From: ben-skyportsystems <b...@skyportsystems.com> The OpenSSL API has changed such that raw access to RSA structs is not permitted. A compile-time check is added to determine whether to access data members directly or via the new API.
Signed-off-by: Ben Warren <b...@skyportsystems.com>
---
 lcptools-v2/crtpollist.c | 11 ++++++++++-
 lcptools-v2/lcputils.c | 30 +++++++++++++++++++++++++++---
 lcptools/crtpollist.c | 11 ++++++++++-
 lcptools/lcputils2.c | 21 ++++++++++++++++++---
 4 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/lcptools-v2/crtpollist.c b/lcptools-v2/crtpollist.c
index 4abf48d..a70ff5f 100644
--- a/lcptools-v2/crtpollist.c
+++ b/lcptools-v2/crtpollist.c
@@ -161,8 +161,16 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char *file)
 memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
 sig->rsa_signature.pubkey_size = keysize;
+ BIGNUM *modulus = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+#else
+ modulus = pubkey->n;
+#endif
 unsigned char key[keysize];
- BN_bn2bin(pubkey->n, key);
+ BN_bn2bin(modulus, key);
 /* openssl key is big-endian and policy requires little-endian, so reverse bytes */
 for ( unsigned int i = 0; i < keysize; i++ )
@@ -174,6 +182,7 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char *file)
 }
 LOG("read rsa pubkey succeed!\n");
+ BN_free(modulus);
 RSA_free(pubkey);
 return sig;
 }
diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
index a102172..96d3608 100644
--- a/lcptools-v2/lcputils.c
+++ b/lcptools-v2/lcputils.c
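Review bot: In read_rsa_pubkey_file() (lcptools-v2/crtpollist.c), `RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL)` overwrites the pointer returned by `BN_new()` with a pointer to the modulus that `pubkey` still owns. The fresh BIGNUM is therefore leaked, and the `BN_free(modulus)` added in the next hunk releases memory that `RSA_free(pubkey)` then frees a second time; the `#else` branch (`modulus = pubkey->n`) has the same effect. The getter only lends the value, so nothing needs allocating or freeing here: declare `const BIGNUM *modulus = NULL;`, call `RSA_get0_key(pubkey, &modulus, NULL, NULL);`, and drop the added `BN_free(modulus);`. The same pattern appears in read_pubkey_file() in lcptools/crtpollist.c. Both functions start and end outside the hunks shown.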
@@ -370,14 +370,24 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to allocate key\n");
 return false;
 }
- rsa_pubkey->n = BN_bin2bn(key, pubkey_size, NULL);
+
+ BIGNUM *modulus = BN_new();
+ BIGNUM *exponent = BN_new();
+ modulus = BN_bin2bn(key, pubkey_size, NULL);
 /* uses fixed exponent (LCP_SIG_EXPONENT) */
 char exp[32];
 snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
- rsa_pubkey->e = NULL;
- BN_dec2bn(&rsa_pubkey->e, exp);
+ BN_dec2bn(&exponent, exp);
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+#else
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
 rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+#endif
 uint16_t hashalg = TPM_ALG_SHA1;
 lcp_mle_element_t2 *mle;
@@ -397,6 +407,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 tb_hash_t digest;
 if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
 ERROR("Error: failed to hash list\n");
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -439,6 +451,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -453,6 +467,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -467,6 +483,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
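Review bot: In verify_signature() in lcptools-v2/lcputils.c, ownership of `modulus` and `exponent` passes to `rsa_pubkey` at `RSA_set0_key()` (and at the direct assignments in the `#else` branch). Every `BN_free(modulus); BN_free(exponent);` pair this patch adds ahead of `RSA_free(rsa_pubkey)` in the later hunks therefore frees the same BIGNUMs twice. The `BN_new()` result stored in `modulus` is also leaked on the following line, because `BN_bin2bn(key, pubkey_size, NULL)` returns a newly allocated BIGNUM. I would write `BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);` and `BIGNUM *exponent = NULL;`, and remove the added `BN_free()` calls on all paths after the key is set, leaving `RSA_free(rsa_pubkey)` as the single release. lcptools/lcputils2.c carries the same pattern, and the function body extends beyond these hunks.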
@@ -481,6 +499,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -488,9 +508,13 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 default :
 LOG("unknown hash alg\n");
+ BN_free(modulus);
+ BN_free(exponent);
 return false;
 }
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return true;
 }
diff --git a/lcptools/crtpollist.c b/lcptools/crtpollist.c
index e4e2474..c0a84c0 100644
--- a/lcptools/crtpollist.c
+++ b/lcptools/crtpollist.c
@@ -156,8 +156,16 @@ static lcp_signature_t *read_pubkey_file(const char *file)
 memset(sig, 0, sizeof(*sig) + 2*keysize);
 sig->pubkey_size = keysize;
+ BIGNUM *modulus = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+#else
+ modulus = pubkey->n;
+#endif
 unsigned char key[keysize];
- BN_bn2bin(pubkey->n, key);
+ BN_bn2bin(modulus, key);
 /* openssl key is big-endian and policy requires little-endian, so reverse bytes */
 for ( unsigned int i = 0; i < keysize; i++ )
@@ -168,6 +176,7 @@ static lcp_signature_t *read_pubkey_file(const char *file)
 display_signature(" ", sig, false);
 }
+ BN_free(modulus);
 RSA_free(pubkey);
 return sig;
 }
diff --git a/lcptools/lcputils2.c b/lcptools/lcputils2.c
index 4fefaba..bc9f5e3 100644
--- a/lcptools/lcputils2.c
+++ b/lcptools/lcputils2.c
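Review bot: The `default :` branch of verify_signature() in lcptools-v2/lcputils.c (hunk `@@ -488,9 +508,13 @@`) returns without `RSA_free(rsa_pubkey)`: the hunk adds `BN_free(modulus); BN_free(exponent);` there, but no release of the RSA object is visible before `return false;`. The key setup earlier in the function hands both BIGNUMs to `rsa_pubkey`, so this path leaks the RSA structure and leaves it pointing at freed memory. Replacing the two added lines with a single `RSA_free(rsa_pubkey);` releases everything exactly once. The switch this branch belongs to starts outside the hunk.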
@@ -274,19 +274,30 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to allocate key\n");
 return false;
 }
- rsa_pubkey->n = BN_bin2bn(key, pubkey_size, NULL);
+ BIGNUM *modulus = BN_new();
+ BIGNUM *exponent = BN_new();
+ modulus = BN_bin2bn(key, pubkey_size, NULL);
 /* uses fixed exponent (LCP_SIG_EXPONENT) */
 char exp[32];
 snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
- rsa_pubkey->e = NULL;
- BN_dec2bn(&rsa_pubkey->e, exp);
+ BN_dec2bn(&exponent, exp);
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+#else
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
 rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+#endif
 /* first create digest of data */
 tb_hash_t digest;
 if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
 ERROR("Error: failed to hash list\n");
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
@@ -327,10 +338,14 @@ bool verify_signature(const uint8_t *data, size_t data_size,
 ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL));
 ERR_free_strings();
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return false;
 }
+ BN_free(modulus);
+ BN_free(exponent);
 RSA_free(rsa_pubkey);
 return true;
 }
--
2.6.4
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
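Review bot: None of the calls that build the public key in verify_signature() in lcptools/lcputils2.c has its result checked: `BN_bin2bn()` can return NULL, `BN_dec2bn()` returns 0 on failure, and `RSA_set0_key()` returns 0 when it rejects its arguments. As written, a failure here lets verification continue with an incomplete key instead of returning false, which is the wrong default for a signature check. The sketch below fails closed and frees the BIGNUMs itself only while the caller still owns them, that is, before `RSA_set0_key()` succeeds. lcptools-v2/lcputils.c has the same unchecked sequence. The function begins and ends outside this hunk.

```c
    BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
    BIGNUM *exponent = NULL;

    /* ... unchanged: exp[] formatted from LCP_SIG_EXPONENT ... */
    if ( modulus == NULL || BN_dec2bn(&exponent, exp) == 0 ) {
        ERROR("Error: failed to create key components\n");
        BN_free(modulus);
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    if ( RSA_set0_key(rsa_pubkey, modulus, exponent, NULL) != 1 ) {
        ERROR("Error: failed to set key components\n");
        BN_free(modulus);
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }
#else
    /* ... unchanged: direct assignment of n and e, NULL d/p/q ... */
#endif
    /* rsa_pubkey owns modulus and exponent from here; RSA_free() releases them */
    /* ... unchanged: digest computation and signature check ... */
```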