1*4882a593SmuzhiyunFrom 2e730b2259c701f16d473dbfb7e58e86a6e71b01 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Kurtz <djkurtz@chromium.org>
3*4882a593SmuzhiyunDate: Fri, 18 Jan 2019 13:04:59 +0200
4*4882a593SmuzhiyunSubject: [PATCH] Update for openssl 1.1
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunOpenSSL 1.1 has made significant non-backwards compatible changes to its
7*4882a593SmuzhiyunAPI as outlined in:
8*4882a593Smuzhiyunhttps://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunBRANCH=none
11*4882a593SmuzhiyunBUG=chromium:738114
12*4882a593SmuzhiyunTEST=cros_workon --host start vboot_reference
13*4882a593SmuzhiyunTEST=w/ openssl-1.0.2k: sudo emerge vboot_reference
14*4882a593SmuzhiyunTEST=w/ openssl-1.1.0e: sudo emerge vboot_reference
15*4882a593Smuzhiyun => both build ok
16*4882a593Smuzhiyun $ futility version
17*4882a593Smuzhiyun => command runs without error
18*4882a593SmuzhiyunTEST=cros_workon --board=soraka start vboot_reference coreboot
19*4882a593SmuzhiyunTEST=w/ openssl-1.0.2k: emerge-soraka vboot_reference coreboot
20*4882a593SmuzhiyunTEST=w/ openssl-1.1.0e: emerge-soraka vboot_reference coreboot
21*4882a593Smuzhiyun => All build ok
22*4882a593Smuzhiyun
23*4882a593SmuzhiyunChange-Id: I37cfc8cbb04a092eab7b0b3224f475b82609447c
24*4882a593SmuzhiyunReviewed-on: https://chromium-review.googlesource.com/557739
25*4882a593SmuzhiyunCommit-Ready: Daniel Kurtz <djkurtz@chromium.org>
26*4882a593SmuzhiyunTested-by: Daniel Kurtz <djkurtz@chromium.org>
27*4882a593SmuzhiyunReviewed-by: Randall Spangler <rspangler@chromium.org>
28*4882a593SmuzhiyunReviewed-by: Mike Frysinger <vapier@chromium.org>
29*4882a593Smuzhiyun
30*4882a593Smuzhiyun(cherry-picked from bce7904376beee2912932433a4634c1c25afe2f5)
31*4882a593SmuzhiyunSigned-off-by: Vadim Kochan <vadim4j@gmail.com>
32*4882a593Smuzhiyun---
33*4882a593Smuzhiyun futility/cmd_create.c | 5 ++++-
34*4882a593Smuzhiyun futility/vb2_helper.c | 7 +++++--
35*4882a593Smuzhiyun
host/include/openssl_compat.h | 26 ++++++++++++++++++++++++++
36*4882a593Smuzhiyun host/lib/util_misc.c | 7 +++++--
37*4882a593Smuzhiyun host/lib21/host_key.c | 8 +++++++-
38*4882a593Smuzhiyun utility/dumpRSAPublicKey.c | 19 ++++++++++++++-----
39*4882a593Smuzhiyun 6 files changed, 61 insertions(+), 11 deletions(-)
40*4882a593Smuzhiyun create mode 100644 host/include/openssl_compat.h
41*4882a593Smuzhiyun
42*4882a593Smuzhiyundiff --git a/futility/cmd_create.c b/futility/cmd_create.c
43*4882a593Smuzhiyunindex 143ea9ae..80d3fd90 100644
44*4882a593Smuzhiyun--- a/futility/cmd_create.c
45*4882a593Smuzhiyun+++ b/futility/cmd_create.c
46*4882a593Smuzhiyun@@ -13,6 +13,7 @@
47*4882a593Smuzhiyun #include "2common.h"
48*4882a593Smuzhiyun #include "2id.h"
49*4882a593Smuzhiyun #include "2rsa.h"
50*4882a593Smuzhiyun+#include "openssl_compat.h"
51*4882a593Smuzhiyun #include "util_misc.h"
52*4882a593Smuzhiyun #include "vb2_common.h"
53*4882a593Smuzhiyun #include "vb2_struct.h"
54*4882a593Smuzhiyun@@ -170,6 +171,7 @@ static int vb2_make_keypair()
55*4882a593Smuzhiyun enum vb2_signature_algorithm sig_alg;
56*4882a593Smuzhiyun uint8_t *pubkey_buf = 0;
57*4882a593Smuzhiyun int has_priv = 0;
58*4882a593Smuzhiyun+ const BIGNUM *rsa_d;
59*4882a593Smuzhiyun
60*4882a593Smuzhiyun FILE *fp;
61*4882a593Smuzhiyun int ret = 1;
62*4882a593Smuzhiyun@@ -193,7 +195,8 @@ static int vb2_make_keypair()
63*4882a593Smuzhiyun goto done;
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun /* Public keys doesn't have the private exponent */
66*4882a593Smuzhiyun- has_priv = !!rsa_key->d;
67*4882a593Smuzhiyun+ RSA_get0_key(rsa_key, NULL, NULL, &rsa_d);
68*4882a593Smuzhiyun+ has_priv = !!rsa_d;
69*4882a593Smuzhiyun if (!has_priv)
70*4882a593Smuzhiyun fprintf(stderr, "%s has a public key only.\n", infile);
71*4882a593Smuzhiyun
72*4882a593Smuzhiyundiff --git a/futility/vb2_helper.c b/futility/vb2_helper.c
73*4882a593Smuzhiyunindex 51a78375..c6cc0fdd 100644
74*4882a593Smuzhiyun--- a/futility/vb2_helper.c
75*4882a593Smuzhiyun+++ b/futility/vb2_helper.c
76*4882a593Smuzhiyun@@ -11,6 +11,7 @@
77*4882a593Smuzhiyun #include "2common.h"
78*4882a593Smuzhiyun #include "2id.h"
79*4882a593Smuzhiyun #include "2rsa.h"
80*4882a593Smuzhiyun+#include "openssl_compat.h"
81*4882a593Smuzhiyun #include "util_misc.h"
82*4882a593Smuzhiyun #include "vb2_common.h"
83*4882a593Smuzhiyun #include "vb2_struct.h"
84*4882a593Smuzhiyun@@ -216,6 +217,7 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data)
85*4882a593Smuzhiyun uint8_t *keyb, *digest;
86*4882a593Smuzhiyun uint32_t keyb_len;
87*4882a593Smuzhiyun int i, bits;
88*4882a593Smuzhiyun+ const BIGNUM *rsa_key_n, *rsa_key_d;
89*4882a593Smuzhiyun
90*4882a593Smuzhiyun /* We're called only after ft_recognize_pem, so this should work. */
91*4882a593Smuzhiyun rsa_key = rsa_from_buffer(buf, len);
92*4882a593Smuzhiyun@@ -223,10 +225,11 @@ int ft_show_pem(const char *name, uint8_t *buf, uint32_t len, void *data)
93*4882a593Smuzhiyun DIE;
94*4882a593Smuzhiyun
95*4882a593Smuzhiyun /* Use to presence of the private exponent to decide if it's public */
96*4882a593Smuzhiyun- printf("%s Key file: %s\n", rsa_key->d ? "Private" : "Public",
97*4882a593Smuzhiyun+ RSA_get0_key(rsa_key, &rsa_key_n, NULL, &rsa_key_d);
98*4882a593Smuzhiyun+ printf("%s Key file: %s\n", rsa_key_d ?
"Private" : "Public",
99*4882a593Smuzhiyun name);
100*4882a593Smuzhiyun
101*4882a593Smuzhiyun- bits = BN_num_bits(rsa_key->n);
102*4882a593Smuzhiyun+ bits = BN_num_bits(rsa_key_n);
103*4882a593Smuzhiyun printf(" Key length: %d\n", bits);
104*4882a593Smuzhiyun
105*4882a593Smuzhiyun if (vb_keyb_from_rsa(rsa_key, &keyb, &keyb_len)) {
106*4882a593Smuzhiyundiff --git a/host/include/openssl_compat.h b/host/include/openssl_compat.h
107*4882a593Smuzhiyunnew file mode 100644
108*4882a593Smuzhiyunindex 00000000..7771f32a
109*4882a593Smuzhiyun--- /dev/null
110*4882a593Smuzhiyun+++ b/host/include/openssl_compat.h
111*4882a593Smuzhiyun@@ -0,0 +1,26 @@
112*4882a593Smuzhiyun+/* Copyright 2017 The Chromium OS Authors. All rights reserved.
113*4882a593Smuzhiyun+ * Use of this source code is governed by a BSD-style license that can be
114*4882a593Smuzhiyun+ * found in the LICENSE file.
115*4882a593Smuzhiyun+ */
116*4882a593Smuzhiyun+
117*4882a593Smuzhiyun+#ifndef VBOOT_REFERENCE_OPENSSL_COMPAT_H_
118*4882a593Smuzhiyun+#define VBOOT_REFERENCE_OPENSSL_COMPAT_H_
119*4882a593Smuzhiyun+
120*4882a593Smuzhiyun+#include <openssl/rsa.h>
121*4882a593Smuzhiyun+
122*4882a593Smuzhiyun+#if OPENSSL_VERSION_NUMBER < 0x10100000L
123*4882a593Smuzhiyun+
124*4882a593Smuzhiyun+static inline void RSA_get0_key(const RSA *rsa, const BIGNUM **n,
125*4882a593Smuzhiyun+ const BIGNUM **e, const BIGNUM **d)
126*4882a593Smuzhiyun+{
127*4882a593Smuzhiyun+ if (n != NULL)
128*4882a593Smuzhiyun+ *n = rsa->n;
129*4882a593Smuzhiyun+ if (e != NULL)
130*4882a593Smuzhiyun+ *e = rsa->e;
131*4882a593Smuzhiyun+ if (d != NULL)
132*4882a593Smuzhiyun+ *d = rsa->d;
133*4882a593Smuzhiyun+}
134*4882a593Smuzhiyun+
135*4882a593Smuzhiyun+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
136*4882a593Smuzhiyun+
137*4882a593Smuzhiyun+#endif /* VBOOT_REFERENCE_OPENSSL_COMPAT_H_ */
138*4882a593Smuzhiyundiff --git a/host/lib/util_misc.c b/host/lib/util_misc.c
139*4882a593Smuzhiyunindex 03ec683f..f0a1f7ad 100644
140*4882a593Smuzhiyun---
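Review bot: The RSA_get0_key() shim in host/include/openssl_compat.h carries no comment describing its contract, and because callers in cmd_create.c and vb2_helper.c only reach it through this header on pre-1.1 builds, nothing at the call sites says whether the pointers it hands back are owned or borrowed. I'd add a block comment above the `#if` stating that it backports the OpenSSL 1.1 accessor for older OpenSSL, that each non-NULL out-parameter receives a pointer still owned by the RSA object (the caller must not free or modify it, and it may be NULL for a component the key lacks, which is exactly what the `!!rsa_d` test in cmd_create.c relies on), and that callers therefore need no version checks of their own. One caveat worth recording in that same comment: the guard keys purely off `OPENSSL_VERSION_NUMBER`, so a library that reports a 1.1-or-later number without providing RSA_get0_key (early LibreSSL releases, as far as I recall) would fail to build here.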
a/host/lib/util_misc.c
141*4882a593Smuzhiyun+++ b/host/lib/util_misc.c
142*4882a593Smuzhiyun@@ -15,6 +15,7 @@
143*4882a593Smuzhiyun
144*4882a593Smuzhiyun #include "cryptolib.h"
145*4882a593Smuzhiyun #include "host_common.h"
146*4882a593Smuzhiyun+#include "openssl_compat.h"
147*4882a593Smuzhiyun #include "util_misc.h"
148*4882a593Smuzhiyun #include "vboot_common.h"
149*4882a593Smuzhiyun
150*4882a593Smuzhiyun@@ -58,6 +59,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
151*4882a593Smuzhiyun BIGNUM *N0inv = NULL, *R = NULL, *RR = NULL;
152*4882a593Smuzhiyun BIGNUM *RRTemp = NULL, *NnumBits = NULL;
153*4882a593Smuzhiyun BIGNUM *n = NULL, *rr = NULL;
154*4882a593Smuzhiyun+ const BIGNUM *rsa_private_key_n;
155*4882a593Smuzhiyun BN_CTX *bn_ctx = BN_CTX_new();
156*4882a593Smuzhiyun uint32_t n0invout;
157*4882a593Smuzhiyun uint32_t bufsize;
158*4882a593Smuzhiyun@@ -65,7 +67,7 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
159*4882a593Smuzhiyun int retval = 1;
160*4882a593Smuzhiyun
161*4882a593Smuzhiyun /* Size of RSA key in 32-bit words */
162*4882a593Smuzhiyun- nwords = BN_num_bits(rsa_private_key->n) / 32;
163*4882a593Smuzhiyun+ nwords = RSA_size(rsa_private_key) / 4;
164*4882a593Smuzhiyun
165*4882a593Smuzhiyun bufsize = (2 + nwords + nwords) * sizeof(uint32_t);
166*4882a593Smuzhiyun outbuf = malloc(bufsize);
167*4882a593Smuzhiyun@@ -94,7 +96,8 @@ int vb_keyb_from_rsa(struct rsa_st *rsa_private_key,
168*4882a593Smuzhiyun NEW_BIGNUM(B);
169*4882a593Smuzhiyun #undef NEW_BIGNUM
170*4882a593Smuzhiyun
171*4882a593Smuzhiyun- BN_copy(N, rsa_private_key->n);
172*4882a593Smuzhiyun+ RSA_get0_key(rsa_private_key, &rsa_private_key_n, NULL, NULL);
173*4882a593Smuzhiyun+ BN_copy(N, rsa_private_key_n);
174*4882a593Smuzhiyun BN_set_word(Big1, 1L);
175*4882a593Smuzhiyun BN_set_word(Big2, 2L);
176*4882a593Smuzhiyun BN_set_word(Big32, 32L);
177*4882a593Smuzhiyundiff --git a/host/lib21/host_key.c b/host/lib21/host_key.c
178*4882a593Smuzhiyunindex f7ea1622..f9419ad3 100644
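Review bot: `nwords = RSA_size(rsa_private_key) / 4;` is not a drop-in replacement for the removed `BN_num_bits(rsa_private_key->n) / 32`: RSA_size() is the modulus length rounded up to whole bytes, so for a modulus whose bit length is not a multiple of 32 (say 2047 bits) the new expression yields 64 where the old one gave 63, and `bufsize` two lines below is derived from that value. This is harmless as long as only moduli that are a multiple of 32 bits (the sizes the host_key.c switch enumerates) reach vb_keyb_from_rsa, but the rounding change belongs next to the existing size comment, e.g. `/* RSA_size() rounds the modulus up to whole bytes; equal to BN_num_bits(n)/32 only for the 32-bit-multiple key sizes vboot accepts. */`. The same substitution is made in output() in utility/dumpRSAPublicKey.c and deserves the same note there. vb_keyb_from_rsa's body continues outside the hunk.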
179*4882a593Smuzhiyun--- a/host/lib21/host_key.c
180*4882a593Smuzhiyun+++ b/host/lib21/host_key.c
181*4882a593Smuzhiyun@@ -17,6 +17,7 @@
182*4882a593Smuzhiyun #include "host_common.h"
183*4882a593Smuzhiyun #include "host_key2.h"
184*4882a593Smuzhiyun #include "host_misc.h"
185*4882a593Smuzhiyun+#include "openssl_compat.h"
186*4882a593Smuzhiyun
187*4882a593Smuzhiyun struct vb2_text_vs_enum vb2_text_vs_algorithm[] = {
188*4882a593Smuzhiyun {"RSA1024 SHA1", VB2_ALG_RSA1024_SHA1},
189*4882a593Smuzhiyun@@ -544,7 +545,12 @@ int vb2_public_key_hash(struct vb2_public_key *key,
190*4882a593Smuzhiyun
191*4882a593Smuzhiyun enum vb2_signature_algorithm vb2_rsa_sig_alg(struct rsa_st *rsa)
192*4882a593Smuzhiyun {
193*4882a593Smuzhiyun- int bits = BN_num_bits(rsa->n);
194*4882a593Smuzhiyun+ const BIGNUM *e, *n;
195*4882a593Smuzhiyun+ int exp, bits;
196*4882a593Smuzhiyun+
197*4882a593Smuzhiyun+ RSA_get0_key(rsa, &n, &e, NULL);
198*4882a593Smuzhiyun+ exp = BN_get_word(e);
199*4882a593Smuzhiyun+ bits = BN_num_bits(n);
200*4882a593Smuzhiyun
201*4882a593Smuzhiyun switch (bits) {
202*4882a593Smuzhiyun case 1024:
203*4882a593Smuzhiyundiff --git a/utility/dumpRSAPublicKey.c b/utility/dumpRSAPublicKey.c
204*4882a593Smuzhiyunindex b3b7b96b..a17b159e 100644
205*4882a593Smuzhiyun--- a/utility/dumpRSAPublicKey.c
206*4882a593Smuzhiyun+++ b/utility/dumpRSAPublicKey.c
207*4882a593Smuzhiyun@@ -14,14 +14,20 @@
208*4882a593Smuzhiyun #include <string.h>
209*4882a593Smuzhiyun #include <unistd.h>
210*4882a593Smuzhiyun
211*4882a593Smuzhiyun+#include "openssl_compat.h"
212*4882a593Smuzhiyun+
213*4882a593Smuzhiyun /* Command line tool to extract RSA public keys from X.509 certificates
214*4882a593Smuzhiyun * and output a pre-processed version of keys for use by RSA verification
215*4882a593Smuzhiyun * routines.
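Review bot: `exp = BN_get_word(e);` in vb2_rsa_sig_alg stores a BN_ULONG into an `int`, and BN_get_word() returns an all-ones mask when the exponent does not fit in a word, which this narrowing turns into -1; if the rest of the function (outside the hunk) compares exp against exponent constants it should be declared `BN_ULONG exp;` and compared unsigned, and if exp is not consumed at all the line is a set-but-unused variable that the compiler will warn about. The removed line computed only bits, so the exponent lookup is a new, uncommented step; a one-line comment saying why the exponent now matters here would help the next reader. RSA_get0_key() also hands back whatever the RSA object holds, so `e` (and `n`) can be NULL for an object without public components and BN_get_word(e) would then dereference NULL; an explicit `if (!n || !e)` returning the function's error value is cheap insurance.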
216*4882a593Smuzhiyun */
217*4882a593Smuzhiyun
218*4882a593Smuzhiyun int check(RSA* key) {
219*4882a593Smuzhiyun- int public_exponent = BN_get_word(key->e);
220*4882a593Smuzhiyun- int modulus = BN_num_bits(key->n);
221*4882a593Smuzhiyun+ const BIGNUM *n, *e;
222*4882a593Smuzhiyun+ int public_exponent, modulus;
223*4882a593Smuzhiyun+
224*4882a593Smuzhiyun+ RSA_get0_key(key, &n, &e, NULL);
225*4882a593Smuzhiyun+ public_exponent = BN_get_word(e);
226*4882a593Smuzhiyun+ modulus = BN_num_bits(n);
227*4882a593Smuzhiyun
228*4882a593Smuzhiyun if (public_exponent != 65537) {
229*4882a593Smuzhiyun fprintf(stderr, "WARNING: Public exponent should be 65537 (but is %d).\n",
230*4882a593Smuzhiyun@@ -40,7 +46,8 @@ int check(RSA* key) {
231*4882a593Smuzhiyun */
232*4882a593Smuzhiyun void output(RSA* key) {
233*4882a593Smuzhiyun int i, nwords;
234*4882a593Smuzhiyun- BIGNUM *N = key->n;
235*4882a593Smuzhiyun+ const BIGNUM *key_n;
236*4882a593Smuzhiyun+ BIGNUM *N = NULL;
237*4882a593Smuzhiyun BIGNUM *Big1 = NULL, *Big2 = NULL, *Big32 = NULL, *BigMinus1 = NULL;
238*4882a593Smuzhiyun BIGNUM *B = NULL;
239*4882a593Smuzhiyun BIGNUM *N0inv= NULL, *R = NULL, *RR = NULL, *RRTemp = NULL, *NnumBits = NULL;
240*4882a593Smuzhiyun@@ -48,14 +55,15 @@ void output(RSA* key) {
241*4882a593Smuzhiyun BN_CTX *bn_ctx = BN_CTX_new();
242*4882a593Smuzhiyun uint32_t n0invout;
243*4882a593Smuzhiyun
244*4882a593Smuzhiyun- N = key->n;
245*4882a593Smuzhiyun /* Output size of RSA key in 32-bit words */
246*4882a593Smuzhiyun- nwords = BN_num_bits(N) / 32;
247*4882a593Smuzhiyun+ nwords = RSA_size(key) / 4;
248*4882a593Smuzhiyun if (-1 == write(1, &nwords, sizeof(nwords)))
249*4882a593Smuzhiyun goto failure;
250*4882a593Smuzhiyun
251*4882a593Smuzhiyun
252*4882a593Smuzhiyun /* Initialize BIGNUMs */
253*4882a593Smuzhiyun+ RSA_get0_key(key, &key_n, NULL, NULL);
254*4882a593Smuzhiyun+ N = BN_dup(key_n);
255*4882a593Smuzhiyun Big1 = BN_new();
256*4882a593Smuzhiyun Big2 = BN_new();
257*4882a593Smuzhiyun Big32 =
BN_new();
258*4882a593Smuzhiyun@@ -120,6 +128,7 @@ void output(RSA* key) {
259*4882a593Smuzhiyun
260*4882a593Smuzhiyun failure:
261*4882a593Smuzhiyun /* Free BIGNUMs. */
262*4882a593Smuzhiyun+ BN_free(N);
263*4882a593Smuzhiyun BN_free(Big1);
264*4882a593Smuzhiyun BN_free(Big2);
265*4882a593Smuzhiyun BN_free(Big32);
266*4882a593Smuzhiyun--
267*4882a593Smuzhiyun2.14.1
268*4882a593Smuzhiyun
269
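Review bot: `N = BN_dup(key_n);` in output() is unchecked, and since N now owns a fresh allocation instead of aliasing `key->n` as the removed `BIGNUM *N = key->n;` did, a NULL return flows into the BIGNUM arithmetic that follows the visible `Big32 = BN_new();` unless an allocation check further down the function (outside the hunk) also covers N; an explicit `if (!N) goto failure;` directly after the BN_dup keeps that path obvious and pairs with the `BN_free(N)` the commit adds at the failure label. The copy also changes ownership silently, so the line deserves a comment such as `/* Private copy: key->n is read-only through RSA_get0_key(); freed at failure. */` — and if the remainder of output() only reads N, using key_n directly would avoid the allocation altogether, which is worth confirming before keeping the dup. output()'s body continues outside the hunk.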