Thread: 22 messages, 3 authors, 2019-06-26

Re: [PATCH v7 00/11] ima-evm-utils: Convert v2 signatures from RSA to EVP_PKEY API

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-06-24 19:10:00

On Mon, 2019-06-24 at 19:16 +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Mon, Jun 24, 2019 at 10:42:32AM -0400, Mimi Zohar wrote:
> > On Sun, 2019-06-23 at 12:00 +0300, Vitaly Chikunov wrote:
> > > Convert sign v2 from RSA API (with manual formatting PKCS1) to more generic
> > > EVP_PKEY API, allowing to generate more types of OpenSSL supported signatures.
> > > This is done to enable EC-RDSA signatures, which are already supported in the
> > > Kernel. With some small fixes.
> > >
> > > All patches tested on x86_64 to not break anything.
> > >
> > > Changes since v6:
> > > - Remove "Make sure sig buffer is always MAX_SIGNATURE_SIZE" commit. Instead,
> > >   change assumption of sign_hash_v2() about @sig size.
> >
> > With and without this change, the sha family is working properly, but
> > with this patch set, I'm now seeing "sign_hash_v2: signing failed:
> > (invalid digest)" for gost/streebog.  Previously it worked.
>
> Sounds strange. For me it's working good for streebog now and then.
>
>   = Testing algo gost2012_256-A hash streebog256 =
>   test.txt: verification is OK
>   ...
>
> Maybe somehow your test env is getting broken?
>
> I test on Debian 9, manually compiled openssl and then gost-engine
> from git. Env is like this:
>
>   PATH=$HOME/src/openssl/apps:$HOME/src/ima-evm-utils/src/.libs:$PATH
>   LD_LIBRARY_PATH=$HOME/src/openssl:$HOME/src/ima-evm-utils/src/.libs
>   OPENSSL_CONF=$HOME/src/gost-engine/build/openssl.conf
>   OPENSSL_ENGINES=$HOME/src/gost-engine/build/bin
>
> ima-evm-utils is ./configure'd with
>
>   export OPENSSL_LIBS="-L$HOME/src/openssl -lssl -lcrypto"
>
> and then make'd without install, and test run.

Ok.  I'm using a version, which I built when you first sent the
patches for the crypto engine support.

Mimi
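
One way to sanity-check a hand-built environment like the one quoted above before running the tests, as an added example that is not part of the original thread or of ima-evm-utils: it confirms that the paths named by the environment variables exist and that the openssl binary resolved from PATH can compute a given digest. The function names and the script name `check-env.sh` are hypothetical; the digest names are whatever is passed on the command line.

```shell
#!/bin/sh
# Added example: sanity-check a hand-built OpenSSL + gost-engine test
# environment. Function names are hypothetical, not from ima-evm-utils.

# digest_available NAME: succeeds if the openssl binary found on PATH, under
# the current OPENSSL_CONF / OPENSSL_ENGINES, can compute digest NAME.
digest_available() {
    openssl dgst "-$1" </dev/null >/dev/null 2>&1
}

# env_paths_ok: succeeds only if every path the environment variables point
# at exists; prints one line per missing entry.
env_paths_ok() {
    rc=0
    [ -f "${OPENSSL_CONF:-}" ] ||
        { echo "OPENSSL_CONF not a file: ${OPENSSL_CONF:-unset}"; rc=1; }
    [ -d "${OPENSSL_ENGINES:-}" ] ||
        { echo "OPENSSL_ENGINES not a directory: ${OPENSSL_ENGINES:-unset}"; rc=1; }
    old_ifs=$IFS; IFS=:
    for d in ${LD_LIBRARY_PATH:-}; do
        [ -d "$d" ] || { echo "LD_LIBRARY_PATH entry missing: $d"; rc=1; }
    done
    IFS=$old_ifs
    return "$rc"
}

# report NAME...: show which binaries PATH resolves to, then check the paths
# and each digest named on the command line.
report() {
    echo "openssl: $(command -v openssl || echo 'not found')"
    echo "evmctl:  $(command -v evmctl || echo 'not found')"
    openssl version 2>/dev/null || true
    env_paths_ok || true
    for md in "$@"; do
        if digest_available "$md"; then
            echo "digest $md: available"
        else
            echo "digest $md: NOT available"
        fi
    done
}

# Run as: sh check-env.sh sha256 streebog256
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Running it in two shells, each with its own environment, and comparing the output shows whether the two setups resolve to different openssl binaries or expose different digests.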