i++) { - if (!EVP_SignUpdate(context, region[i].data, region[i].size)) { + if (!EVP_DigestSignUpdate(context, region[i].data, + region[i].size)) { ret = rsa_err("Signing data failed"); goto err_sign; } } - if (!EVP_SignFinal(context, sig, sig_size, key)) { + if (!EVP_DigestSignFinal(context, sig, &size)) { ret = rsa_err("Could not obtain signature"); goto err_sign; } + #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL) EVP_MD_CTX_cleanup(context); @@ -446,7 +470,7 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, EVP_MD_CTX_destroy(context); EVP_PKEY_free(key); - debug("Got signature: %d bytes, expected %d\n", *sig_size, size); + debug("Got signature: %d bytes, expected %zu\n", *sig_size, size); *sigp = sig; *sig_size = size; @@ -483,7 +507,7 @@ int rsa_sign(struct image_sign_info *info, ret = rsa_get_priv_key(info->keydir, info->keyname, e, &rsa); if (ret) goto err_priv; - ret = rsa_sign_with_key(rsa, info->checksum, region, + ret = rsa_sign_with_key(rsa, info->padding, info->checksum, region, region_count, sigp, sig_len); if (ret) goto err_sign; |