Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.6:Update
tboot
tboot-OpenSSL3-support.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tboot-OpenSSL3-support.patch of Package tboot
# HG changeset patch # User Pawel Randzio <pawel.randzio@intel.com> # Date 1639146463 -3600 # Fri Dec 10 15:27:43 2021 +0100 # Node ID 1d7d6d196bb17546a74cd51f3fadf246f4054722 # Parent 5bf5c12411d3a4a7e0a552203b40bfe59d5c7789 Add OpenSSL 3.0.0 support in lcptools-v2 diff -r 5bf5c12411d3 -r 1d7d6d196bb1 lcptools-v2/lcputils.c --- a/lcptools-v2/lcputils.c Wed Sep 15 16:53:34 2021 +0200 +++ b/lcptools-v2/lcputils.c Fri Dec 10 15:27:43 2021 +0100 @@ -50,6 +50,12 @@ #include <openssl/ecdsa.h> #include <openssl/ec.h> #include <openssl/evp.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include <openssl/core.h> + #include <openssl/decoder.h> + #include <openssl/crypto.h> + #include <openssl/param_build.h> +#endif #include <safe_lib.h> #include <snprintf_s.h> #define PRINT printf @@ -512,77 +518,164 @@ int status; EVP_PKEY_CTX *evp_context = NULL; EVP_PKEY *evp_key = NULL; - RSA *rsa_pubkey = NULL; BIGNUM *modulus = NULL; BIGNUM *exponent = NULL; tb_hash_t *digest = NULL; unsigned char exp_arr[] = {0x01, 0x00, 0x01}; + unsigned char *decrypted_sig = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t dcpt_sig_len; + #else + RSA *rsa_pubkey = NULL; + #endif LOG("[verify_rsa_signature]\n"); if (data == NULL || pubkey == NULL || signature == NULL) { ERROR("Error: list data, pubkey or signature buffer not defined.\n"); return false; } - uint8_t decrypted_sig[pubkey->size]; - - //1. Create public key - rsa_pubkey = RSA_new(); - if ( rsa_pubkey == NULL ) { - ERROR("Error: failed to allocate key\n"); - status = 0; - goto EXIT; - } - + modulus = BN_bin2bn(pubkey->data, pubkey->size, NULL); exponent = BN_bin2bn(exp_arr, 3, NULL); - if (modulus == NULL) { - goto OPENSSL_ERROR; - } - if (exponent == NULL) { + if ( modulus == NULL || exponent == NULL ) { + ERROR("Error: failed to convert modulus and/or exponent.\n"); goto OPENSSL_ERROR; } - #if OPENSSL_VERSION_NUMBER >= 0x10100000L - RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + evp_context = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + if ( evp_context == NULL) { + ERROR("Error: failed to initialize CTX from name.\n"); + goto OPENSSL_ERROR; + } + + OSSL_PARAM_BLD *params_build = OSSL_PARAM_BLD_new(); + if ( params_build == NULL ) { + ERROR("Error: failed to set up parameter builder.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "n", modulus) ) { + ERROR("Error: failed to push modulus into param build.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "e", exponent) ) { + ERROR("Error: failed to push exponent into param build.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "d", NULL) ) { + ERROR("Error: failed to push NULL into param build.\n"); + goto OPENSSL_ERROR; + } + + OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(params_build); + if ( params == NULL ) { + ERROR("Error: failed to construct parameters from builder.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_fromdata_init(evp_context) <= 0 ) { + ERROR("Error: failed to initialize key creation.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_fromdata(evp_context, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0 ) { + ERROR("Error: failed to create key.\n"); + goto OPENSSL_ERROR; + } + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(params_build); + EVP_PKEY_CTX_free(evp_context); + evp_context = NULL; #else - rsa_pubkey->n = modulus; - rsa_pubkey->e = exponent; - rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; + rsa_pubkey = RSA_new(); + if ( rsa_pubkey == NULL ) { + ERROR("Error: failed to allocate key\n"); + status = 0; + goto EXIT; + } + + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); + #else + rsa_pubkey->n = modulus; + rsa_pubkey->e = exponent; + rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; + #endif #endif if (MAJOR_VER(list_ver) != MAJOR_VER(LCP_TPM20_POLICY_LIST2_1_VERSION_300)) { - //Decrypt signature - we will need to to find hashalg - status = RSA_public_decrypt(pubkey->size, signature->data, decrypted_sig, - rsa_pubkey, RSA_NO_PADDING); - if (status <= 0) { - ERROR("Error: failed to decrypt signature.\n"); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + + evp_context = EVP_PKEY_CTX_new(evp_key, NULL); + if ( evp_context == NULL ) { + ERROR("Error: failed to instatiate CTX.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_encrypt_init(evp_context) <= 0 ) { + ERROR("Error: failed to initialize signature decryption.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_CTX_set_rsa_padding(evp_context, RSA_NO_PADDING) <= 0 ) { + ERROR("Error: failed to set RSA padding.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_encrypt(evp_context, NULL, &dcpt_sig_len, signature->data, pubkey->size) <= 0 ) { + ERROR("Error: failed to retrieve decrypted signature length.\n"); + goto OPENSSL_ERROR; + } + decrypted_sig = OPENSSL_malloc(dcpt_sig_len); + if ( decrypted_sig == NULL ) { + ERROR("Error: failed to allocate memory for decrypted signature.\n"); + status = 0; + goto EXIT; + } + if ( EVP_PKEY_encrypt(evp_context, decrypted_sig, &dcpt_sig_len, signature->data, pubkey->size) <= 0 ) { + ERROR("Error: failed to decrypt signature.\n"); + goto OPENSSL_ERROR; + } + if ( verbose ) { + LOG("Decrypted signature: \n"); + print_hex("", decrypted_sig, dcpt_sig_len); + } + EVP_PKEY_CTX_free(evp_context); + evp_context = NULL; + #else + decrypted_sig = OPENSSL_malloc(pubkey->size); + status = RSA_public_decrypt(pubkey->size, signature->data, decrypted_sig, rsa_pubkey, RSA_NO_PADDING); + if (status <= 0) { + ERROR("Error: failed to decrypt signature.\n"); + goto OPENSSL_ERROR; + } + if ( verbose ) { + LOG("Decrypted signature: \n"); + print_hex("", decrypted_sig, pubkey->size); + } + #endif + //In older lists we need to get hashAlg from signature data. + hashAlg = pkcs_get_hashalg((const unsigned char *) decrypted_sig); + OPENSSL_free((void *) decrypted_sig); + } + + #if OPENSSL_VERSION_NUMBER < 0x30000000L + evp_key = EVP_PKEY_new(); + if ( evp_key == NULL) { goto OPENSSL_ERROR; } - if (verbose) { - LOG("Decrypted signature: \n"); - print_hex("", decrypted_sig, pubkey->size); + + status = EVP_PKEY_set1_RSA(evp_key, rsa_pubkey); + if (status <= 0) { + goto OPENSSL_ERROR; } - //In older lists we need to get hashAlg from signature data. - hashAlg = pkcs_get_hashalg((const unsigned char *) decrypted_sig); - } + #endif - evp_key = EVP_PKEY_new(); - if ( evp_key == NULL) { + evp_context = EVP_PKEY_CTX_new(evp_key, NULL); + if ( evp_context == NULL ) { + ERROR("Error: failed to initialize CTX from pkey.\n"); goto OPENSSL_ERROR; } - status = EVP_PKEY_set1_RSA(evp_key, rsa_pubkey); - if (status <= 0) { - goto OPENSSL_ERROR; - } - - evp_context = EVP_PKEY_CTX_new(evp_key, NULL); - if ( evp_context == NULL) { - goto OPENSSL_ERROR; - } - - status = EVP_PKEY_verify_init(evp_context); - if ( status <= 0) { + if ( EVP_PKEY_verify_init(evp_context) <= 0) { + ERROR("Error: failed to initialize verification."); goto OPENSSL_ERROR; } @@ -596,44 +689,38 @@ goto EXIT; } if ( status <= 0) { + ERROR("Error: failed to set rsa padding.\n"); goto OPENSSL_ERROR; } - switch ( hashAlg) { - case TPM_ALG_SHA1: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha1()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - case TPM_ALG_SHA256: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha256()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - case TPM_ALG_SHA384: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha384()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - default: + if ( hashAlg == TPM_ALG_SHA1 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha1()); + } else if ( hashAlg == TPM_ALG_SHA256 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha256()); + } else if ( hashAlg == TPM_ALG_SHA384 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha384()); + } else { ERROR("Error: Unknown hash alg.\n"); status = 0; goto EXIT; } + if ( status <= 0 ) { + ERROR("Error: failed to set signature message digest.\n"); + goto OPENSSL_ERROR; + } + digest = malloc(get_lcp_hash_size(hashAlg)); if (digest == NULL) { ERROR("Error: failed to allocate digest"); status = 0; goto EXIT; } - status = hash_buffer((const unsigned char *) data->data, data->size, digest, - hashAlg); - if (!status) { + if ( !hash_buffer((const unsigned char *) data->data, data->size, digest, hashAlg) ) { ERROR("Error: failed to hash list contents.\n"); + status = 0; goto EXIT; } - status = EVP_PKEY_verify(evp_context, signature->data, pubkey->size, - (const unsigned char *) digest, get_lcp_hash_size(hashAlg)); + status = EVP_PKEY_verify(evp_context, signature->data, pubkey->size, (const unsigned char *) digest, get_lcp_hash_size(hashAlg)); if (status < 0) { //Error occurred goto OPENSSL_ERROR; } @@ -646,12 +733,14 @@ ERR_free_strings(); status = 0; EXIT: + #if OPENSSL_VERSION_NUMBER < 0x30000000L + if (rsa_pubkey != NULL) + OPENSSL_free((void *) rsa_pubkey); + #endif if (evp_context != NULL) OPENSSL_free((void *) evp_context); if (evp_key != NULL) OPENSSL_free((void *) evp_key); - if (rsa_pubkey != NULL) - OPENSSL_free((void *) rsa_pubkey); if (modulus != NULL) OPENSSL_free((void *) modulus); if (exponent != NULL) @@ -686,102 +775,183 @@ Out: true/false on verification success or failure */ - //Stuff to make key with: + int result; BIGNUM *x = NULL; BIGNUM *y = NULL; - EC_KEY *ec_key = NULL; - EC_GROUP *ec_group = NULL; EVP_PKEY *evp_key = NULL; - const EVP_MD *mdtype; //Is freed when context is freed - - //Der encoded signature: + const EVP_MD *mdtype; const unsigned char *der_encoded_sig = NULL; int encoded_len; int curveId = 0; - - //Contexts: - EVP_MD_CTX *mctx = NULL; //Message Digest Context - EVP_PKEY_CTX *pctx = NULL; //Key context - - //Other: - int result; - + EVP_MD_CTX *mctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + const EC_GROUP *ec_group = NULL; + EC_POINT *ec_point = NULL; + unsigned char *point_buffer = NULL; + size_t pt_buf_len; + BN_CTX *bctx = NULL; + const char *curveName = NULL; + #else + EC_KEY *ec_key = NULL; + EC_GROUP *ec_group = NULL; + #endif + LOG("[verify_ec_signature]\n"); - if (data == NULL || pubkey_x == NULL || pubkey_y == NULL || - sig_r == NULL || sig_s == NULL) { - ERROR("Error: one or more buffers are not defined.\n"); - return false; - } - ec_key = EC_KEY_new(); - if (ec_key == NULL) { - ERROR("Error: failed to generate EC_KEY.\n"); - result = 0; - goto EXIT; + if ( data == NULL || pubkey_x == NULL || pubkey_y == NULL || sig_r == NULL || sig_s == NULL ) { + ERROR("Error: one or more buffers are not defined.\n"); + return false; } - evp_key = EVP_PKEY_new(); - if (evp_key == NULL) { - ERROR("Error: failed to generate EC_KEY.\n"); - result = 0; - goto EXIT; - } - switch (hashalg) - { - case TPM_ALG_SM3_256: + + if ( hashalg == TPM_ALG_SM3_256 ) { curveId = NID_sm2; mdtype = EVP_sm3(); - break; - case TPM_ALG_SHA256: + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + curveName = SN_sm2; + #endif + } else if ( hashalg == TPM_ALG_SHA256 ) { curveId = NID_secp256k1; mdtype = EVP_sha256(); - break; - case TPM_ALG_SHA384: + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + curveName = SN_secp256k1; + #endif + } else if ( hashalg == TPM_ALG_SHA384 ) { curveId = NID_secp384r1; mdtype = EVP_sha384(); - break; - default: + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + curveName = SN_secp384r1; + #endif + } else { ERROR("Error: unsupported hashalg.\n"); result = 0; goto EXIT; } + ec_group = EC_GROUP_new_by_curve_name(curveId); - if (ec_group == NULL) { - ERROR("Error: failed to generate new EC_GROUP.\n"); + if ( ec_group == NULL ) { + ERROR("Error: failed to create new EC group.\n"); goto OPENSSL_ERROR; } - result = EC_KEY_set_group(ec_key, ec_group); - if ( result <= 0) { - ERROR("Failed to set EC Key group.\n"); - goto OPENSSL_ERROR; - } + x = BN_bin2bn(pubkey_x->data, pubkey_x->size, NULL); y = BN_bin2bn(pubkey_y->data, pubkey_y->size, NULL); if ( x == NULL || y == NULL ) { - ERROR("Failed to convert buffer to OpenSSL BN.\n"); + ERROR("Error: Failed to convert binary pubkey to BIGNUM x and/or y.\n"); goto OPENSSL_ERROR; } - result = EC_KEY_set_public_key_affine_coordinates(ec_key, x, y); - if ( result <= 0) { - ERROR("Failed to set key coordinates.\n"); - goto OPENSSL_ERROR; - } - result = EVP_PKEY_assign_EC_KEY(evp_key, ec_key); - if (result <= 0) { - ERROR("Error: failed to assign EC KEY to EVP structure.\n"); - goto OPENSSL_ERROR; - } + + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + ec_point = EC_POINT_new(ec_group); + if ( ec_point == NULL ) { + ERROR("Error: failed to create new EC point.\n"); + goto OPENSSL_ERROR; + } + + bctx = BN_CTX_new(); + if ( bctx == NULL ) { + ERROR("Error: Failed to create BIGNUM context.\n"); + goto OPENSSL_ERROR; + } + + if ( EC_POINT_set_affine_coordinates(ec_group, ec_point, x, y, bctx) <= 0 ) { + ERROR("Error: failed to set affine coordinates.\n"); + goto OPENSSL_ERROR; + } + + BN_CTX_free(bctx); + bctx = NULL; + bctx = BN_CTX_new(); + + pt_buf_len = EC_POINT_point2oct(ec_group, ec_point, POINT_CONVERSION_COMPRESSED, NULL, 0, bctx); + point_buffer = OPENSSL_malloc(pt_buf_len); + if ( point_buffer == NULL ) { + ERROR("Error: failed to allocate point buffer.\n"); + goto OPENSSL_ERROR; + } + + if ( EC_POINT_point2oct(ec_group, ec_point, POINT_CONVERSION_COMPRESSED, point_buffer, pt_buf_len, bctx) <= 0 ) { + ERROR("Error: failed to convert EC point into octal string.\n"); + goto OPENSSL_ERROR; + } + + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); + if ( ctx == NULL ) { + ERROR("Error: failed to initialize key creation CTX.\n"); + goto OPENSSL_ERROR; + } + + OSSL_PARAM_BLD *params_build = OSSL_PARAM_BLD_new(); + if ( params_build == NULL ) { + ERROR("Error: failed to set up parameter builder.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_utf8_string(params_build, "group", curveName, 0) ) { + ERROR("Error: failed to push group into param build.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_octet_string(params_build, "pub", point_buffer, pt_buf_len) ) { + ERROR("Error: failed to push pubkey into param build.\n"); + goto OPENSSL_ERROR; + } + OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(params_build); + if ( params == NULL ) { + ERROR("Error: failed to construct params from build.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_fromdata_init(ctx) <= 0 ) { + ERROR("ERROR: failed to initialize key creation from data.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { + ERROR("Error: failed to create EC_KEY.\n"); + result = 0; + goto EXIT; + } + OSSL_PARAM_BLD_free(params_build); + OSSL_PARAM_free(params); + EVP_PKEY_CTX_free(ctx); + BN_CTX_free(bctx); + #else + ec_key = EC_KEY_new(); + if (ec_key == NULL) { + ERROR("Error: failed to generate EC_KEY.\n"); + result = 0; + goto EXIT; + } + evp_key = EVP_PKEY_new(); + if (evp_key == NULL) { + ERROR("Error: failed to generate EC_KEY.\n"); + result = 0; + goto EXIT; + } + if ( EC_KEY_set_group(ec_key, ec_group) <= 0) { + ERROR("Failed to set EC Key group.\n"); + goto OPENSSL_ERROR; + } + if ( EC_KEY_set_public_key_affine_coordinates(ec_key, x, y) <= 0) { + ERROR("Failed to set key coordinates.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_assign_EC_KEY(evp_key, ec_key) <= 0) { + ERROR("Error: failed to assign EC KEY to EVP structure.\n"); + goto OPENSSL_ERROR; + } + if (sigalg == TPM_ALG_SM2) { + if ( EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2) <= 0 ) { + ERROR("Error: failed to set EVP KEY alias to SM2.\n"); + goto OPENSSL_ERROR; + } + } + #endif + mctx = EVP_MD_CTX_new(); if (mctx == NULL) { ERROR("Error: failed to generate message digest context.\n"); result = 0; goto EXIT; } - if (sigalg == TPM_ALG_SM2) { - result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2); - if (result <= 0) { - ERROR("Error: failed to set EVP KEY alias to SM2.\n"); - goto OPENSSL_ERROR; - } - } pctx = EVP_PKEY_CTX_new(evp_key, NULL); if (pctx == NULL) { ERROR("Error: failed to generate key context.\n"); @@ -789,8 +959,7 @@ goto EXIT; } if (sigalg == TPM_ALG_SM2) { - result = EVP_PKEY_CTX_set1_id(pctx, SM2_ID, SM2_ID_LEN); - if (result <= 0) { + if ( EVP_PKEY_CTX_set1_id(pctx, SM2_ID, SM2_ID_LEN) <= 0 ) { ERROR("Error: failed to set sm2 id.\n"); goto OPENSSL_ERROR; } @@ -802,26 +971,24 @@ result = 0; goto EXIT; } - result = EVP_DigestVerifyInit(mctx, NULL, mdtype, NULL, evp_key); - if (result <= 0) { - ERROR("Error: error while verifying.\n"); + if ( EVP_DigestVerifyInit(mctx, NULL, mdtype, NULL, evp_key) <= 0 ) { + ERROR("Error: error while verifying (init).\n"); goto OPENSSL_ERROR; } - if (verbose) { + if ( verbose ) { LOG("Data that was signed:\n"); print_hex(" ", data->data, data->size); } - result = EVP_DigestVerifyUpdate(mctx, data->data, data->size); - if (result <= 0) { - ERROR("Error: error while verifying.\n"); + if ( EVP_DigestVerifyUpdate(mctx, data->data, data->size) <= 0) { + ERROR("Error: error while verifying (update).\n"); goto OPENSSL_ERROR; } result = EVP_DigestVerifyFinal(mctx, der_encoded_sig, encoded_len); if (result < 0) { - ERROR("Error: error while verifying.\n"); + ERROR("Error: error while verifying (final)\tError code = %d.\n", result); goto OPENSSL_ERROR; } - goto EXIT; + goto EXIT; OPENSSL_ERROR: ERR_load_crypto_strings(); ERROR("OpenSSL error: %s\n",ERR_error_string(ERR_get_error(), NULL)); @@ -829,8 +996,23 @@ result = 0; EXIT: //cleanup: - if (ec_key != NULL) { - OPENSSL_free((void *) ec_key); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (ec_point != NULL) { + OPENSSL_free((void *) ec_point); + } + if (point_buffer != NULL) { + OPENSSL_free((void *) point_buffer); + } + if (curveName != NULL) { + OPENSSL_free((void *) curveName); + } + #else + if (ec_key != NULL) { + OPENSSL_free((void *) ec_key); + } + #endif + if (ec_group != NULL) { + OPENSSL_free((void *) ec_group); } if (evp_key != NULL) { OPENSSL_free((void *) evp_key); @@ -841,11 +1023,8 @@ if (y != NULL) { OPENSSL_free((void *) y); } - if (ec_group != NULL) { - OPENSSL_free((void *) ec_group); - } if (der_encoded_sig != NULL) { - OPENSSL_free((void *)der_encoded_sig); + OPENSSL_free((void *) der_encoded_sig); } if (mctx != NULL) { OPENSSL_free(mctx); @@ -871,7 +1050,6 @@ */ int result; size_t sig_length; - EC_KEY *ec_key = NULL; EVP_PKEY *evp_key = NULL; EVP_MD_CTX *mctx = NULL; EVP_PKEY_CTX *pctx = NULL; @@ -880,6 +1058,9 @@ const BIGNUM *sig_r = NULL; //Is freed when ECDSA_SIG is freed const BIGNUM *sig_s = NULL; //Is freed when ECDSA_SIG is freed const unsigned char *signature_block = NULL; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + EC_KEY *ec_key = NULL; + #endif LOG("[ec_sign_data]\n"); if (data == NULL || r == NULL || s == NULL) { @@ -891,37 +1072,49 @@ ERROR("Error: failed to allocate message digest context.\n"); goto OPENSSL_ERROR; } - fp = fopen(privkey_file, "r"); + fp = fopen(privkey_file, "rb"); if ( fp == NULL ) { ERROR("Error: failed to open file %s: %s\n", privkey_file, strerror(errno)); result = 0; goto EXIT; } - ec_key = PEM_read_ECPrivateKey(fp, NULL, NULL, NULL); - if (ec_key == NULL) { - ERROR("Error: failed to allocate EC key.\n"); - goto OPENSSL_ERROR; - } + + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_DECODER_CTX *dctx; + dctx = OSSL_DECODER_CTX_new_for_pkey(&evp_key, "PEM", NULL, "EC", OSSL_KEYMGMT_SELECT_PRIVATE_KEY, NULL, NULL); + if ( dctx == NULL ) { + goto OPENSSL_ERROR; + } + if ( !OSSL_DECODER_from_fp(dctx, fp) ) { + goto OPENSSL_ERROR; + } + OSSL_DECODER_CTX_free(dctx); + #else + ec_key = PEM_read_ECPrivateKey(fp, NULL, NULL, NULL); + if (ec_key == NULL) { + ERROR("Error: failed to allocate EC key.\n"); + goto OPENSSL_ERROR; + } + evp_key = EVP_PKEY_new(); + if (evp_key == NULL) { + ERROR("Error: failed to allocate EVP key.\n"); + goto OPENSSL_ERROR; + } + result = EVP_PKEY_assign_EC_KEY(evp_key, ec_key); + if (result <= 0) { + ERROR("Error: failed to assign EC key to EVP structure.\n"); + goto OPENSSL_ERROR; + } + if (sigalg == TPM_ALG_SM2) { + result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2); + if (result <= 0) { + ERROR("Error: failed to assign SM2 alias to EVP key.\n"); + goto OPENSSL_ERROR; + } + } + #endif fclose(fp); fp = NULL; - evp_key = EVP_PKEY_new(); - if (evp_key == NULL) { - ERROR("Error: failed to allocate EVP key.\n"); - goto OPENSSL_ERROR; - } - result = EVP_PKEY_assign_EC_KEY(evp_key, ec_key); - if (result <= 0) { - ERROR("Error: failed to assign EC key to EVP structure.\n"); - goto OPENSSL_ERROR; - } - - if (sigalg == TPM_ALG_SM2) { - result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2); - if (result <= 0) { - ERROR("Error: failed to assign SM2 alias to EVP key.\n"); - goto OPENSSL_ERROR; - } - } pctx = EVP_PKEY_CTX_new(evp_key, NULL); if (pctx == NULL) { @@ -999,9 +1192,11 @@ ERR_free_strings(); result = 0; EXIT: - if (ec_key != NULL) { - OPENSSL_free((void *) ec_key); - } + #if OPENSSL_VERSION_NUMBER < 0x30000000L + if (ec_key != NULL) { + OPENSSL_free((void *) ec_key); + } + #endif if (evp_key != NULL) { OPENSSL_free((void *) evp_key); } @@ -1185,8 +1380,9 @@ uint8_t der_oid = 0x06; size_t oid_size; - if (data == NULL) + if (data == NULL) { return TPM_ALG_NULL; + } data += 2; //Skip 00 01 //Skip 0xFFs padding and 00 after it @@ -1195,8 +1391,9 @@ } while (*data == 0xFF); //Then move to der_oid data += 5; - if (*data != der_oid) + if (*data != der_oid) { return TPM_ALG_NULL; + } data += 1; //Read oid size: oid_size = *data; diff -r 5bf5c12411d3 -r 1d7d6d196bb1 lcptools-v2/pollist2.c --- a/lcptools-v2/pollist2.c Wed Sep 15 16:53:34 2021 +0200 +++ b/lcptools-v2/pollist2.c Fri Dec 10 15:27:43 2021 +0100 @@ -45,6 +45,10 @@ #include <openssl/pem.h> #include <openssl/err.h> #include <openssl/bn.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include <openssl/decoder.h> + #include <openssl/core.h> +#endif #define PRINT printf #include "../include/config.h" #include "../include/hash.h" @@ -93,8 +97,7 @@ if ( MAJOR_VER(version) == 1 ){ LOG("read_policy_list_file: version=0x0100\n"); bool no_sigblock; - if ( !verify_tpm12_policy_list(&(pollist->tpm12_policy_list), - len, &no_sigblock, true) ) { + if ( !verify_tpm12_policy_list(&(pollist->tpm12_policy_list), len, &no_sigblock, true) ) { free(pollist); return NULL; } @@ -815,14 +818,31 @@ lcp_signature_t2 *read_rsa_pubkey_file(const char *file) { LOG("read_rsa_pubkey_file\n"); - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "rb"); if ( fp == NULL ) { ERROR("Error: failed to open .pem file %s: %s\n", file, strerror(errno)); return NULL; } - RSA *pubkey = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *pubkey = NULL; + OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(&pubkey, "PEM", NULL, "RSA", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + if ( dctx == NULL ) { + ERROR("Error: no suitable potential decoders found\n"); + fclose(fp); + return NULL; + } + if ( !OSSL_DECODER_from_fp(dctx, fp) ) { + ERROR("Error: decoding failure\n"); + fclose(fp); + return NULL; + } + OSSL_DECODER_CTX_free(dctx); + #else + RSA *pubkey = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); + #endif + if ( pubkey == NULL ) { ERR_load_crypto_strings(); ERROR("Error: failed to read .pem file %s: %s\n", file, @@ -832,10 +852,14 @@ return NULL; } - unsigned int keysize = RSA_size(pubkey); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + unsigned int keysize = EVP_PKEY_get_size(pubkey); + #else + unsigned int keysize = RSA_size(pubkey); + #endif if ( keysize == 0 ) { ERROR("Error: public key size is 0\n"); - RSA_free(pubkey); + OPENSSL_free((void *) pubkey); fclose(fp); return NULL; } @@ -843,17 +867,21 @@ lcp_signature_t2 *sig = malloc(sizeof(lcp_rsa_signature_t) + 2*keysize); if ( sig == NULL ) { ERROR("Error: failed to allocate sig\n"); - RSA_free(pubkey); + OPENSSL_free((void *) pubkey); fclose(fp); return NULL; } - const BIGNUM *modulus = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + BIGNUM *modulus = NULL; + #else + const BIGNUM *modulus = NULL; + #endif memset_s(sig, sizeof(lcp_rsa_signature_t) + 2*keysize, 0); sig->rsa_signature.pubkey_size = keysize; - /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA - stuct */ - #if OPENSSL_VERSION_NUMBER >= 0x10100000L + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY_get_bn_param(pubkey, "n", &modulus); + #elif OPENSSL_VERSION_NUMBER >= 0x10100000L RSA_get0_key(pubkey, &modulus, NULL, NULL); #else modulus = pubkey->n; @@ -872,7 +900,7 @@ } LOG("read rsa pubkey succeed!\n"); - RSA_free(pubkey); + OPENSSL_free((void *) pubkey); fclose(fp); return sig; } @@ -881,52 +909,83 @@ { lcp_signature_t2 *sig = NULL; FILE *fp = NULL; - const EC_KEY *pubkey = NULL; - const EC_POINT *pubpoint = NULL; - const EC_GROUP *pubgroup = NULL; BIGNUM *x = NULL; BIGNUM *y = NULL; - BN_CTX *ctx = NULL; uint8_t *qx = NULL; uint8_t *qy = NULL; - uint16_t keySize; uint16_t keySizeBytes; int result; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + const EC_KEY *pubkey = NULL; + const EC_POINT *pubpoint = NULL; + const EC_GROUP *pubgroup = NULL; + BN_CTX *ctx = NULL; + #else + EVP_PKEY *pubkey; + #endif LOG("read ecdsa pubkey file for list signature.\n"); - fp = fopen(pubkey_file, "r"); + fp = fopen(pubkey_file, "rb"); if ( fp == NULL) { ERROR("ERROR: cannot open file.\n"); goto ERROR; } - pubkey = PEM_read_EC_PUBKEY(fp, NULL, NULL, NULL); - if ( pubkey == NULL ) { - goto OPENSSL_ERROR; - } - //Close the file - fclose(fp); - fp = NULL; + + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_DECODER_CTX *dctx; + dctx = OSSL_DECODER_CTX_new_for_pkey(&pubkey, "PEM", NULL, "EC", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + if ( dctx == NULL ) { + goto OPENSSL_ERROR; + } + if ( !OSSL_DECODER_from_fp(dctx, fp) ) { + goto OPENSSL_ERROR; + } + OSSL_DECODER_CTX_free(dctx); + + if ( pubkey == NULL ) { + goto OPENSSL_ERROR; + } + + fclose(fp); + fp = NULL; - pubpoint = EC_KEY_get0_public_key(pubkey); - if ( pubpoint == NULL ) { - goto OPENSSL_ERROR; - } - pubgroup = EC_KEY_get0_group(pubkey); - if ( pubgroup == NULL ) { - goto OPENSSL_ERROR; - } + EVP_PKEY_get_bn_param(pubkey, "qx", &x); + EVP_PKEY_get_bn_param(pubkey, "qy", &y); + if ( x == NULL || y == NULL ) { + goto OPENSSL_ERROR; + } + #else + pubkey = PEM_read_EC_PUBKEY(fp, NULL, NULL, NULL); + if ( pubkey == NULL ) { + goto OPENSSL_ERROR; + } + + fclose(fp); + fp = NULL; - x = BN_new(); - y = BN_new(); - ctx = BN_CTX_new(); - if ( x == NULL|| y == NULL || ctx == NULL) { - goto OPENSSL_ERROR; - } - result = EC_POINT_get_affine_coordinates_GFp(pubgroup, pubpoint, x, y, ctx); - if (result <= 0) { - goto OPENSSL_ERROR; - } + pubpoint = EC_KEY_get0_public_key(pubkey); + if ( pubpoint == NULL ) { + goto OPENSSL_ERROR; + } + pubgroup = EC_KEY_get0_group(pubkey); + if ( pubgroup == NULL ) { + goto OPENSSL_ERROR; + } + + x = BN_new(); + y = BN_new(); + ctx = BN_CTX_new(); + if ( x == NULL|| y == NULL || ctx == NULL) { + goto OPENSSL_ERROR; + } + + result = EC_POINT_get_affine_coordinates_GFp(pubgroup, pubpoint, x, y, ctx); + if (result <= 0) { + goto OPENSSL_ERROR; + } + #endif + keySize = BN_num_bytes(x)*8; if (BN_num_bytes(x) != BN_num_bytes(y)) { ERROR("ERROR: key coordinates are not the same length."); @@ -951,12 +1010,6 @@ goto ERROR; } - if ( keySize/8 != BN_num_bytes(x) || keySize/8 != BN_num_bytes(y) ) { - ERROR("ERROR: keySize 0x%X is not 0x%X or 0x%X.\n", keySizeBytes, - MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE); - goto ERROR; - } - sig = calloc(1, sizeof(lcp_ecc_signature_t)+(4*keySizeBytes)); //qx, qy, r and s if (sig == NULL) { ERROR("Error: failed to allocate signature.\n"); @@ -996,11 +1049,13 @@ free(qx); free(qy); OPENSSL_free((void *) pubkey); - OPENSSL_free((void *) pubpoint); - OPENSSL_free((void *) pubgroup); - OPENSSL_free((void *) ctx); OPENSSL_free((void *) x); OPENSSL_free((void *) y); + #if OPENSSL_VERSION_NUMBER < 0x30000000L + OPENSSL_free((void *) pubpoint); + OPENSSL_free((void *) pubgroup); + OPENSSL_free((void *) ctx); + #endif return sig; //Errors: @@ -1020,16 +1075,18 @@ free(qy); if (pubkey != NULL) OPENSSL_free((void *) pubkey); - if (pubpoint != NULL) - OPENSSL_free((void *) pubpoint); - if (pubgroup != NULL) - OPENSSL_free((void *) pubgroup); - if (ctx != NULL) - OPENSSL_free((void *) ctx); if (x != NULL) OPENSSL_free((void *) x); if (y != NULL) OPENSSL_free((void *) y); + #if OPENSSL_VERSION_NUMBER < 0x30000000L + if (pubpoint != NULL) + OPENSSL_free((void *) pubpoint); + if (pubgroup != NULL) + OPENSSL_free((void *) pubgroup); + if (ctx != NULL) + OPENSSL_free((void *) ctx); + #endif return NULL; } bool ec_sign_list2_data(lcp_policy_list_t2 *pollist, const char *privkey) diff -r 5bf5c12411d3 -r 1d7d6d196bb1 lcptools-v2/pollist2_1.c --- a/lcptools-v2/pollist2_1.c Wed Sep 15 16:53:34 2021 +0200 +++ b/lcptools-v2/pollist2_1.c Fri Dec 10 15:27:43 2021 +0100 @@ -48,6 +48,10 @@ #include <openssl/ecdsa.h> #include <openssl/ec.h> #include <openssl/evp.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include <openssl/decoder.h> + #include <openssl/core.h> +#endif #include "../include/hash.h" #include "../include/uuid.h" #include "../include/lcp3.h" @@ -1527,9 +1531,13 @@ Out: Pointer to signature structure. */ { - const BIGNUM *modulus = NULL; FILE *fp = NULL; - RSA *pubkey = NULL; + BIGNUM *modulus = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *pubkey = NULL; + #else + RSA *pubkey = NULL; + #endif lcp_signature_2_1 *sig = NULL; unsigned char *key = NULL; @@ -1537,14 +1545,26 @@ int result = 0; LOG("read_rsa_pubkey_file_2_1\n"); - fp = fopen(file, "r"); + fp = fopen(file, "rb"); if ( fp == NULL ) { ERROR("Error: failed to open .pem file %s: %s\n", file, strerror(errno)); return NULL; } - pubkey = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_DECODER_CTX *dctx; + dctx = OSSL_DECODER_CTX_new_for_pkey(&pubkey, "PEM", NULL, "RSA", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + if ( dctx == NULL ) { + goto OPENSSL_ERROR; + } + if ( !OSSL_DECODER_from_fp(dctx, fp) ) { + goto OPENSSL_ERROR; + } + OSSL_DECODER_CTX_free(dctx); + #else + pubkey = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); + #endif if ( pubkey == NULL ) { goto OPENSSL_ERROR; } @@ -1552,7 +1572,11 @@ fclose(fp); fp = NULL; - keysize = RSA_size(pubkey); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + keysize = EVP_PKEY_get_size(pubkey); + #else + keysize = RSA_size(pubkey); + #endif if ( keysize != 256 && keysize != 384 ) { ERROR("Error: public key size %d is not supported\n", keysize); goto ERROR; @@ -1564,14 +1588,17 @@ goto ERROR; } - #if OPENSSL_VERSION_NUMBER >= 0x10100000L - RSA_get0_key(pubkey, &modulus, NULL, NULL); - if (modulus == NULL) { - goto OPENSSL_ERROR; - } + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY_get_bn_param(pubkey, "n", &modulus); + #elif OPENSSL_VERSION_NUMBER >= 0x10100000L + RSA_get0_key(pubkey, (const BIGNUM **) &modulus, NULL, NULL); #else modulus = pubkey->n; #endif + if (modulus == NULL) { + goto OPENSSL_ERROR; + } + //Allocate for the key key = malloc(keysize); if (key == NULL) { @@ -1609,9 +1636,7 @@ free(key); return sig; OPENSSL_ERROR: - ERR_load_CRYPTO_strings(); ERROR("OpenSSL error: %s\n", ERR_error_string(ERR_get_error(), NULL)); - ERR_free_strings(); goto ERROR; ERROR: if (fp != NULL) @@ -1744,12 +1769,8 @@ int result; lcp_signature_2_1 *sig = NULL; FILE *fp = NULL; - const EC_KEY *pubkey = NULL; - const EC_POINT *pubpoint = NULL; - const EC_GROUP *pubgroup = NULL; BIGNUM *x = NULL; BIGNUM *y = NULL; - BN_CTX *ctx = NULL; uint16_t bytes_in_x; uint16_t bytes_in_y; uint16_t keySize; @@ -1758,43 +1779,74 @@ uint8_t qy[MAX_ECC_KEY_SIZE]; uint8_t qx_le[MAX_ECC_KEY_SIZE]; uint8_t qy_le[MAX_ECC_KEY_SIZE]; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + const EC_KEY *pubkey = NULL; + const EC_POINT *pubpoint = NULL; + const EC_GROUP *pubgroup = NULL; + BN_CTX *ctx = NULL; + #else + EVP_PKEY *pubkey = NULL; + #endif - LOG("read ecdsa pubkey file for signature 2.1.\n"); - fp = fopen(pubkey_file, "r"); + fp = fopen(pubkey_file, "rb"); if ( fp == NULL) { ERROR("ERROR: cannot open file.\n"); goto ERROR; } - pubkey = PEM_read_EC_PUBKEY(fp, NULL, NULL, NULL); - if ( pubkey == NULL ) { - goto OPENSSL_ERROR; - } + + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_DECODER_CTX *dctx; + dctx = OSSL_DECODER_CTX_new_for_pkey(&pubkey, "PEM", NULL, "EC", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + if ( dctx == NULL ) { + goto OPENSSL_ERROR; + } + if ( !OSSL_DECODER_from_fp(dctx, fp) ) { + goto OPENSSL_ERROR; + } + OSSL_DECODER_CTX_free(dctx); + + if ( pubkey == NULL ) { + goto OPENSSL_ERROR; + } + + EVP_PKEY_get_bn_param(pubkey, "qx", &x); + EVP_PKEY_get_bn_param(pubkey, "qy", &y); + if ( x == NULL|| y == NULL ) { + goto OPENSSL_ERROR; + } + #else + pubkey = PEM_read_EC_PUBKEY(fp, NULL, NULL, NULL); + if ( pubkey == NULL ) { + goto OPENSSL_ERROR; + } + + pubpoint = EC_KEY_get0_public_key(pubkey); + if ( pubpoint == NULL ) { + goto OPENSSL_ERROR; + } + pubgroup = EC_KEY_get0_group(pubkey); + if ( pubgroup == NULL ) { + goto OPENSSL_ERROR; + } + + x = BN_new(); + y = BN_new(); + if ( x == NULL|| y == NULL ) { + goto OPENSSL_ERROR; + } + ctx = BN_CTX_new(); + if ( ctx == NULL ) { + goto OPENSSL_ERROR; + } + result = EC_POINT_get_affine_coordinates_GFp(pubgroup, pubpoint, x, y, ctx); + if (result <= 0) { + goto OPENSSL_ERROR; + } + #endif //Close the file fclose(fp); fp = NULL; - pubpoint = EC_KEY_get0_public_key(pubkey); - if ( pubpoint == NULL ) { - goto OPENSSL_ERROR; - } - pubgroup = EC_KEY_get0_group(pubkey); - if ( pubgroup == NULL ) { - goto OPENSSL_ERROR; - } - - x = BN_new(); - y = BN_new(); - if ( x == NULL|| y == NULL ) { - goto OPENSSL_ERROR; - } - ctx = BN_CTX_new(); - if ( ctx == NULL ) { - goto OPENSSL_ERROR; - } - result = EC_POINT_get_affine_coordinates_GFp(pubgroup, pubpoint, x, y, ctx); - if (result <= 0) { - goto OPENSSL_ERROR; - } bytes_in_x = BN_num_bytes(x); bytes_in_y = BN_num_bytes(y); @@ -1865,11 +1917,13 @@ } //Free resources: OPENSSL_free((void *) pubkey); - OPENSSL_free((void *) pubpoint); - OPENSSL_free((void *) pubgroup); - OPENSSL_free((void *) ctx); OPENSSL_free((void *) x); OPENSSL_free((void *) y); + #if OPENSSL_VERSION_NUMBER < 0x30000000L + OPENSSL_free((void *) pubpoint); + OPENSSL_free((void *) pubgroup); + OPENSSL_free((void *) ctx); + #endif return sig; //ERROR handling: OPENSSL_ERROR: @@ -1884,16 +1938,18 @@ free(sig); if (pubkey != NULL) OPENSSL_free((void *) pubkey); - if (pubpoint != NULL) - OPENSSL_free((void *) pubpoint); - if (pubgroup != NULL) - OPENSSL_free((void *) pubgroup); - if (ctx != NULL) - OPENSSL_free((void *) ctx); if (x != NULL) OPENSSL_free((void *) x); if (y != NULL) OPENSSL_free((void *) y); + #if OPENSSL_VERSION_NUMBER < 0x30000000L + if (pubpoint != NULL) + OPENSSL_free((void *) pubpoint); + if (pubgroup != NULL) + OPENSSL_free((void *) pubgroup); + if (ctx != NULL) + OPENSSL_free((void *) ctx); + #endif return NULL; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor