RPM Community Forums

Mailing List Message of <rpm-devel>

Re: [CVS] RPM: rpm/ CHANGES rpm/rpmio/ rpmssl.c

From: Jeff Johnson <n3npq@mac.com>
Date: Fri 12 Dec 2008 - 23:27:31 CET
Message-id: <F292125E-B8AA-4F5B-99A7-19D4FCD31268@mac.com>
This check-in completes DSA/RSA verification with any of
	beecrypt/NSS/libgcrypt/openssl
at least through the signature(...) run-time probe.

There's still some simplifications that could be done if
anyone is interested.

Test cases are rather easy to generate frpm rpm CVS after build:
	cd lib
	make tpgp
	./tpgp --usecrypto XXX
where XXX = bc|nss|gc|ssl.

Edit the genpgp.sh script to use gnupg to generate Even Crazier Pubkeys
if that's yer pleasure.

Fixing the blessed RFC 4880 RSA V4 plaintext for *.rpm verification is  
next, then
perhaps ECDSA, PKCS#11 or PKCS#15 over the X-mas hacking holidays.

Enjoy!

73 de Jeff

On Dec 12, 2008, at 5:19 PM, Jeff Johnson wrote:

>  RPM Package Manager, CVS Repository
>  http://rpm5.org/cvs/
>   
> ____________________________________________________________________________
>
>  Server: rpm5.org                         Name:   Jeff Johnson
>  Root:   /v/rpm/cvs                       Email:  jbj@rpm5.org
>  Module: rpm                              Date:   12-Dec-2008 23:19:01
>  Branch: HEAD                             Handle: 2008121222190001
>
>  Modified files:
>    rpm                     CHANGES
>    rpm/rpmio               rpmssl.c
>
>  Log:
>    - rpmssl: functional RSA verify --usecrypto ssl for signature(...)
>    probe.
>
>  Summary:
>    Revision    Changes     Path
>    1.2680      +1  -0      rpm/CHANGES
>    2.18        +58 -25     rpm/rpmio/rpmssl.c
>   
> ____________________________________________________________________________
>
>  patch -p0 <<'@@ .'
>  Index: rpm/CHANGES
>   
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
>  $ cvs diff -u -r1.2679 -r1.2680 CHANGES
>  --- rpm/CHANGES	12 Dec 2008 17:12:11 -0000	1.2679
>  +++ rpm/CHANGES	12 Dec 2008 22:19:00 -0000	1.2680
>  @@ -1,5 +1,6 @@
>
>   5.2a2 -> 5.2a3:
>  +    - jbj: rpmssl: functional RSA verify --usecrypto ssl for  
> signature(...) probe.
>       - jbj: rpmgc: functional RSA verify --usecrypto gc for  
> signature(...) probe.
>       - jbj: rpmgc: bulldoze the RSA compost. still not working  
> yet ...
>       - jbj: rpmpgp: add ASN1 goop for SHA-224, add to bc/gc/nss/ssl.
>  @@ .
>  patch -p0 <<'@@ .'
>  Index: rpm/rpmio/rpmssl.c
>   
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
>  $ cvs diff -u -r2.17 -r2.18 rpmssl.c
>  --- rpm/rpmio/rpmssl.c	12 Dec 2008 16:40:03 -0000	2.17
>  +++ rpm/rpmio/rpmssl.c	12 Dec 2008 22:19:01 -0000	2.18
>  @@ -51,6 +51,24 @@
>   }
>
>   static
>  +void hexdump(const char * msg, unsigned char * b, size_t blen)
>  +{
>  +    static const char hex[] = "0123456789abcdef";
>  +
>  +    fprintf(stderr, "*** %s:", msg);
>  +    if (b != NULL)
>  +    while (blen > 0) {
>  +	fprintf(stderr, "%c%c",
>  +		hex[ (unsigned)((*b >> 4) & 0x0f) ],
>  +		hex[ (unsigned)((*b     ) & 0x0f) ]);
>  +	blen--;
>  +	b++;
>  +    }
>  +    fprintf(stderr, "\n");
>  +    return;
>  +}
>  +
>  +static
>   int rpmsslSetRSA(/*@only@*/ DIGEST_CTX ctx, pgpDig dig,  
> pgpDigParams sigp)
>   	/*@modifies dig @*/
>   {
>  @@ -127,6 +145,7 @@
>       xx = BN_hex2bn(&ssl->rsahm, hexstr);
>   /*@=moduncon =noeffectuncon @*/
>
>  +if (_pgp_debug < 0) fprintf(stderr, "*** rsahm: %s\n", hexstr);
>       hexstr = _free(hexstr);
>
>       /* Compare leading 16 bits of digest for quick check. */
>  @@ -138,19 +157,40 @@
>       return memcmp(signhash16, sigp->signhash16, sizeof(sigp- 
> >signhash16));
>   }
>
>  +static unsigned char * bn2buf(const char * msg, const BIGNUM * s,  
> size_t maxn)
>  +{
>  +    unsigned char * t = xcalloc(1, maxn);
>  +/*@-moduncon@*/
>  +    size_t nt = BN_bn2bin(s, t);
>  +/*@=moduncon@*/
>  +
>  +    if (nt < maxn) {
>  +	size_t pad = (maxn - nt);
>  +if (_pgp_debug < 0) fprintf(stderr, "\tmemmove(%p, %p, %u)\n", t 
> +pad, t, (unsigned)nt);
>  +	memmove(t+pad, t, nt);
>  +if (_pgp_debug < 0) fprintf(stderr, "\tmemset(%p, 0, %u)\n", t,  
> (unsigned)pad);
>  +	memset(t, 0, pad);
>  +    }
>  +if (_pgp_debug < 0) hexdump(msg, t, maxn);
>  +    return t;
>  +}
>  +
>   static
>   int rpmsslVerifyRSA(pgpDig dig)
>   	/*@*/
>   {
>       rpmssl ssl = dig->impl;
>  -    unsigned char * rsahm;
>  -    unsigned char * dbuf;
>  -    size_t nb, ll;
>  +/*@-moduncon@*/
>  +    size_t maxn = BN_num_bytes(ssl->rsa->n);
>  +    unsigned char * hm = bn2buf("hm", ssl->rsahm, maxn);
>  +    unsigned char *  c = bn2buf(" c", ssl->c, maxn);
>  +    size_t nb = RSA_public_decrypt((int)maxn, c, c, ssl->rsa,  
> RSA_PKCS1_PADDING);
>  +/*@=moduncon@*/
>  +    size_t i;
>       int rc = 0;
>       int xx;
>
>       /* Verify RSA signature. */
>  -/*@-moduncon@*/
>       /* XXX This is _NOT_ the correct openssl function to use:
>        *	rc = RSA_verify(type, m, m_len, sigbuf, siglen, ssl->rsa)
>        *
>  @@ -169,29 +209,22 @@
>        *	  return (j != hlen || memcmp(dbuf, hash, j));
>        *	}
>        */
>  -
>  -    nb = BN_num_bytes(ssl->rsahm);
>  -    rsahm = xmalloc(nb);
>  -    xx = BN_bn2bin(ssl->rsahm, rsahm);
>  -    ll = BN_num_bytes(ssl->rsa->n);
>  -    xx = (int)ll;	/* WRONG WRONG WRONG */
>  -    dbuf = xcalloc(1, ll);
>  -    /* XXX FIXME: what parameter goes into dbuf? */
>  -/*@-type@*/
>  -    while (xx < (int)ll)
>  -	memmove(&dbuf[1], dbuf, xx++), dbuf[0] = 0;
>  -/*@=type@*/
>  -    xx = RSA_public_decrypt((int)ll, dbuf, dbuf, ssl->rsa,  
> RSA_PKCS1_PADDING);
>  -/*@=moduncon@*/
>  -    rc = (xx == (int)nb && (memcmp(rsahm, dbuf, nb) == 0));
>  -    dbuf = _free(dbuf);
>  -    rsahm = _free(rsahm);
>  -
>  -    if (rc != 1) {
>  -	rpmlog(RPMLOG_WARNING, "RSA verification using openssl is not yet  
> implemented. rpmmsslVerifyRSA() will continue without verifying the  
> RSA signature.\n");
>  -	rc = 1;
>  +    for (i = 2; i < maxn; i++) {
>  +	if (hm[i] == 0xff)
>  +	    continue;
>  +	i++;
>  +if (_pgp_debug < 0) hexdump("HM", hm + i, (maxn - i));
>  +	break;
>       }
>
>  +if (_pgp_debug < 0) hexdump("HM", hm + (maxn - nb), nb);
>  +if (_pgp_debug < 0) hexdump(" C",  c, nb);
>  +
>  +    rc = ((maxn - i) == nb && (xx = memcmp(hm+i, c, nb)) == 0);
>  +
>  +    c = _free(c);
>  +    hm = _free(hm);
>  +
>       return rc;
>   }
>
>  @@ .
> ______________________________________________________________________
> RPM Package Manager                                    http://rpm5.org
> CVS Sources Repository                                rpm-cvs@rpm5.org



  • application/pkcs7-signature attachment: smime.p7s
Received on Fri Dec 12 23:28:38 2008
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.