[Rpm-maint] [rpm-software-management/rpm] rpmsign --signfiles fails when using libimaevm version < 3 (Issue #2124)
RyanSGoldberg
notifications at github.com
Wed Jul 13 14:35:21 UTC 2022
Description of problem:
I'm running the following on fedora 35: `rpmsign --addsign --signfiles --fskpath=key.pem -D "_gpg_name example at redhat.com" FOO.rpm`,which fails silently when using libimaevm.so.2. The first per-file signature within the RPM is the following (the other signatures are similar)
```
00000340: 6333 3200 0000 0000 0030 3330 3230 3432 c32......0302042
00000350: 3933 3865 3763 3630 3366 3730 3030 3030 938e7c603f700000
00000360: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000370: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
...
00000b20: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000b30: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000b40: 3030 3030 3030 3030 3000 3033 3032 3034 000000000.030204
```
The output of the above with increased verbosity is
```
ufdio: 1 reads, 17654 total bytes in 0.000005 secs
ufdio: 1 reads, 5684 total bytes in 0.000002 secs
ufdio: 1 reads, 17654 total bytes in 0.000009 secs
FOO.rpm:
D: Expected size: 9590 = lead(96)+sigs(2296)+pad(0)+data(7198)
D: Actual size: 9590
hash(sha1): eac6089981ceac355c6bb7dc376c449a4b159e707527ae91f7f0c1f1b8bbd5aa
evm/ima signature: 1023 bytes
hash(sha1): 7781770ddc4aeefca0241d7d2462c7201af5b514ff56c2deae3daef0e857973d
evm/ima signature: 1023 bytes
hash(sha1): 678b87e217a415f05e43460e2c7b668245b412e2b4f18a75aa7399d9774ed0b4
evm/ima signature: 1023 bytes
D: GPG sig size: 458
ufdio: 1 reads, 458 total bytes in 0.000004 secs
D: Got 458 bytes of GPG sig
D: Signature: size(8960)+pad(0)
ufdio: 16 reads, 26430 total bytes in 0.000030 secs
fdio: 4 writes, 16254 total bytes in 0.000021 secs
```
>From the openssl documentation "EVP_PKEY_sign() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm."
so
```
if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
goto err;
```
in sign_hash_v2 in libimaevm.c won't catch this case (where EVP_PKEY_sign is returning -1).
The faluire point is in pkey_rsa_sign where `tbslen != (size_t)EVP_MD_size(rctx->md)` which in this case is that 32 != 20.
The call to rpmDigestLength in rpmsignfiles.c returns SHA256 for the digest (32 B) but the MD size expects SHA1 (20B).
Taking a look at GDB's output at this point:
```
sign_hash_v2 (sig=0x7fffffffd811 "", keyfile=0x5555555d99b0 "signing.pem", size=32,
hash=0x55555559bfd0 "\352\306\b\231\201ά5\\k\267\334\067lD\232K\025\236pu'\256\221\367\360\301\361\270\273ժw\201w\r\334J\356\374\240$\035}$b\307 \032\365\265\024\377V\302ޮ=\256\360\350W\227=",
algo=0x7ffff7fa937c "sha256") at /usr/src/debug/ima-evm-utils-1.3.2-3.fc35.x86_64/src/libimaevm.c:899
899 if (!hash) {
(gdb) s
904 if (size < 0) {
(gdb)
909 if (!sig) {
(gdb)
914 if (!algo) {
(gdb)
919 log_info("hash(%s): ", imaevm_params.hash_algo);
(gdb)
warning: Source file is more recent than executable.
105 return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
(gdb)
919 log_info("hash(%s): ", imaevm_params.hash_algo);
(gdb)
hash(sha1): 36 return ret;
(gdb)
```
`imaevm_params.hash_algo` is "sha1" but should be `algo` which is correctly "sha256". This issue
```
if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
goto err;
```
is likely the stem of the problem. It has been fixed in later versions of the source but causes signing issues when using imaevm versions < 3
As a possible solution, its a bit hacky but you might just be able to do something like this in rpmSignFiles in rpmsignfiles.c
```
diglen = rpmDigestLength(algo);
algoname = hash_algo_name[algo];
imaevm_params.hash_algo = algoname;
```
Version-Release number of selected component (if applicable):
RPM version 4.17.0
libimaevm.so.2
ima-evm-utils-1.3.2-3.fc35.x86_64.rpm
Additional info:
When running the above using libimaevm.so.3 it works as expected (as tried in both fedora 36 and rhel 9)
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2124
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/2124 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220713/871fc6a4/attachment-0001.html>
More information about the Rpm-maint
mailing list