From 2e730b2259c701f16d473dbfb7e58e86a6e71b01 Mon Sep 17 00:00:00 2001 From: Daniel Kurtz Date: Fri, 18 Jan 2019 13:04:59 +0200 Subject: [PATCH] Update for openssl 1.1 OpenSSL 1.1 has made significant non-backwards compatible changes to its API as outlined in: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes BRANCH=none BUG=chromium:738114 TEST=cros_workon --host start vboot_reference TEST=w/ openssl-1.0.2k: sudo emerge vboot_reference TEST=w/ openssl-1.1.0e: sudo emerge vboot_reference => both build ok $ futility version => command runs without error TEST=cros_workon --board=soraka start vboot_reference coreboot TEST=w/ openssl-1.0.2k: emerge-soraka vboot_reference coreboot TEST=w/ openssl-1.1.0e: emerge-soraka vboot_reference coreboot => All build ok Change-Id: I37cfc8cbb04a092eab7b0b3224f475b82609447c Reviewed-on: https://chromium-review.googlesource.com/557739 Commit-Ready: Daniel Kurtz Tested-by: Daniel Kurtz Reviewed-by: Randall Spangler Reviewed-by: Mike Frysinger (cherry-picked from bce7904376beee2912932433a4634c1c25afe2f5) Signed-off-by: Vadim Kochan --- futility/cmd_create.c | 5 ++++- futility/vb2_helper.c | 7 +++++-- host/include/openssl_compat.h | 26 ++++++++++++++++++++++++++ host/lib/util_misc.c | 7 +++++-- host/lib21/host_key.c | 8 +++++++- utility/dumpRSAPublicKey.c | 19 ++++++++++++++----- 6 files changed, 61 insertions(+), 11 deletions(-) create mode 100644 host/include/openssl_compat.h diff --git a/futility/cmd_create.c b/futility/cmd_create.c index 143ea9ae..80d3fd90 100644 --- a/futility/cmd_create.c +++ b/futility/cmd_create.c @@ -13,6 +13,7 @@ #include "2common.h" #include "2id.h" #include "2rsa.h" +#include "openssl_compat.h" #include "util_misc.h" #include "vb2_common.h" #include "vb2_struct.h" @@ -170,6 +171,7 @@ static int vb2_make_keypair() enum vb2_signature_algorithm sig_alg; uint8_t *pubkey_buf = 0; int has_priv = 0; + const BIGNUM *rsa_d; FILE *fp; int ret = 1; 
@@ -193,7 +195,8 @@ static int vb2_make_keypair() goto done; } /* Public keys doesn't have the private exponent */ - has_priv = !!rsa_key->d; + RSA_get0_key(rsa_key, NULL, NULL, &rsa_d); + has_priv = !!rsa_d; if (!has_priv) fprintf(stderr, "%s has a public key only.\n", infile); diff --git a/futility/vb2_helper.c b/futility/vb2_helper.c index 51a78375..c6cc0fdd 100644 --- a/futility/vb2_helper.c +++ b/futility/vb2_helper.c @@ -11,6 +11,7 @@ #include "2common.h" #include "2id.h" #include "2rsa.h" +#include "openssl_compat.h" #include "util_misc.h" #include "vb2_common.h" #include "vb2_struct.h" @@ -216,6 +217,7 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data) uint8_t *keyb, *digest; uint32_t keyb_len; int i, bits; + const BIGNUM *rsa_key_n, *rsa_key_d; /* We're called only after ft_recognize_pem, so this should work. */ rsa_key = rsa_from_buffer(buf, len); @@ -223,10 +225,11 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data) DIE; /* Use to presence of the private exponent to decide if it's public */ - printf("%s Key file: %s\n", rsa_key->d ? "Private" : "Public", + RSA_get0_key(rsa_key, &rsa_key_n, NULL, &rsa_key_d); + printf("%s Key file: %s\n", rsa_key_d ? "Private" : "Public", name); - bits = BN_num_bits(rsa_key->n); + bits = BN_num_bits(rsa_key_n); printf(" Key length: %d\n", bits); if (vb_keyb_from_rsa(rsa_key, &keyb, &keyb_len)) { diff --git a/host/include/openssl_compat.h b/host/include/openssl_compat.h new file mode 100644 index 00000000..7771f32a --- /dev/null +++ b/host/include/openssl_compat.h 
@@ -0,0 +1,26 @@ +/* Copyright 2017 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#ifndef VBOOT_REFERENCE_OPENSSL_COMPAT_H_ +#define VBOOT_REFERENCE_OPENSSL_COMPAT_H_ + +#include + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +static inline void RSA_get0_key(const RSA *rsa, const BIGNUM **n, + const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = rsa->n; + if (e != NULL) + *e = rsa->e; + if (d != NULL) + *d = rsa->d; +} + +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + +#endif /* VBOOT_REFERENCE_OPENSSL_COMPAT_H_ */ diff --git a/host/lib/util_misc.c b/host/lib/util_misc.c index 03ec683f..f0a1f7ad 100644 --- a/host/lib/util_misc.c +++ b/host/lib/util_misc.c @@ -15,6 +15,7 @@ #include "cryptolib.h" #include "host_common.h" +#include "openssl_compat.h" #include "util_misc.h" #include "vboot_common.h" @@ -58,6 +59,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key, BIGNUM *N0inv = NULL, *R = NULL, *RR = NULL; BIGNUM *RRTemp = NULL, *NnumBits = NULL; BIGNUM *n = NULL, *rr = NULL; + const BIGNUM *rsa_private_key_n; BN_CTX *bn_ctx = BN_CTX_new(); uint32_t n0invout; uint32_t bufsize; @@ -65,7 +67,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key, int retval = 1; /* Size of RSA key in 32-bit words */ - nwords = BN_num_bits(rsa_private_key->n) / 32; + nwords = RSA_size(rsa_private_key) / 4; bufsize = (2 + nwords + nwords) * sizeof(uint32_t); outbuf = malloc(bufsize); @@ -94,7 +96,8 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key, NEW_BIGNUM(B); #undef NEW_BIGNUM - BN_copy(N, rsa_private_key->n); + RSA_get0_key(rsa_private_key, &rsa_private_key_n, NULL, NULL); + BN_copy(N, rsa_private_key_n); BN_set_word(Big1, 1L); BN_set_word(Big2, 2L); BN_set_word(Big32, 32L); diff --git a/host/lib21/host_key.c b/host/lib21/host_key.c index f7ea1622..f9419ad3 100644 --- a/host/lib21/host_key.c +++ b/host/lib21/host_key.c 
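Review bot: The fallback in openssl_compat.h is gated on `OPENSSL_VERSION_NUMBER < 0x10100000L` alone, so a LibreSSL host build (which reports 0x20000000L yet, before 2.7, shipped no `RSA_get0_key`) would skip the shim and fail to link; if LibreSSL is a supported host toolchain, widen the guard to `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)`. The header also says nothing about its purpose; a line such as `/* Accessors introduced in OpenSSL 1.1.0, backfilled for 1.0.x so callers never touch struct rsa_st fields directly. */` above the `#if` would help the next reader. It is worth stating in that comment that, like the 1.1 originals, the shim hands out the key's internal BIGNUMs without copying, so callers must treat them as borrowed and never free or mutate them.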
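Review bot: `nwords = RSA_size(rsa_private_key) / 4;` is not equivalent to the `BN_num_bits(...) / 32` it replaces: RSA_size() rounds the modulus up to whole bytes while the old expression rounded down to whole words, so for a modulus whose bit length is not a multiple of 32 the two differ by one and vb_keyb_from_rsa silently emits a blob whose size word disagrees with the modulus that follows. Neither form rejects such a key, and the buffer is sized from this value on the next line as `(2 + nwords + nwords) * sizeof(uint32_t)`, so fetch the modulus first and fail through the function's existing error exit on mismatch, e.g. `if (BN_num_bits(rsa_private_key_n) != nwords * 32)`; the `RSA_get0_key` call that fills `rsa_private_key_n` currently sits in a later hunk and would need to move above this computation. vb_keyb_from_rsa begins and ends outside this hunk.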
@@ -17,6 +17,7 @@ #include "host_common.h" #include "host_key2.h" #include "host_misc.h" +#include "openssl_compat.h" struct vb2_text_vs_enum vb2_text_vs_algorithm[] = { {"RSA1024 SHA1", VB2_ALG_RSA1024_SHA1}, @@ -544,7 +545,12 @@ int vb2_public_key_hash(struct vb2_public_key *key, enum vb2_signature_algorithm vb2_rsa_sig_alg(struct rsa_st *rsa) { - int bits = BN_num_bits(rsa->n); + const BIGNUM *e, *n; + int exp, bits; + + RSA_get0_key(rsa, &n, &e, NULL); + exp = BN_get_word(e); + bits = BN_num_bits(n); switch (bits) { case 1024: diff --git a/utility/dumpRSAPublicKey.c b/utility/dumpRSAPublicKey.c index b3b7b96b..a17b159e 100644 --- a/utility/dumpRSAPublicKey.c +++ b/utility/dumpRSAPublicKey.c @@ -14,14 +14,20 @@ #include #include +#include "openssl_compat.h" + /* Command line tool to extract RSA public keys from X.509 certificates * and output a pre-processed version of keys for use by RSA verification * routines. */ int check(RSA* key) { - int public_exponent = BN_get_word(key->e); - int modulus = BN_num_bits(key->n); + const BIGNUM *n, *e; + int public_exponent, modulus; + + RSA_get0_key(key, &n, &e, NULL); + public_exponent = BN_get_word(e); + modulus = BN_num_bits(n); if (public_exponent != 65537) { fprintf(stderr, "WARNING: Public exponent should be 65537 (but is %d).\n", @@ -40,7 +46,8 @@ int check(RSA* key) { */ void output(RSA* key) { int i, nwords; - BIGNUM *N = key->n; + const BIGNUM *key_n; + BIGNUM *N = NULL; BIGNUM *Big1 = NULL, *Big2 = NULL, *Big32 = NULL, *BigMinus1 = NULL; BIGNUM *B = NULL; BIGNUM *N0inv= NULL, *R = NULL, *RR = NULL, *RRTemp = NULL, *NnumBits = NULL; 
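Review bot: In vb2_rsa_sig_alg, `exp = BN_get_word(e);` stores a BN_ULONG into an `int`: on LP64 hosts BN_get_word() returns up to 64 bits (and BN_MASK2 when e does not fit a word), so an oversized public exponent is truncated — 2^32 + 3 collapses to 3 — and the "does not fit" sentinel becomes -1. The switch visible here keys on `bits` only; if `exp` is consumed further down (the hunk ends at `case 1024:`, so that is not visible) the truncated value could misclassify a key, so declare it as `BN_ULONG exp;` and compare the full value against the supported exponents, or reject `BN_num_bits(e) > 32` before the switch; if it is not consumed, drop the variable. The function body continues outside the hunk.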
@@ -48,14 +55,15 @@ void output(RSA* key) { BN_CTX *bn_ctx = BN_CTX_new(); uint32_t n0invout; - N = key->n; /* Output size of RSA key in 32-bit words */ - nwords = BN_num_bits(N) / 32; + nwords = RSA_size(key) / 4; if (-1 == write(1, &nwords, sizeof(nwords))) goto failure; /* Initialize BIGNUMs */ + RSA_get0_key(key, &key_n, NULL, NULL); + N = BN_dup(key_n); Big1 = BN_new(); Big2 = BN_new(); Big32 = BN_new(); @@ -120,6 +128,7 @@ void output(RSA* key) { failure: /* Free BIGNUMs. */ + BN_free(N); BN_free(Big1); BN_free(Big2); BN_free(Big32); -- 2.14.1
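Review bot: `nwords = RSA_size(key) / 4;` rounds the modulus up to whole bytes where the replaced `BN_num_bits(N) / 32` rounded down to whole words, so for a modulus whose bit length is not a multiple of 32 the size word written to stdout on the very next line no longer matches the modulus words that follow, and output() still emits the blob. Check the modulus before writing anything, e.g. `if (BN_num_bits(key_n) != nwords * 32) goto failure;`, which requires moving the `RSA_get0_key` call above the write. `N = BN_dup(key_n);` is also used unchecked; a NULL result should take the `failure:` path rather than be passed to the BN_* calls that follow. The rest of output() lies outside this hunk.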