From: ben-skyportsystems <b...@skyportsystems.com>

The OpenSSL API has changed such that raw access to RSA structs
is not permitted.  A compile-time check is added to determine
whether to access data members directly or via the new API.

Signed-off-by: Ben Warren <b...@skyportsystems.com>
---
 lcptools-v2/crtpollist.c | 11 ++++++++++-
 lcptools-v2/lcputils.c   | 30 +++++++++++++++++++++++++++---
 lcptools/crtpollist.c    | 11 ++++++++++-
 lcptools/lcputils2.c     | 21 ++++++++++++++++++---
 4 files changed, 65 insertions(+), 8 deletions(-)

diff --git a/lcptools-v2/crtpollist.c b/lcptools-v2/crtpollist.c
index 4abf48d..a70ff5f 100644
--- a/lcptools-v2/crtpollist.c
+++ b/lcptools-v2/crtpollist.c
@@ -161,8 +161,16 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char 
*file)
     memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
     sig->rsa_signature.pubkey_size = keysize;
 
+    BIGNUM *modulus = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+#else
+    modulus = pubkey->n;
+#endif
     unsigned char key[keysize];
-    BN_bn2bin(pubkey->n, key);
+    BN_bn2bin(modulus, key);
     /* openssl key is big-endian and policy requires little-endian, so reverse
        bytes */
     for ( unsigned int i = 0; i < keysize; i++ )
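Review bot: The `BN_new()` result at the top of this hunk is overwritten on both branches (`RSA_get0_key` hands back the key's internal modulus pointer and `modulus = pubkey->n` aliases the same object), so that allocation leaks and the pointer left in `modulus` is owned by `pubkey`, not by this function. The `BN_free(modulus)` added in the next hunk of this file therefore frees a BIGNUM that `RSA_free(pubkey)` on the following line frees a second time. Declare it as `const BIGNUM *modulus = NULL;`, call `RSA_get0_key(pubkey, &modulus, NULL, NULL);` without the cast, and drop the `BN_free(modulus);` line; `BN_bn2bin` accepts a const BIGNUM. The two hunks of lcptools/crtpollist.c repeat the same pattern and need the same change. read_rsa_pubkey_file begins outside this hunk.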
@@ -174,6 +182,7 @@ static lcp_signature_t2 *read_rsa_pubkey_file(const char 
*file)
     }
 
     LOG("read rsa pubkey succeed!\n");
+    BN_free(modulus);
     RSA_free(pubkey);
     return sig;
 }
diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
index a102172..96d3608 100644
--- a/lcptools-v2/lcputils.c
+++ b/lcptools-v2/lcputils.c
@@ -370,14 +370,24 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
         ERROR("Error: failed to allocate key\n");
         return false;
     }
-    rsa_pubkey->n = BN_bin2bn(key, pubkey_size, NULL);
+
+    BIGNUM *modulus = BN_new();
+    BIGNUM *exponent = BN_new();
+    modulus = BN_bin2bn(key, pubkey_size, NULL);
 
     /* uses fixed exponent (LCP_SIG_EXPONENT) */
     char exp[32];
     snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
-    rsa_pubkey->e = NULL;
-    BN_dec2bn(&rsa_pubkey->e, exp);
+    BN_dec2bn(&exponent, exp);
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+#else
+    rsa_pubkey->n = modulus;
+    rsa_pubkey->e = exponent;
     rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+#endif
 
     uint16_t hashalg = TPM_ALG_SHA1;
     lcp_mle_element_t2 *mle;
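Review bot: `RSA_set0_key` transfers ownership of `modulus` and `exponent` to `rsa_pubkey`, and the pre-1.1.0 branch stores the same two pointers in `n`/`e` which `RSA_free` releases, so every `BN_free(modulus); BN_free(exponent);` pair the later hunks of this file add ahead of `RSA_free(rsa_pubkey)` is a double free; the only path that leaks is the `default` branch, which never calls `RSA_free(rsa_pubkey)`, and a single `RSA_free(rsa_pubkey);` there releases both components. The `BN_new()` for `modulus` is also dead, because `BN_bin2bn(key, pubkey_size, NULL)` allocates its own BIGNUM and the first one is lost. None of `BN_bin2bn`, `BN_dec2bn` or `RSA_set0_key` have their result checked, so an allocation failure leaves a NULL or unset key that is then used to verify the signature. The two hunks of lcptools/lcputils2.c have the identical problems. verify_signature begins and ends outside this hunk.
```c
    BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
    BIGNUM *exponent = NULL;
    /* … unchanged: format LCP_SIG_EXPONENT into exp[] … */
    if ( modulus == NULL || !BN_dec2bn(&exponent, exp) ) {
        ERROR("Error: failed to allocate key components\n");
        BN_free(modulus);
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    /* on success rsa_pubkey owns modulus and exponent; RSA_free releases them */
    if ( !RSA_set0_key(rsa_pubkey, modulus, exponent, NULL) ) {
        ERROR("Error: failed to set RSA key\n");
        BN_free(modulus);
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }
#else
    /* … unchanged: direct n/e/d/p/q assignment … */
#endif
    /* … unchanged: hashing and verification; every failure path calls only RSA_free(rsa_pubkey) … */
```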
@@ -397,6 +407,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
     tb_hash_t digest;
     if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
         ERROR("Error: failed to hash list\n");
+        BN_free(modulus);
+        BN_free(exponent);
         RSA_free(rsa_pubkey);
         return false;
     }
@@ -439,6 +451,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
+            BN_free(modulus);
+            BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -453,6 +467,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
+            BN_free(modulus);
+            BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -467,6 +483,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
+            BN_free(modulus);
+            BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -481,6 +499,8 @@ bool verify_signature(const uint8_t *data, size_t data_size,
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
+            BN_free(modulus);
+            BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -488,9 +508,13 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
 
     default :
         LOG("unknown hash alg\n");
+        BN_free(modulus);
+        BN_free(exponent);
         return false;
     }
 
+    BN_free(modulus);
+    BN_free(exponent);
     RSA_free(rsa_pubkey);
     return true;
 }
diff --git a/lcptools/crtpollist.c b/lcptools/crtpollist.c
index e4e2474..c0a84c0 100644
--- a/lcptools/crtpollist.c
+++ b/lcptools/crtpollist.c
@@ -156,8 +156,16 @@ static lcp_signature_t *read_pubkey_file(const char *file)
     memset(sig, 0, sizeof(*sig) + 2*keysize);
     sig->pubkey_size = keysize;
 
+    BIGNUM *modulus = BN_new();
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+#else
+    modulus = pubkey->n;
+#endif
     unsigned char key[keysize];
-    BN_bn2bin(pubkey->n, key);
+    BN_bn2bin(modulus, key);
     /* openssl key is big-endian and policy requires little-endian, so reverse
        bytes */
     for ( unsigned int i = 0; i < keysize; i++ )
@@ -168,6 +176,7 @@ static lcp_signature_t *read_pubkey_file(const char *file)
         display_signature("    ", sig, false);
     }
 
+    BN_free(modulus);
     RSA_free(pubkey);
     return sig;
 }
diff --git a/lcptools/lcputils2.c b/lcptools/lcputils2.c
index 4fefaba..bc9f5e3 100644
--- a/lcptools/lcputils2.c
+++ b/lcptools/lcputils2.c
@@ -274,19 +274,30 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
         ERROR("Error: failed to allocate key\n");
         return false;
     }
-    rsa_pubkey->n = BN_bin2bn(key, pubkey_size, NULL);
+    BIGNUM *modulus = BN_new();
+    BIGNUM *exponent = BN_new();
+    modulus = BN_bin2bn(key, pubkey_size, NULL);
 
     /* uses fixed exponent (LCP_SIG_EXPONENT) */
     char exp[32];
     snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
-    rsa_pubkey->e = NULL;
-    BN_dec2bn(&rsa_pubkey->e, exp);
+    BN_dec2bn(&exponent, exp);
+
+/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+#else
+    rsa_pubkey->n = modulus;
+    rsa_pubkey->e = exponent;
     rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+#endif
 
     /* first create digest of data */
     tb_hash_t digest;
     if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
         ERROR("Error: failed to hash list\n");
+        BN_free(modulus);
+        BN_free(exponent);
         RSA_free(rsa_pubkey);
         return false;
     }
@@ -327,10 +338,14 @@ bool verify_signature(const uint8_t *data, size_t 
data_size,
         ERROR("Error: failed to verify list: %s\n", 
               ERR_error_string(ERR_get_error(), NULL));
         ERR_free_strings();
+        BN_free(modulus);
+        BN_free(exponent);
         RSA_free(rsa_pubkey);
         return false;
     }
 
+    BN_free(modulus);
+    BN_free(exponent);
     RSA_free(rsa_pubkey);
     return true;
 }
-- 
2.6.4

