Commit 3b5d6979fcb80ffae3b140be6edc04cbde1a0b72

Authored by Philippe Reynes
Committed by Tom Rini
1 parent c8c0242f1c

rsa: use new openssl API to create signature

Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

Showing 1 changed file with 11 additions and 6 deletions

... ... @@ -393,7 +393,8 @@
393 393 {
394 394 EVP_PKEY *key;
395 395 EVP_MD_CTX *context;
396   - int size, ret = 0;
  396 + int ret = 0;
  397 + size_t size;
397 398 uint8_t *sig;
398 399 int i;
399 400  
... ... @@ -409,7 +410,7 @@
409 410 size = EVP_PKEY_size(key);
410 411 sig = malloc(size);
411 412 if (!sig) {
412   - fprintf(stderr, "Out of memory for signature (%d bytes)\n",
  413 + fprintf(stderr, "Out of memory for signature (%zu bytes)\n",
413 414 size);
414 415 ret = -ENOMEM;
415 416 goto err_alloc;
416 417  
417 418  
418 419  
... ... @@ -421,22 +422,26 @@
421 422 goto err_create;
422 423 }
423 424 EVP_MD_CTX_init(context);
424   - if (!EVP_SignInit(context, checksum_algo->calculate_sign())) {
  425 + if (EVP_DigestSignInit(context, NULL,
  426 + checksum_algo->calculate_sign(),
  427 + NULL, key) <= 0) {
425 428 ret = rsa_err("Signer setup failed");
426 429 goto err_sign;
427 430 }
428 431  
429 432 for (i = 0; i < region_count; i++) {
430   - if (!EVP_SignUpdate(context, region[i].data, region[i].size)) {
  433 + if (!EVP_DigestSignUpdate(context, region[i].data,
  434 + region[i].size)) {
431 435 ret = rsa_err("Signing data failed");
432 436 goto err_sign;
433 437 }
434 438 }
435 439  
436   - if (!EVP_SignFinal(context, sig, sig_size, key)) {
  440 + if (!EVP_DigestSignFinal(context, sig, &size)) {
437 441 ret = rsa_err("Could not obtain signature");
438 442 goto err_sign;
439 443 }
  444 +
440 445 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
441 446 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)
442 447 EVP_MD_CTX_cleanup(context);
... ... @@ -446,7 +451,7 @@
446 451 EVP_MD_CTX_destroy(context);
447 452 EVP_PKEY_free(key);
448 453  
449   - debug("Got signature: %d bytes, expected %d\n", *sig_size, size);
  454 + debug("Got signature: %d bytes, expected %zu\n", *sig_size, size);
450 455 *sigp = sig;
451 456 *sig_size = size;
452 457
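Review bot: The new `EVP_DigestSignUpdate` and `EVP_DigestSignFinal` calls are tested with `!`, while `EVP_DigestSignInit` just above them is tested with `<= 0`. Some OpenSSL releases document these calls as returning a negative value on failure, and the `#if` in this function shows pre-1.1.0 builds are still supported; a negative return would pass the `!` test and hand the caller the malloc'd, unwritten `sig` buffer as a signature. Using the same form throughout, e.g. `if (EVP_DigestSignFinal(context, sig, &size) <= 0) {`, closes that. In the last hunk the debug line now reads `*sig_size` before it is assigned, since the final call writes to `size` rather than `sig_size`, so it prints a stale value next to the actual length; `debug("Got signature: %zu bytes\n", size);` would be accurate. `size = EVP_PKEY_size(key);` also stores an int into a `size_t` unchecked, so a zero or negative result would presumably surface only as a misleading out-of-memory message. The function starts and ends outside the visible hunks.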