[packages/tpm-tools] - new, raw from fedora

adamg adamg at pld-linux.org
Sun Sep 23 20:39:51 CEST 2018


commit 63715edb7f0dedd921a52c33f9b205ec591e9039
Author: Adam Gołębiowski <adamg at pld-linux.org>
Date:   Sun Sep 23 20:35:22 2018 +0200

    - new, raw from fedora

 ...ith-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch |  37 ++++
 ...ith-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch | 192 +++++++++++++++++++++
 ...e-OpenSSL-cipher-contexts-for-seal-unseal.patch |  89 ++++++++++
 3 files changed, 318 insertions(+)
---
diff --git a/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
new file mode 100644
index 0000000..ed43ed0
--- /dev/null
+++ b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
@@ -0,0 +1,37 @@
+From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Mon, 20 Feb 2017 10:28:33 +0100
+Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an
+ opaque struct
+
+With OpenSSL 1.1 the build fails with:
+data_import.c:375:26: error: dereferencing pointer to incomplete type
+'EVP_PKEY {aka struct evp_pkey_st}'
+
+The manual page[1] says:
+  Previous versions of this document suggested using
+  EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY
+  is now opaque this is no longer possible: the equivalent is
+  EVP_PKEY_base_id(pkey).
+
+[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html
+---
+ src/data_mgmt/data_import.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index f534717f02..d4d2052bc6 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -372,7 +372,7 @@ readX509Cert( const char  *a_pszFile,
+ 		goto out;
+ 	}
+ 
+-	if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) {
++	if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) {
+ 		logError( TOKEN_RSA_KEY_ERROR );
+ 
+ 		X509_free( pX509 );
+-- 
+2.9.3
+
diff --git a/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
new file mode 100644
index 0000000..68d14bf
--- /dev/null
+++ b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
@@ -0,0 +1,192 @@
+From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Mon, 20 Feb 2017 10:43:10 +0100
+Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque
+ struct
+
+RSA is an opaque struct in OpenSSL 1.1. New getter functions must be
+used to access the key components. The functions were not present in
+OpenSSL 1.0, so add a compat header with the implementation of the
+needed functions as suggested by the OpenSSL wiki [1] in order to allow
+building tpm-tools with any version of OpenSSL.
+
+[1] https://wiki.openssl.org/index.php/1.1_API_Changes
+---
+ src/data_mgmt/Makefile.am      |  3 ++-
+ src/data_mgmt/data_import.c    | 52 ++++++++++++++++++++++---------------
+ src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 21 deletions(-)
+ create mode 100644 src/data_mgmt/openssl_compat.h
+
+diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am
+index de505e48ef..9457618ab9 100644
+--- a/src/data_mgmt/Makefile.am
++++ b/src/data_mgmt/Makefile.am
+@@ -32,7 +32,8 @@ noinst_HEADERS =	data_common.h \
+ 			data_init.h \
+ 			data_object.h \
+ 			data_passwd.h \
+-			data_protect.h
++			data_protect.h \
++			openssl_compat.h
+ 
+ #
+ # Common build flags
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index d4d2052bc6..532543f7d3 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -39,6 +39,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ 
++#include "openssl_compat.h"
+ 
+ /*
+  * Global variables
+@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA               *a_pRsa,
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
++	const BIGNUM *rsa_n, *rsa_e;
++	RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL );
++
++	int  nLen = BN_num_bytes( rsa_n );
++	int  eLen = BN_num_bytes( rsa_e );
+ 
+ 	CK_RV  rv;
+ 
+@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA               *a_pRsa,
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
++	BN_bn2bin( rsa_n, n );
++	BN_bn2bin( rsa_e, e );
+ 
+ 	// Create the RSA public key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA               *a_pRsa,
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
+-	int  dLen = BN_num_bytes( a_pRsa->d );
+-	int  pLen = BN_num_bytes( a_pRsa->p );
+-	int  qLen = BN_num_bytes( a_pRsa->q );
+-	int  dmp1Len = BN_num_bytes( a_pRsa->dmp1 );
+-	int  dmq1Len = BN_num_bytes( a_pRsa->dmq1 );
+-	int  iqmpLen = BN_num_bytes( a_pRsa->iqmp );
++	const BIGNUM *rsa_n, *rsa_e, *rsa_d;
++	const BIGNUM *rsa_p, *rsa_q;
++	const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp;
++
++	RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d );
++	RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q );
++	RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp );
++
++	int  nLen = BN_num_bytes( rsa_n );
++	int  eLen = BN_num_bytes( rsa_e );
++	int  dLen = BN_num_bytes( rsa_d );
++	int  pLen = BN_num_bytes( rsa_p );
++	int  qLen = BN_num_bytes( rsa_q );
++	int  dmp1Len = BN_num_bytes( rsa_dmp1 );
++	int  dmq1Len = BN_num_bytes( rsa_dmq1 );
++	int  iqmpLen = BN_num_bytes( rsa_iqmp );
+ 
+ 	CK_RV  rv;
+ 
+@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA               *a_pRsa,
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
+-	BN_bn2bin( a_pRsa->d, d );
+-	BN_bn2bin( a_pRsa->p, p );
+-	BN_bn2bin( a_pRsa->q, q );
+-	BN_bn2bin( a_pRsa->dmp1, dmp1 );
+-	BN_bn2bin( a_pRsa->dmq1, dmq1 );
+-	BN_bn2bin( a_pRsa->iqmp, iqmp );
++	BN_bn2bin( rsa_n, n );
++	BN_bn2bin( rsa_e, e );
++	BN_bn2bin( rsa_d, d );
++	BN_bn2bin( rsa_p, p );
++	BN_bn2bin( rsa_q, q );
++	BN_bn2bin( rsa_dmp1, dmp1 );
++	BN_bn2bin( rsa_dmq1, dmq1 );
++	BN_bn2bin( rsa_iqmp, iqmp );
+ 
+ 	// Create the RSA private key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h
+new file mode 100644
+index 0000000000..2a60fdf492
+--- /dev/null
++++ b/src/data_mgmt/openssl_compat.h
+@@ -0,0 +1,58 @@
++/*
++ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from:
++ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions
++ * and therefore:
++ * Copyright OpenSSL 2016
++ * Contents licensed under the terms of the OpenSSL license
++ * See http://www.openssl.org/source/license.html for details
++ */
++
++#ifndef __OPENSSL_COMPAT_H
++#define __OPENSSL_COMPAT_H
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/engine.h>
++
++static inline void
++RSA_get0_key( const RSA *r,
++              const BIGNUM **n,
++              const BIGNUM **e,
++              const BIGNUM **d ) {
++
++	if ( n )
++		*n = r->n;
++	if ( e )
++		*e = r->e;
++	if ( d )
++		*d = r->d;
++}
++
++static inline void
++RSA_get0_factors( const RSA *r,
++                  const BIGNUM **p,
++                  const BIGNUM **q ) {
++
++	if ( p )
++		*p = r->p;
++	if ( q )
++		*q = r->q;
++}
++
++static inline void
++RSA_get0_crt_params( const RSA *r,
++                     const BIGNUM **dmp1,
++                     const BIGNUM **dmq1,
++                     const BIGNUM **iqmp ) {
++
++	if ( dmp1 )
++		*dmp1 = r->dmp1;
++	if ( dmq1 )
++		*dmq1 = r->dmq1;
++	if ( iqmp )
++		*iqmp = r->iqmp;
++}
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* __OPENSSL_COMPAT_H */
+-- 
+2.9.3
+
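Review bot: openssl_compat.h tests `OPENSSL_VERSION_NUMBER` (the `#if` right after the include guard) without first including the header that defines it; an undefined macro evaluates to 0 in `#if`, so if this header is ever included before any OpenSSL header the fallback `RSA_get0_*` definitions are compiled in even against OpenSSL 1.1 and the build fails on the opaque `r->n`. It works in this patch only because data_import.c includes it after `<openssl/evp.h>`; making the header self-contained is two lines before the version test: `#include <openssl/opensslv.h>` and `#include <openssl/rsa.h>` (the latter also makes the `<openssl/engine.h>` include unnecessary for the `RSA` type). The guard macro `__OPENSSL_COMPAT_H` starts with a double underscore, which is reserved for the implementation; `OPENSSL_COMPAT_H` is the conventional spelling. Separately, the callers in data_import.c pass the returned BIGNUM pointers straight to `BN_num_bytes` without a NULL check, which presumably mirrors the pre-existing direct field access, but a key object lacking CRT parameters would now dereference NULL in createRsaPrivKeyObject just as before; worth confirming the callers guarantee a fully populated key.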
diff --git a/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
new file mode 100644
index 0000000..1f18e8b
--- /dev/null
+++ b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
@@ -0,0 +1,89 @@
+From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Mon, 20 Feb 2017 12:00:39 +0100
+Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal
+
+Cipher contexts need to be allocated before using EVP_EncryptInit or
+EVP_DecryptInit. Using a NULL context is invalid.
+
+Fixes: f50ab0949438 ("Support OpenSSL 1.1.0")
+---
+ lib/tpm_unseal.c        | 12 ++++++++++--
+ src/cmds/tpm_sealdata.c | 11 +++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c
+index fc4a84906a..005dab7f8f 100644
+--- a/lib/tpm_unseal.c
++++ b/lib/tpm_unseal.c
+@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ 	int srkSecretLen;
+ 	unsigned char* res_data = NULL;
+ 	int res_size = 0;
+-
++	EVP_CIPHER_CTX *ctx = NULL;
+ 	BIO *bdata = NULL, *b64 = NULL, *bmem = NULL;
+ 	int bioRc;
+ 
+@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ 	}
+ 
+ 	/* Decode and decrypt the encrypted data */
+-	EVP_CIPHER_CTX *ctx = NULL;
++	ctx = EVP_CIPHER_CTX_new();
++	if ( ctx == NULL ) {
++		rc = TPMSEAL_STD_ERROR;
++		tpm_errno = ENOMEM;
++		goto tss_out;
++	}
+ 	EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV);
+ 
+ 	/* Create a base64 BIO to decode the encrypted data */
+@@ -459,6 +464,9 @@ out:
+ 	} else
+ 		free(res_data);
+ 
++	if (ctx)
++		EVP_CIPHER_CTX_free(ctx);
++
+ 	return rc;
+ }
+ 
+diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c
+index a2157f34b1..e25244a0f4 100644
+--- a/src/cmds/tpm_sealdata.c
++++ b/src/cmds/tpm_sealdata.c
+@@ -118,7 +118,7 @@ int main(int argc, char **argv)
+ 	char *passwd = NULL;
+ 	int pswd_len;
+ 	BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
+-
++	EVP_CIPHER_CTX *ctx = NULL;
+ 	BIO *bin = NULL, *bdata=NULL, *b64=NULL;
+ 
+ 	initIntlSys();
+@@ -343,7 +343,11 @@ int main(int argc, char **argv)
+ 	BIO_puts(bdata, TPMSEAL_ENC_STRING); 
+ 	bdata = BIO_push(b64, bdata);
+ 
+-	EVP_CIPHER_CTX *ctx = NULL;
++	ctx = EVP_CIPHER_CTX_new();
++	if (ctx == NULL) {
++		logError(_("Unable to allocate cipher context\n"));
++		goto out_close;
++	}
+ 	EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);
+ 
+ 	while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
+@@ -375,5 +379,8 @@ out:
+ 		BIO_free(bdata);
+ 	if (b64)
+ 		BIO_free(b64);
++	if (ctx)
++		EVP_CIPHER_CTX_free(ctx);
++
+ 	return iRc;
+ }
+-- 
+2.9.3
+
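Review bot: The new allocation in tpm_unseal.c is checked, but the `EVP_DecryptInit` call immediately after it still ignores its return value, so an init failure leaves the context unusable and the decryption continues on to produce garbage rather than an error; the same applies to `EVP_EncryptInit` after the new `EVP_CIPHER_CTX_new` in tpm_sealdata.c. The guard shape is already there for the allocation, so the init can reuse it: `if (EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV) != 1) { rc = TPMSEAL_STD_ERROR; goto tss_out; }` and likewise `if (EVP_EncryptInit(...) != 1) { logError(_("Unable to initialize cipher\n")); goto out_close; }`. Both enclosing functions (`tpmUnsealFile` and `main`) and the `tss_out`/`out_close` labels lie outside the hunks, so I have assumed those labels reach the cleanup paths that now free `ctx`. The `if (ctx)` guards before `EVP_CIPHER_CTX_free` appear redundant, since the function tolerates NULL in both 1.0.2 and 1.1.0 as far as I recall, but they are harmless.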
---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/tpm-tools.git/commitdiff/bbdb5be04803ae2c7b4dc36c25ac6c8580231297
