Note that with this patch it builds with OpenSSL 1.1, but not 1.0. It
would not be hard to make it work with both, though, similar to
https://github.com/ThomasHabets/simple-tpm-pk11/commit/354f0cf3a193dbe8b1151059a08b0598531b645c

(I hope Debian bugs accept attachments)

-- 
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "tho...@habets.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
 char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
From 6ec8e342f1aaaea0de8fe9aa349277e9f9abc2b9 Mon Sep 17 00:00:00 2001
From: Thomas Habets <hab...@google.com>
Date: Tue, 1 Nov 2016 10:31:54 +0000
Subject: [PATCH 1/1] Add OpenSSL 1.1 support

---
 src/tcs/crypto/openssl/crypto.c      | 11 +++----
 src/trspi/crypto/openssl/hash.c      | 17 +++++------
 src/trspi/crypto/openssl/rsa.c       | 41 +++++++++++++++-----------
 src/trspi/crypto/openssl/symmetric.c | 56 +++++++++++++++++++-----------------
 4 files changed, 70 insertions(+), 55 deletions(-)

diff --git a/src/tcs/crypto/openssl/crypto.c b/src/tcs/crypto/openssl/crypto.c
index c02db27..b354f6f 100644
--- a/src/tcs/crypto/openssl/crypto.c
+++ b/src/tcs/crypto/openssl/crypto.c
@@ -31,13 +31,13 @@
 TSS_RESULT
 Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 {
-	EVP_MD_CTX md_ctx;
+        EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
 	unsigned int result_size;
 	int rv;
 
 	switch (HashType) {
 		case TSS_HASH_SHA1:
-			rv = EVP_DigestInit(&md_ctx, EVP_sha1());
+			rv = EVP_DigestInit(md_ctx, EVP_sha1());
 			break;
 		default:
 			rv = TCSERR(TSS_E_BAD_PARAMETER);
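Review bot: The context returned by EVP_MD_CTX_new() on the first changed line is never checked for NULL, and the switch hands it straight to EVP_DigestInit(), which cannot take a NULL context in OpenSSL 1.1. Initialise the pointer to NULL at the declaration and allocate after the locals, `if ((md_ctx = EVP_MD_CTX_new()) == NULL) return TCSERR(TSS_E_OUTOFMEMORY);`; EVP_MD_CTX_free(NULL) is a no-op, so the free later added at `out:` stays valid for the existing error paths. The same unchecked allocation appears in Trspi_Hash in hash.c and in the four EVP_CIPHER_CTX_new() declarations in symmetric.c (Trspi_Encrypt_ECB, Trspi_Decrypt_ECB, Trspi_SymEncrypt, Trspi_SymDecrypt), which would report TSPERR(TSS_E_OUTOFMEMORY). The added line is also indented with spaces while the rest of the file uses tabs, as are the other added lines in this patch. Hash() continues past the end of this hunk.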
@@ -50,19 +50,20 @@ Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 		goto out;
 	}
 
-	rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
+	rv = EVP_DigestUpdate(md_ctx, Buf, BufSize);
 	if (rv != EVP_SUCCESS) {
 		rv = TCSERR(TSS_E_INTERNAL_ERROR);
 		goto out;
 	}
 
-	result_size = EVP_MD_CTX_size(&md_ctx);
-	rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
+	result_size = EVP_MD_CTX_size(md_ctx);
+	rv = EVP_DigestFinal(md_ctx, Digest, &result_size);
 	if (rv != EVP_SUCCESS) {
 		rv = TCSERR(TSS_E_INTERNAL_ERROR);
 	} else
 		rv = TSS_SUCCESS;
 
 out:
+        EVP_MD_CTX_free(md_ctx);
 	return rv;
 }
diff --git a/src/trspi/crypto/openssl/hash.c b/src/trspi/crypto/openssl/hash.c
index f6cf3dc..cdb2c11 100644
--- a/src/trspi/crypto/openssl/hash.c
+++ b/src/trspi/crypto/openssl/hash.c
@@ -56,13 +56,13 @@ int MGF1(unsigned char *, long, const unsigned char *, long);
 TSS_RESULT
 Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 {
-	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
 	unsigned int result_size;
 	int rv;
 
 	switch (HashType) {
 		case TSS_HASH_SHA1:
-			rv = EVP_DigestInit(&md_ctx, EVP_sha1());
+			rv = EVP_DigestInit(md_ctx, EVP_sha1());
 			break;
 		default:
 			rv = TSPERR(TSS_E_BAD_PARAMETER);
@@ -75,14 +75,14 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 		goto err;
 	}
 
-	rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
+	rv = EVP_DigestUpdate(md_ctx, Buf, BufSize);
 	if (rv != EVP_SUCCESS) {
 		rv = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto err;
 	}
 
-	result_size = EVP_MD_CTX_size(&md_ctx);
-	rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
+	result_size = EVP_MD_CTX_size(md_ctx);
+	rv = EVP_DigestFinal(md_ctx, Digest, &result_size);
 	if (rv != EVP_SUCCESS) {
 		rv = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto err;
@@ -94,6 +94,7 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 err:
 	DEBUG_print_openssl_errors();
 out:
+        EVP_MD_CTX_free(md_ctx);
         return rv;
 }
 
@@ -112,7 +113,7 @@ Trspi_HashInit(Trspi_HashCtx *ctx, UINT32 HashType)
 			break;
 	}
 
-	if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL)
+	if ((ctx->ctx = EVP_MD_CTX_new()) == NULL)
 		return TSPERR(TSS_E_OUTOFMEMORY);
 
 	rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md);
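Review bot: The EVP_DigestInit() call on the hunk's last line can fail, and its failure handling lies outside the hunk; if that branch still releases ctx->ctx with free(), it now mismatches the EVP_MD_CTX_new() allocation and must become `EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL;`, as the Trspi_HashUpdate hunk in this file already does. Trspi_HashInit starts and ends outside this hunk.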
@@ -142,7 +143,7 @@ Trspi_HashUpdate(Trspi_HashCtx *ctx, UINT32 size, BYTE *data)
 	rv = EVP_DigestUpdate(ctx->ctx, data, size);
 	if (rv != EVP_SUCCESS) {
 		DEBUG_print_openssl_errors();
-		free(ctx->ctx);
+		EVP_MD_CTX_free(ctx->ctx);
 		ctx->ctx = NULL;
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 	}
@@ -164,7 +165,7 @@ Trspi_HashFinal(Trspi_HashCtx *ctx, BYTE *digest)
 	if (rv != EVP_SUCCESS)
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 
-	free(ctx->ctx);
+	EVP_MD_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 
 	return TSS_SUCCESS;
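Review bot: The early `return TSPERR(TSS_E_INTERNAL_ERROR);` two lines above the change leaves ctx->ctx allocated and still set, whereas the Trspi_HashUpdate hunk frees and clears it on the equivalent failure; the two paths should agree on who owns the context after an error. Either release it here too, `EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL;` before that return, or document that the caller must call Trspi_HashFinal again or free the context itself. This is pre-existing behaviour the commit carries over, presumably from the EVP_DigestFinal() call above the hunk; Trspi_HashFinal begins outside this hunk.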
diff --git a/src/trspi/crypto/openssl/rsa.c b/src/trspi/crypto/openssl/rsa.c
index 0bd1e89..78f99ed 100644
--- a/src/trspi/crypto/openssl/rsa.c
+++ b/src/trspi/crypto/openssl/rsa.c
@@ -67,12 +67,15 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */
 		goto err;
 	}
 
-	/* set the public key value in the OpenSSL object */
-	rsa->n = BN_bin2bn(publicKey, keysize, rsa->n);
-	/* set the public exponent */
-	rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e);
-
-	if (rsa->n == NULL || rsa->e == NULL) {
+        BIGNUM *n, *e;
+        RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e, NULL);
+        /* set the public key value and exponent in the OpenSSL object */
+        RSA_set0_key(rsa,
+                     BN_bin2bn(publicKey, keysize, n),
+                     BN_bin2bn(exp, sizeof(exp), e),
+                     NULL);
+
+	if (n == NULL || e == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 		goto err;
 	}
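Review bot: The NULL check after RSA_set0_key() tests the stale n and e obtained from RSA_get0_key() rather than the BN_bin2bn() results, so on a freshly created RSA (where both members are still NULL) the function always fails with TSS_E_OUTOFMEMORY, and a genuine BN_bin2bn() failure goes unnoticed when the key already held values. RSA_set0_key()'s return value is also ignored, and passing back the very pointer RSA_get0_key() returned is hazardous because, per the OpenSSL documentation, RSA_set0_key() frees the previously held value before storing the new one. Build the two BIGNUMs with a NULL ret argument, check them, and let RSA_set0_key() take ownership, as below; the Trspi_Verify and Trspi_RSA_Public_Encrypt hunks have the same shape and need the same fix with their own names (pModulus/iKeyLength; pubkey/pubsize, e_size and e2). Trspi_RSA_Encrypt begins before this hunk.
```c
	/* … unchanged: preceding error check and goto err … */

	/* set the public key value and exponent in the OpenSSL object;
	 * RSA_set0_key() takes ownership of both BIGNUMs only on success */
	BIGNUM *n = BN_bin2bn(publicKey, keysize, NULL);
	BIGNUM *e = BN_bin2bn(exp, sizeof(exp), NULL);
	if (n == NULL || e == NULL || !RSA_set0_key(rsa, n, e, NULL)) {
		BN_free(n);
		BN_free(e);
		rv = TSPERR(TSS_E_OUTOFMEMORY);
		goto err;
	}
```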
@@ -145,12 +148,15 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength,
 			break;
 	}
 
-	/* set the public key value in the OpenSSL object */
-	rsa->n = BN_bin2bn(pModulus, iKeyLength, rsa->n);
-	/* set the public exponent */
-	rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e);
+        BIGNUM *n, *e;
+        RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e, NULL);
+	/* set the public key value and exponent in the OpenSSL object */
+        RSA_set0_key(rsa,
+                     BN_bin2bn(pModulus, iKeyLength, n),
+                     BN_bin2bn(exp, sizeof(exp), e),
+                     NULL);
 
-	if (rsa->n == NULL || rsa->e == NULL) {
+	if (n == NULL || e == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 		goto err;
 	}
@@ -236,12 +242,15 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen,
 			break;
 	}
 
-	/* set the public key value in the OpenSSL object */
-	rsa->n = BN_bin2bn(pubkey, pubsize, rsa->n);
-	/* set the public exponent */
-	rsa->e = BN_bin2bn(exp, e_size, rsa->e);
+        BIGNUM *n, *e2;
+        RSA_get0_key(rsa, (const BIGNUM**)&n, (const BIGNUM**)&e2, NULL);
+        /* set the public key value and exponent in the OpenSSL object */
+        RSA_set0_key(rsa,
+                     BN_bin2bn(pubkey, pubsize, n),
+                     BN_bin2bn(exp, e_size, e2),
+                     NULL);
 
-	if (rsa->n == NULL || rsa->e == NULL) {
+	if (n == NULL || e2 == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 		goto err;
 	}
diff --git a/src/trspi/crypto/openssl/symmetric.c b/src/trspi/crypto/openssl/symmetric.c
index f5c3836..3efd42e 100644
--- a/src/trspi/crypto/openssl/symmetric.c
+++ b/src/trspi/crypto/openssl/symmetric.c
@@ -52,7 +52,7 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 		  UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
-	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
 	UINT32 tmp;
 
 	switch (alg) {
@@ -64,33 +64,34 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 			break;
 	}
 
-	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_init(ctx);
 
-	if (!EVP_EncryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) {
+	if (!EVP_EncryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (*out_len < in_len + EVP_CIPHER_CTX_block_size(&ctx) - 1) {
+	if (*out_len < in_len + EVP_CIPHER_CTX_block_size(ctx) - 1) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto done;
 	}
 
-	if (!EVP_EncryptUpdate(&ctx, out, (int *)out_len, in, in_len)) {
+	if (!EVP_EncryptUpdate(ctx, out, (int *)out_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_EncryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
+	if (!EVP_EncryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 	*out_len += tmp;
 done:
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	EVP_CIPHER_CTX_cleanup(ctx);
+        EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
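Review bot: EVP_CIPHER_CTX_cleanup(ctx) on the line before the added EVP_CIPHER_CTX_free(ctx) is redundant in OpenSSL 1.1, where cleanup is an alias of EVP_CIPHER_CTX_reset() and free already resets the context; likewise the EVP_CIPHER_CTX_init(ctx) call earlier in the function re-resets a context that EVP_CIPHER_CTX_new() returns initialised. Keeping both is harmless, but a single `EVP_CIPHER_CTX_free(ctx);` at `done:` (tab-indented, matching the file) reads cleaner and avoids relying on the deprecated aliases. The same pair appears at the `done:` labels of Trspi_Decrypt_ECB, Trspi_SymEncrypt and Trspi_SymDecrypt. Trspi_Encrypt_ECB starts before this hunk.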
 
@@ -99,7 +100,7 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 		  UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
-	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
 	UINT32 tmp;
 
 	switch (alg) {
@@ -111,28 +112,29 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 			break;
 	}
 
-	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_init(ctx);
 
-	if (!EVP_DecryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) {
+	if (!EVP_DecryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, in, in_len)) {
+	if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
+	if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 	*out_len += tmp;
 done:
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	EVP_CIPHER_CTX_cleanup(ctx);
+        EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
 
@@ -255,7 +257,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		 UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
-	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
 	EVP_CIPHER *cipher;
 	BYTE *def_iv = NULL, *outiv_ptr;
 	UINT32 tmp;
@@ -269,7 +271,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 	if ((cipher = get_openssl_cipher(alg, mode)) == NULL)
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 
-	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_init(ctx);
 
 	/* If the iv passed in is NULL, create a new random iv and prepend it to the ciphertext */
 	iv_len = EVP_CIPHER_iv_length(cipher);
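Review bot: The early `return TSPERR(TSS_E_INTERNAL_ERROR);` when get_openssl_cipher() fails now leaks the EVP_CIPHER_CTX allocated at the declaration in the previous hunk, since it bypasses the free added at `done:`. Allocate after that check instead: declare `EVP_CIPHER_CTX *ctx = NULL;` and replace the EVP_CIPHER_CTX_init() line with `if ((ctx = EVP_CIPHER_CTX_new()) == NULL) return TSPERR(TSS_E_OUTOFMEMORY);` (EVP_CIPHER_CTX_new() returns an initialised context), which also supplies the missing NULL check. Trspi_SymDecrypt has the identical early return and needs the same change, and if the `default:` arms of the switches in Trspi_Encrypt_ECB and Trspi_Decrypt_ECB return rather than reach `done:`, they leak the same way. Trspi_SymEncrypt starts outside this hunk.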
@@ -289,25 +291,25 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		outiv_ptr = out;
 	}
 
-	if (!EVP_EncryptInit(&ctx, (const EVP_CIPHER *)cipher, key, def_iv)) {
+	if (!EVP_EncryptInit(ctx, (const EVP_CIPHER *)cipher, key, def_iv)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(&ctx) * 2) - 1) {
+	if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(ctx) * 2) - 1) {
 		LogDebug("Not enough space to do symmetric encryption");
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto done;
 	}
 
-	if (!EVP_EncryptUpdate(&ctx, outiv_ptr, &outiv_len, in, in_len)) {
+	if (!EVP_EncryptUpdate(ctx, outiv_ptr, &outiv_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_EncryptFinal(&ctx, outiv_ptr + outiv_len, (int *)&tmp)) {
+	if (!EVP_EncryptFinal(ctx, outiv_ptr + outiv_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
@@ -320,7 +322,8 @@ done:
 		*out_len += iv_len;
 		free(def_iv);
 	}
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	EVP_CIPHER_CTX_cleanup(ctx);
+        EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
 
@@ -329,7 +332,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		 UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
-	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
 	EVP_CIPHER *cipher;
 	BYTE *def_iv = NULL, *iniv_ptr;
 	UINT32 tmp;
@@ -341,7 +344,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 	if ((cipher = get_openssl_cipher(alg, mode)) == NULL)
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 
-	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_init(ctx);
 
 	/* If the iv is NULL, assume that its prepended to the ciphertext */
 	if (iv == NULL) {
@@ -361,19 +364,19 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		iniv_len = in_len;
 	}
 
-	if (!EVP_DecryptInit(&ctx, cipher, key, def_iv)) {
+	if (!EVP_DecryptInit(ctx, cipher, key, def_iv)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, iniv_ptr, iniv_len)) {
+	if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, iniv_ptr, iniv_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 
-	if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
+	if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
@@ -383,6 +386,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 done:
 	if (def_iv != iv)
 		free(def_iv);
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	EVP_CIPHER_CTX_cleanup(ctx);
+        EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
-- 
2.8.0.rc3.226.g39d4020
