date:20170515

[tboot-devel] [PATCH 4/4] Support OpenSSL 1.1.0+ for ECDSA signature verification

2017-05-15 Thread ben

From: ben-skyportsystems 

The OpenSSL API has changed such that raw access to ECDSA_SIG structs
is not permitted.  A compile-time check is added to determine whether
to access data members directly or via the new API.

Signed-off-by: Ben Warren 
---
 lcptools-v2/crtpollist.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/lcptools-v2/crtpollist.c b/lcptools-v2/crtpollist.c
index a70ff5f..3fad3f3 100644
--- a/lcptools-v2/crtpollist.c
+++ b/lcptools-v2/crtpollist.c
@@ -387,8 +387,14 @@ static bool ecdsa_sign_tpm20_list_data(lcp_policy_list_t2 
*pollist, EC_KEY *ecke
 
 BIGNUM *r = BN_new();
 BIGNUM *s = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to ECDSA_SIG 
stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x1010L
+ECDSA_SIG_get0(ecdsasig, (const BIGNUM **), (const BIGNUM **));
+#else
 r = ecdsasig->r;
 s = ecdsasig->s;
+#endif
 unsigned int BN_r_size = BN_num_bytes(r);
 unsigned int BN_s_size = BN_num_bytes(s); 
 unsigned char key_r[BN_r_size];
@@ -407,6 +413,8 @@ static bool ecdsa_sign_tpm20_list_data(lcp_policy_list_t2 
*pollist, EC_KEY *ecke
 display_tpm20_signature("", sig, pollist->sig_alg, false);
 }
 
+BN_free(r);
+BN_free(s);
 return true;
 }
 return false;
-- 
2.6.4


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

[tboot-devel] [PATCH 3/4] Support OpenSSL 1.1.0+ for RSA key manipulation

2017-05-15 Thread ben

From: ben-skyportsystems 

The OpenSSL API has changed such that raw access to RSA structs
is not permitted.  A compile-time check is added to determine
whether to access data members directly or via the new API.

Signed-off-by: Ben Warren 
---
 lcptools-v2/crtpollist.c | 11 ++-
 lcptools-v2/lcputils.c   | 30 +++---
 lcptools/crtpollist.c| 11 ++-
 lcptools/lcputils2.c | 21 ++---
 4 files changed, 65 insertions(+), 8 deletions(-)

diff --git a/lcptools-v2/crtpollist.c b/lcptools-v2/crtpollist.c
index 4abf48d..a70ff5f 100644
--- a/lcptools-v2/crtpollist.c
+++ b/lcptools-v2/crtpollist.c
@@ -161,8 +161,16 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char 
*file)
 memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
 sig->rsa_signature.pubkey_size = keysize;
 
+BIGNUM *modulus = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x1010L
+RSA_get0_key(pubkey, (const BIGNUM **), NULL, NULL);
+#else
+modulus = pubkey->n;
+#endif
 unsigned char key[keysize];
-BN_bn2bin(pubkey->n, key);
+BN_bn2bin(modulus, key);
 /* openssl key is big-endian and policy requires little-endian, so reverse
bytes */
 for ( unsigned int i = 0; i < keysize; i++ )
@@ -174,6 +182,7 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char 
*file)
 }
 
 LOG("read rsa pubkey succeed!\n");
+BN_free(modulus);
 RSA_free(pubkey);
 return sig;
 }
diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
index a102172..96d3608 100644
--- a/lcptools-v2/lcputils.c
+++ b/lcptools-v2/lcputils.c
@@ -370,14 +370,24 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
 ERROR("Error: failed to allocate key\n");
 return false;
 }
-rsa_pubkey->n = BN_bin2bn(key, pubkey_size, NULL);
+
+BIGNUM *modulus = BN_new();
+BIGNUM *exponent = BN_new();
+modulus = BN_bin2bn(key, pubkey_size, NULL);
 
 /* uses fixed exponent (LCP_SIG_EXPONENT) */
 char exp[32];
 snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
-rsa_pubkey->e = NULL;
-BN_dec2bn(_pubkey->e, exp);
+BN_dec2bn(, exp);
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x1010L
+RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+#else
+rsa_pubkey->n = modulus;
+rsa_pubkey->e = exponent;
 rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+#endif
 
 uint16_t hashalg = TPM_ALG_SHA1;
 lcp_mle_element_t2 *mle;
@@ -397,6 +407,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 tb_hash_t digest;
 if ( !hash_buffer(data, data_size, , hashalg) ) {
 ERROR("Error: failed to hash list\n");
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -439,6 +451,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", 
 ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -453,6 +467,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", 
 ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -467,6 +483,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", 
 ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -481,6 +499,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", 
 ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -488,9 +508,13 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
 
 default :
 LOG("unknown hash alg\n");
+BN_free(modulus);
+BN_free(exponent);
 return false;
 }
 
+BN_free(modulus);
+BN_free(exponent);
 RSA_free(rsa_pubkey);
 return true;
 }
diff --git a/lcptools/crtpollist.c b/lcptools/crtpollist.c
index e4e2474..c0a84c0 100644
--- a/lcptools/crtpollist.c
+++ b/lcptools/crtpollist.c
@@ -156,8 +156,16 @@ static lcp_signature_t

[tboot-devel] [PATCH 2/4] Remove unnecessary public key modulus size check

2017-05-15 Thread ben

From: ben-skyportsystems 

The OpenSSL function RSA_size() returns the size of the modulus.
The variable 'keysize' is set to the return value of this function.  The
subsequent comparison of modulus size to keysize thus compares a
variable to itself.

Signed-off-by: Ben Warren 
---
 lcptools-v2/crtpollist.c | 7 +--
 lcptools/crtpollist.c| 7 +--
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/lcptools-v2/crtpollist.c b/lcptools-v2/crtpollist.c
index ed94c5d..4abf48d 100644
--- a/lcptools-v2/crtpollist.c
+++ b/lcptools-v2/crtpollist.c
@@ -160,12 +160,7 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char 
*file)
 
 memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
 sig->rsa_signature.pubkey_size = keysize;
-if ( (unsigned int)BN_num_bytes(pubkey->n) != keysize ) {
-ERROR("Error: modulus size not match key size\n");
-free(sig);
-RSA_free(pubkey);
-return NULL;
-}
+
 unsigned char key[keysize];
 BN_bn2bin(pubkey->n, key);
 /* openssl key is big-endian and policy requires little-endian, so reverse
diff --git a/lcptools/crtpollist.c b/lcptools/crtpollist.c
index caf4897..e4e2474 100644
--- a/lcptools/crtpollist.c
+++ b/lcptools/crtpollist.c
@@ -155,12 +155,7 @@ static lcp_signature_t *read_pubkey_file(const char *file)
 
 memset(sig, 0, sizeof(*sig) + 2*keysize);
 sig->pubkey_size = keysize;
-if ( (unsigned int)BN_num_bytes(pubkey->n) != keysize ) {
-ERROR("Error: modulus size not match key size\n");
-free(sig);
-RSA_free(pubkey);
-return NULL;
-}
+
 unsigned char key[keysize];
 BN_bn2bin(pubkey->n, key);
 /* openssl key is big-endian and policy requires little-endian, so reverse
-- 
2.6.4


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

[tboot-devel] [PATCH 0/4] Make code compatible with OpenSSL 1.1.0+

2017-05-15 Thread ben

From: Ben Warren 

One major change with OpenSSL 1.1.0 is that access to many raw data structures
is removed.  This patch set does version checking where necessary to use the
appropriate API.

Compile-tested against OpenSSL v1.0.2d and v1.1.0e

ben-skyportsystems (4):
  Manage OpenSSL EVP_MD_CTX objects as pointers
  Remove unnecessary public key modulus size check
  Support OpenSSL 1.1.0+ for RSA key manipulation
  Support OpenSSL 1.1.0+ for ECDSA signature verification

 lcptools-v2/crtpollist.c | 26 +++---
 lcptools-v2/hash.c   | 36 
 lcptools-v2/lcputils.c   | 30 +++---
 lcptools/crtpollist.c| 18 +++---
 lcptools/hash.c  | 18 ++
 lcptools/lcputils2.c | 21 ++---
 lcptools/mlehash.c   | 10 ++
 tb_polgen/commands.c | 26 --
 tb_polgen/hash.c | 18 ++
 9 files changed, 137 insertions(+), 66 deletions(-)

-- 
2.6.4


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

[tboot-devel] [PATCH 1/4] Manage OpenSSL EVP_MD_CTX objects as pointers

2017-05-15 Thread ben

From: ben-skyportsystems 

Newer versions of OpenSSL (v1.1.0+) do not allow direct manipulation of
evp_md_ctx structs, so manage the object lifecycles by functions.

Signed-off-by: Ben Warren 
---
 lcptools-v2/hash.c   | 36 
 lcptools/hash.c  | 18 ++
 lcptools/mlehash.c   | 10 ++
 tb_polgen/commands.c | 26 --
 tb_polgen/hash.c | 18 ++
 5 files changed, 62 insertions(+), 46 deletions(-)

diff --git a/lcptools-v2/hash.c b/lcptools-v2/hash.c
index e8e8d72..0fbaecc 100644
--- a/lcptools-v2/hash.c
+++ b/lcptools-v2/hash.c
@@ -82,33 +82,36 @@ bool hash_buffer(const unsigned char* buf, size_t size, 
tb_hash_t *hash,
 return false;
 
 if ( hash_alg == TB_HALG_SHA1 ) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 md = EVP_sha1();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, size);
-EVP_DigestFinal(, hash->sha1, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, size);
+EVP_DigestFinal(ctx, hash->sha1, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else if (hash_alg == TB_HALG_SHA256) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 md = EVP_sha256();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, size);
-EVP_DigestFinal(, hash->sha256, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, size);
+EVP_DigestFinal(ctx, hash->sha256, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else if (hash_alg == TB_HALG_SHA384) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 md = EVP_sha384();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, size);
-EVP_DigestFinal(, hash->sha384, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, size);
+EVP_DigestFinal(ctx, hash->sha384, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else
@@ -129,15 +132,16 @@ bool extend_hash(tb_hash_t *hash1, const tb_hash_t 
*hash2, uint16_t hash_alg)
 return false;
 
 if ( hash_alg == TB_HALG_SHA1 ) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 memcpy(buf, &(hash1->sha1), sizeof(hash1->sha1));
 memcpy(buf + sizeof(hash1->sha1), &(hash2->sha1), sizeof(hash1->sha1));
 md = EVP_sha1();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, 2*sizeof(hash1->sha1));
-EVP_DigestFinal(, hash1->sha1, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, 2*sizeof(hash1->sha1));
+EVP_DigestFinal(ctx, hash1->sha1, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else
diff --git a/lcptools/hash.c b/lcptools/hash.c
index 8f666ac..86338ea 100644
--- a/lcptools/hash.c
+++ b/lcptools/hash.c
@@ -74,13 +74,14 @@ bool hash_buffer(const unsigned char* buf, size_t size, 
tb_hash_t *hash,
 return false;
 
 if ( hash_alg == TB_HALG_SHA1_LG ) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 md = EVP_sha1();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, size);
-EVP_DigestFinal(, hash->sha1, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, size);
+EVP_DigestFinal(ctx, hash->sha1, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else
@@ -101,15 +102,16 @@ bool extend_hash(tb_hash_t *hash1, const tb_hash_t 
*hash2, uint16_t hash_alg)
 return false;
 
 if ( hash_alg == TB_HALG_SHA1_LG ) {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 
 memcpy(buf, &(hash1->sha1), sizeof(hash1->sha1));
 memcpy(buf + sizeof(hash1->sha1), &(hash2->sha1), sizeof(hash1->sha1));
 md = EVP_sha1();
-EVP_DigestInit(, md);
-EVP_DigestUpdate(, buf, 2*sizeof(hash1->sha1));
-EVP_DigestFinal(, hash1->sha1, NULL);
+EVP_DigestInit(ctx, md);
+EVP_DigestUpdate(ctx, buf, 2*sizeof(hash1->sha1));
+EVP_DigestFinal(ctx, hash1->sha1, NULL);
+EVP_MD_CTX_destroy(ctx);
 return true;
 }
 else
diff --git a/lcptools/mlehash.c b/lcptools/mlehash.c
index dc9ddb1..e727c29 100644
--- a/lcptools/mlehash.c
+++ b/lcptools/mlehash.c
@@ -336,7 +336,7 @@ int main(int argc, char* argv[])
 bool help = false;
 char *mle_file;
 extern int optind;/* current index of get_opt() */
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx = EVP_MD_CTX_create();
 const EVP_MD *md;
 char *cmdline = NULL;
 
@@ -418,10 +418,10 @@ int main(int argc,

[tboot-devel] [PATCH 4/4] Support OpenSSL 1.1.0+ for ECDSA signature verification

[tboot-devel] [PATCH 3/4] Support OpenSSL 1.1.0+ for RSA key manipulation

[tboot-devel] [PATCH 2/4] Remove unnecessary public key modulus size check

[tboot-devel] [PATCH 0/4] Make code compatible with OpenSSL 1.1.0+

[tboot-devel] [PATCH 1/4] Manage OpenSSL EVP_MD_CTX objects as pointers

5 matches

Site Navigation

Mail list logo

Footer information