Note that with this patch it builds with OpenSSL 1.1, but not 1.0. It would not be hard to make it work with both, though, similar to https://github.com/ThomasHabets/simple-tpm-pk11/commit/354f0cf3a193dbe8b1151059a08b0598531b645c
(I hope Debian bugs accept attachments) -- typedef struct me_s { char name[] = { "Thomas Habets" }; char email[] = { "tho...@habets.se" }; char kernel[] = { "Linux" }; char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" }; char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" }; char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" }; } me_t;
From 6ec8e342f1aaaea0de8fe9aa349277e9f9abc2b9 Mon Sep 17 00:00:00 2001 From: Thomas Habets <hab...@google.com> Date: Tue, 1 Nov 2016 10:31:54 +0000 Subject: [PATCH 1/1] Add OpenSSL 1.1 support --- src/tcs/crypto/openssl/crypto.c | 11 +++---- src/trspi/crypto/openssl/hash.c | 17 +++++------ src/trspi/crypto/openssl/rsa.c | 41 +++++++++++++++----------- src/trspi/crypto/openssl/symmetric.c | 56 +++++++++++++++++++----------------- 4 files changed, 70 insertions(+), 55 deletions(-) diff --git a/src/tcs/crypto/openssl/crypto.c b/src/tcs/crypto/openssl/crypto.c index c02db27..b354f6f 100644 --- a/src/tcs/crypto/openssl/crypto.c +++ b/src/tcs/crypto/openssl/crypto.c @@ -31,13 +31,13 @@ TSS_RESULT Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) { - EVP_MD_CTX md_ctx; + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); unsigned int result_size; int rv; switch (HashType) { case TSS_HASH_SHA1: - rv = EVP_DigestInit(&md_ctx, EVP_sha1()); + rv = EVP_DigestInit(md_ctx, EVP_sha1()); break; default: rv = TCSERR(TSS_E_BAD_PARAMETER); @@ -50,19 +50,20 @@ Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) goto out; } - rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize); + rv = EVP_DigestUpdate(md_ctx, Buf, BufSize); if (rv != EVP_SUCCESS) { rv = TCSERR(TSS_E_INTERNAL_ERROR); goto out; } - result_size = EVP_MD_CTX_size(&md_ctx); - rv = EVP_DigestFinal(&md_ctx, Digest, &result_size); + result_size = EVP_MD_CTX_size(md_ctx); + rv = EVP_DigestFinal(md_ctx, Digest, &result_size); if (rv != EVP_SUCCESS) { rv = TCSERR(TSS_E_INTERNAL_ERROR); } else rv = TSS_SUCCESS; out: + EVP_MD_CTX_free(md_ctx); return rv; } diff --git a/src/trspi/crypto/openssl/hash.c b/src/trspi/crypto/openssl/hash.c index f6cf3dc..cdb2c11 100644 --- a/src/trspi/crypto/openssl/hash.c +++ b/src/trspi/crypto/openssl/hash.c 
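Review bot: `EVP_MD_CTX_new()` can return NULL, and in `Hash()` the result goes straight into `EVP_DigestInit()` with no check; the old stack-allocated context could not fail this way. Add `if (md_ctx == NULL) return TCSERR(TSS_E_OUTOFMEMORY);` before the `switch`, and the same guard with `TSPERR` in `Trspi_Hash()` in hash.c. The four `EVP_CIPHER_CTX_new()` declarations in symmetric.c are unchecked in the same way, whereas `Trspi_HashInit()` already tests the result.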
@@ -56,13 +56,13 @@ int MGF1(unsigned char *, long, const unsigned char *, long); TSS_RESULT Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) { - EVP_MD_CTX md_ctx; + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); unsigned int result_size; int rv; switch (HashType) { case TSS_HASH_SHA1: - rv = EVP_DigestInit(&md_ctx, EVP_sha1()); + rv = EVP_DigestInit(md_ctx, EVP_sha1()); break; default: rv = TSPERR(TSS_E_BAD_PARAMETER); @@ -75,14 +75,14 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) goto err; } - rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize); + rv = EVP_DigestUpdate(md_ctx, Buf, BufSize); if (rv != EVP_SUCCESS) { rv = TSPERR(TSS_E_INTERNAL_ERROR); goto err; } - result_size = EVP_MD_CTX_size(&md_ctx); - rv = EVP_DigestFinal(&md_ctx, Digest, &result_size); + result_size = EVP_MD_CTX_size(md_ctx); + rv = EVP_DigestFinal(md_ctx, Digest, &result_size); if (rv != EVP_SUCCESS) { rv = TSPERR(TSS_E_INTERNAL_ERROR); goto err; @@ -94,6 +94,7 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) err: DEBUG_print_openssl_errors(); out: + EVP_MD_CTX_free(md_ctx); return rv; } @@ -112,7 +113,7 @@ Trspi_HashInit(Trspi_HashCtx *ctx, UINT32 HashType) break; } - if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL) + if ((ctx->ctx = EVP_MD_CTX_new()) == NULL) return TSPERR(TSS_E_OUTOFMEMORY); rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md); @@ -142,7 +143,7 @@ Trspi_HashUpdate(Trspi_HashCtx *ctx, UINT32 size, BYTE *data) rv = EVP_DigestUpdate(ctx->ctx, data, size); if (rv != EVP_SUCCESS) { DEBUG_print_openssl_errors(); - free(ctx->ctx); + EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL; return TSPERR(TSS_E_INTERNAL_ERROR); } @@ -164,7 +165,7 @@ Trspi_HashFinal(Trspi_HashCtx *ctx, BYTE *digest) if (rv != EVP_SUCCESS) return TSPERR(TSS_E_INTERNAL_ERROR); - free(ctx->ctx); + EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL; return TSS_SUCCESS; 
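Review bot: In the last hunk, `Trspi_HashFinal()` still returns on `rv != EVP_SUCCESS` before reaching `EVP_MD_CTX_free(ctx->ctx)`, so a failed finalization leaves the context allocated and `ctx->ctx` still set. `Trspi_HashUpdate()` in the hunk above frees and clears it on failure; doing the same here (`EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL;` before the error return) would make the two consistent. The start of the function is outside the hunk, so whether callers are expected to clean up after a failed final cannot be seen from here.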
diff --git a/src/trspi/crypto/openssl/rsa.c b/src/trspi/crypto/openssl/rsa.c index 0bd1e89..78f99ed 100644 --- a/src/trspi/crypto/openssl/rsa.c +++ b/src/trspi/crypto/openssl/rsa.c @@ -67,12 +67,15 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */ goto err; } - /* set the public key value in the OpenSSL object */ - rsa->n = BN_bin2bn(publicKey, keysize, rsa->n); - /* set the public exponent */ - rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e); - - if (rsa->n == NULL || rsa->e == NULL) { + BIGNUM *n, *e; + RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e, NULL); + /* set the public key value and exponent in the OpenSSL object */ + RSA_set0_key(rsa, + BN_bin2bn(publicKey, keysize, n), + BN_bin2bn(exp, sizeof(exp), e), + NULL); + + if (n == NULL || e == NULL) { rv = TSPERR(TSS_E_OUTOFMEMORY); goto err; } @@ -145,12 +148,15 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength, break; } - /* set the public key value in the OpenSSL object */ - rsa->n = BN_bin2bn(pModulus, iKeyLength, rsa->n); - /* set the public exponent */ - rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e); + BIGNUM *n, *e; + RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e, NULL); + /* set the public key value and exponent in the OpenSSL object */ + RSA_set0_key(rsa, + BN_bin2bn(pModulus, iKeyLength, n), + BN_bin2bn(exp, sizeof(exp), e), + NULL); - if (rsa->n == NULL || rsa->e == NULL) { + if (n == NULL || e == NULL) { rv = TSPERR(TSS_E_OUTOFMEMORY); goto err; } 
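Review bot: The NULL test after `RSA_set0_key()` in `Trspi_RSA_Encrypt()` inspects `n` and `e` as returned by `RSA_get0_key()`, not the results of `BN_bin2bn()`. If `rsa` is freshly created outside the hunk, both are NULL and the function always returns `TSS_E_OUTOFMEMORY`. If they are non-NULL, the key's own BIGNUMs are handed back to `RSA_set0_key()`, which the OpenSSL documentation says must not be done. The return value of `RSA_set0_key()` is also ignored, and the cast discards `const`. The same pattern is in the `Trspi_Verify()` hunk and in `Trspi_RSA_Public_Encrypt()` (there with `e2`); building fresh BIGNUMs and checking them before handing over ownership, as below, avoids all of these.

```c
	/* set the public key value and exponent in the OpenSSL object */
	BIGNUM *n = BN_bin2bn(publicKey, keysize, NULL);
	BIGNUM *e = BN_bin2bn(exp, sizeof(exp), NULL);

	if (n == NULL || e == NULL || !RSA_set0_key(rsa, n, e, NULL)) {
		/* ownership was not transferred, so release both here */
		BN_free(n);
		BN_free(e);
		rv = TSPERR(TSS_E_OUTOFMEMORY);
		goto err;
	}
```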
@@ -236,12 +242,15 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen, break; } - /* set the public key value in the OpenSSL object */ - rsa->n = BN_bin2bn(pubkey, pubsize, rsa->n); - /* set the public exponent */ - rsa->e = BN_bin2bn(exp, e_size, rsa->e); + BIGNUM *n, *e2; + RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e2, NULL); + /* set the public key value and exponent in the OpenSSL object */ + RSA_set0_key(rsa, + BN_bin2bn(pubkey, pubsize, n), + BN_bin2bn(exp, e_size, e2), + NULL); - if (rsa->n == NULL || rsa->e == NULL) { + if (n == NULL || e2 == NULL) { rv = TSPERR(TSS_E_OUTOFMEMORY); goto err; } diff --git a/src/trspi/crypto/openssl/symmetric.c b/src/trspi/crypto/openssl/symmetric.c index f5c3836..3efd42e 100644 --- a/src/trspi/crypto/openssl/symmetric.c +++ b/src/trspi/crypto/openssl/symmetric.c @@ -52,7 +52,7 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, UINT32 *out_len) { TSS_RESULT result = TSS_SUCCESS; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); UINT32 tmp; switch (alg) { 
@@ -64,33 +64,34 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, break; } - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX_init(ctx); - if (!EVP_EncryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) { + if (!EVP_EncryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (*out_len < in_len + EVP_CIPHER_CTX_block_size(&ctx) - 1) { + if (*out_len < in_len + EVP_CIPHER_CTX_block_size(ctx) - 1) { result = TSPERR(TSS_E_INTERNAL_ERROR); goto done; } - if (!EVP_EncryptUpdate(&ctx, out, (int *)out_len, in, in_len)) { + if (!EVP_EncryptUpdate(ctx, out, (int *)out_len, in, in_len)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_EncryptFinal(&ctx, out + *out_len, (int *)&tmp)) { + if (!EVP_EncryptFinal(ctx, out + *out_len, (int *)&tmp)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } *out_len += tmp; done: - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_cleanup(ctx); + EVP_CIPHER_CTX_free(ctx); return result; } @@ -99,7 +100,7 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, UINT32 *out_len) { TSS_RESULT result = TSS_SUCCESS; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); UINT32 tmp; switch (alg) { 
@@ -111,28 +112,29 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, break; } - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX_init(ctx); - if (!EVP_DecryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) { + if (!EVP_DecryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, in, in_len)) { + if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, in, in_len)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) { + if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } *out_len += tmp; done: - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_cleanup(ctx); + EVP_CIPHER_CTX_free(ctx); return result; } @@ -255,7 +257,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 UINT32 *out_len) { TSS_RESULT result = TSS_SUCCESS; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); EVP_CIPHER *cipher; BYTE *def_iv = NULL, *outiv_ptr; UINT32 tmp; @@ -269,7 +271,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 if ((cipher = get_openssl_cipher(alg, mode)) == NULL) return TSPERR(TSS_E_INTERNAL_ERROR); - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX_init(ctx); /* If the iv passed in is NULL, create a new random iv and prepend it to the ciphertext */ iv_len = EVP_CIPHER_iv_length(cipher); 
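Review bot: `Trspi_SymEncrypt()` now allocates `ctx` in its declaration, but the `get_openssl_cipher()` failure path in the following hunk still does a bare `return TSPERR(TSS_E_INTERNAL_ERROR);`, which leaks the context. Allocating after the cipher lookup fixes this and gives a place for the missing NULL check: declare `EVP_CIPHER_CTX *ctx = NULL;` and replace `EVP_CIPHER_CTX_init(ctx);` with `if ((ctx = EVP_CIPHER_CTX_new()) == NULL) return TSPERR(TSS_E_OUTOFMEMORY);`, since a freshly created context needs no separate init. `Trspi_SymDecrypt()` has the same early return after its allocation. Any other early returns between the declaration and `done:` lie outside the visible hunks and should be checked too.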
@@ -289,25 +291,25 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 outiv_ptr = out; } - if (!EVP_EncryptInit(&ctx, (const EVP_CIPHER *)cipher, key, def_iv)) { + if (!EVP_EncryptInit(ctx, (const EVP_CIPHER *)cipher, key, def_iv)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(&ctx) * 2) - 1) { + if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(ctx) * 2) - 1) { LogDebug("Not enough space to do symmetric encryption"); result = TSPERR(TSS_E_INTERNAL_ERROR); goto done; } - if (!EVP_EncryptUpdate(&ctx, outiv_ptr, &outiv_len, in, in_len)) { + if (!EVP_EncryptUpdate(ctx, outiv_ptr, &outiv_len, in, in_len)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_EncryptFinal(&ctx, outiv_ptr + outiv_len, (int *)&tmp)) { + if (!EVP_EncryptFinal(ctx, outiv_ptr + outiv_len, (int *)&tmp)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; @@ -320,7 +322,8 @@ done: *out_len += iv_len; free(def_iv); } - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_cleanup(ctx); + EVP_CIPHER_CTX_free(ctx); return result; } @@ -329,7 +332,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 UINT32 *out_len) { TSS_RESULT result = TSS_SUCCESS; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); EVP_CIPHER *cipher; BYTE *def_iv = NULL, *iniv_ptr; UINT32 tmp; @@ -341,7 +344,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 if ((cipher = get_openssl_cipher(alg, mode)) == NULL) return TSPERR(TSS_E_INTERNAL_ERROR); - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX_init(ctx); /* If the iv is NULL, assume that its prepended to the ciphertext */ if (iv == NULL) { 
@@ -361,19 +364,19 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 iniv_len = in_len; } - if (!EVP_DecryptInit(&ctx, cipher, key, def_iv)) { + if (!EVP_DecryptInit(ctx, cipher, key, def_iv)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, iniv_ptr, iniv_len)) { + if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, iniv_ptr, iniv_len)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; } - if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) { + if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) { result = TSPERR(TSS_E_INTERNAL_ERROR); DEBUG_print_openssl_errors(); goto done; @@ -383,6 +386,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 done: if (def_iv != iv) free(def_iv); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_cleanup(ctx); + EVP_CIPHER_CTX_free(ctx); return result; } -- 2.8.0.rc3.226.g39d4020