This repository was archived by the owner on Sep 30, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy path0001-backport-to-OpenSSL-1.0.2.patch
More file actions
297 lines (281 loc) · 9.91 KB
/
Copy path0001-backport-to-OpenSSL-1.0.2.patch
File metadata and controls
297 lines (281 loc) · 9.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
From e1d5cca98f3ed30613635b6fd718c92044294adb Mon Sep 17 00:00:00 2001
From: Jan Luebbe <jlu@pengutronix.de>
Date: Tue, 1 Dec 2020 12:47:37 +0100
Subject: [PATCH] backport to OpenSSL 1.0.2
This is partially a revert of commit
3c6470ba7c2adbf51e5eaf4601e4affbab0c15c5.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
configure.ac | 2 +-
m4/ax_check_openssl.m4 | 124 +++++++++++++++++++++++++++++++++++++++++
src/signature.c | 36 ++++++++++--
src/verity_hash.c | 10 ++++
4 files changed, 167 insertions(+), 5 deletions(-)
create mode 100644 m4/ax_check_openssl.m4
diff --git a/configure.ac b/configure.ac
index 7ba36bff8ee1..df04c49fb741 100644
--- a/configure.ac
+++ b/configure.ac
@@ -84,7 +84,7 @@ AS_IF([test "x$enable_json" != "xno"], [
AC_DEFINE([ENABLE_JSON], [0])
])
-PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1])
+AX_CHECK_OPENSSL([],[AC_MSG_ERROR([OpenSSL not found])])
AC_ARG_ENABLE([gpt],
AS_HELP_STRING([--enable-gpt], [Enable GPT support])
diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
new file mode 100644
index 000000000000..a87c5a6b6f93
--- /dev/null
+++ b/m4/ax_check_openssl.m4
@@ -0,0 +1,124 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+# Look for OpenSSL in a number of default spots, or in a user-selected
+# spot (via --with-openssl). Sets
+#
+# OPENSSL_INCLUDES to the include directives required
+# OPENSSL_LIBS to the -l directives required
+# OPENSSL_LDFLAGS to the -L or -R flags required
+#
+# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+# This macro sets OPENSSL_INCLUDES such that source files should use the
+# openssl/ directory in include directives:
+#
+# #include <openssl/hmac.h>
+#
+# LICENSE
+#
+# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
+# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 8
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
+AC_DEFUN([AX_CHECK_OPENSSL], [
+ found=false
+ AC_ARG_WITH([openssl],
+ [AS_HELP_STRING([--with-openssl=DIR],
+ [root of the OpenSSL directory])],
+ [
+ case "$withval" in
+ "" | y | ye | yes | n | no)
+ AC_MSG_ERROR([Invalid --with-openssl value])
+ ;;
+ *) ssldirs="$withval"
+ ;;
+ esac
+ ], [
+ # if pkg-config is installed and openssl has installed a .pc file,
+ # then use that information and don't search ssldirs
+ AC_PATH_PROG([PKG_CONFIG], [pkg-config])
+ if test x"$PKG_CONFIG" != x""; then
+ OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
+ if test $? = 0; then
+ OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
+ OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
+ found=true
+ fi
+ fi
+
+ # no such luck; use some default ssldirs
+ if ! $found; then
+ ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
+ fi
+ ]
+ )
+
+
+ # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+ # an 'openssl' subdirectory
+
+ if ! $found; then
+ OPENSSL_INCLUDES=
+ for ssldir in $ssldirs; do
+ AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
+ if test -f "$ssldir/include/openssl/ssl.h"; then
+ OPENSSL_INCLUDES="-I$ssldir/include"
+ OPENSSL_LDFLAGS="-L$ssldir/lib"
+ OPENSSL_LIBS="-lssl -lcrypto"
+ found=true
+ AC_MSG_RESULT([yes])
+ break
+ else
+ AC_MSG_RESULT([no])
+ fi
+ done
+
+ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+ # it will just work!
+ fi
+
+ # try the preprocessor and linker with our new flags,
+ # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+ AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
+ echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
+ "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
+
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
+ [
+ AC_MSG_RESULT([yes])
+ $1
+ ], [
+ AC_MSG_RESULT([no])
+ $2
+ ])
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+
+ AC_SUBST([OPENSSL_INCLUDES])
+ AC_SUBST([OPENSSL_LIBS])
+ AC_SUBST([OPENSSL_LDFLAGS])
+])
diff --git a/src/signature.c b/src/signature.c
index a4a2b14e20dc..a643a9650160 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -1,3 +1,5 @@
+#include <stdint.h>
+
#include <openssl/asn1.h>
#include <openssl/cms.h>
#include <openssl/conf.h>
@@ -7,10 +9,19 @@
#include <openssl/crypto.h>
#include <openssl/engine.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include "context.h"
#include "signature.h"
+/* Define for OpenSSL 1.0.x backwards compatiblity.
+ * We use newer get0 names to be clear about memory ownership and to not use
+ * API deprecated in OpenSSL 1.1.x */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define X509_get0_notAfter X509_get_notAfter
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
GQuark r_signature_error_quark(void)
{
return g_quark_from_static_string("r_signature_error_quark");
@@ -23,9 +34,15 @@ static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *const_x,
* the ex_ variables have already been calculated by other code when
* we are in this callback. */
X509 *x = (X509 *)const_x;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ uint32_t ex_flags = x->ex_flags;
+ uint32_t ex_kusage = (x->ex_flags & EXFLAG_KUSAGE) ? x->ex_kusage : UINT32_MAX;
+ uint32_t ex_xkusage = (x->ex_flags & EXFLAG_XKUSAGE) ? x->ex_xkusage : UINT32_MAX;
+#else
uint32_t ex_flags = X509_get_extension_flags(x);
uint32_t ex_kusage = X509_get_key_usage(x);
uint32_t ex_xkusage = X509_get_extended_key_usage(x);
+#endif
if (ca) {
/* If extended key usage is present, it must contain codeSigning for all
@@ -56,7 +73,11 @@ static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *const_x,
gboolean signature_init(GError **error)
{
int ret, id;
-
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ OPENSSL_config(NULL);
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+#else
g_return_val_if_fail(error == FALSE || *error == NULL, FALSE);
ret = OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
@@ -74,6 +95,7 @@ gboolean signature_init(GError **error)
(flags & ERR_TXT_STRING) ? data : ERR_error_string(err, NULL));
return FALSE;
}
+#endif
id = X509_PURPOSE_get_count() + 1;
if (X509_PURPOSE_get_by_id(id) >= 0) {
@@ -86,7 +108,9 @@ gboolean signature_init(GError **error)
}
/* X509_TRUST_OBJECT_SIGN maps to the Code Signing ID (via OpenSSL's NID_code_sign) */
- ret = X509_PURPOSE_add(id, X509_TRUST_OBJECT_SIGN, 0, check_purpose_code_sign, "Code signing", "codesign", NULL);
+ /* X509_PURPOSE_add calls BUF_strdup on the string arguments and they
+ * are const in newer OpenSSL versions. */
+ ret = X509_PURPOSE_add(id, X509_TRUST_OBJECT_SIGN, 0, check_purpose_code_sign, (char *)"Code signing", (char *)"codesign", NULL);
if (!ret) {
unsigned long err;
const gchar *data;
@@ -439,8 +463,12 @@ X509_STORE* setup_x509_store(const gchar *capath, const gchar *cadir, GError **e
/* Enable purpose checking if configured */
if (check_purpose) {
- const X509_PURPOSE *xp = X509_PURPOSE_get0(X509_PURPOSE_get_by_sname(check_purpose));
- if (!xp || !X509_STORE_set_purpose(store, X509_PURPOSE_get_id(xp))) {
+ /* X509_PURPOSE_get0 calls only strcmp on the string argument and
+ * it is const in newer OpenSSL versions. */
+ const X509_PURPOSE *xp = X509_PURPOSE_get0(X509_PURPOSE_get_by_sname((char *)check_purpose));
+ /* X509_PURPOSE_get_id calls only returns an int field of the
+ * X509_PURPOSE it is const in newer OpenSSL versions. */
+ if (!xp || !X509_STORE_set_purpose(store, X509_PURPOSE_get_id((X509_PURPOSE *)xp))) {
g_set_error(
error,
R_SIGNATURE_ERROR,
diff --git a/src/verity_hash.c b/src/verity_hash.c
index bc53e21952db..58493bc832d5 100644
--- a/src/verity_hash.c
+++ b/src/verity_hash.c
@@ -23,6 +23,7 @@
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
+#include <inttypes.h>
#include <glib.h>
#include <openssl/bio.h>
@@ -80,11 +81,18 @@ static int verify_hash_block(
{
/* SHA256, version 1 only */
EVP_MD_CTX *mdctx;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ EVP_MD_CTX mdctx_stack;
+#endif
uint8_t tmp[EVP_MAX_MD_SIZE];
unsigned int tmp_size = 0;
int r = 0;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ mdctx = &mdctx_stack;
+#else
mdctx = EVP_MD_CTX_new();
+#endif
if (EVP_DigestInit(mdctx, EVP_sha256()) != 1) {
g_message("init failed");
r = -EINVAL;
@@ -116,7 +124,9 @@ static int verify_hash_block(
out:
if (r)
ERR_print_errors_fp(stderr);
+#if !(OPENSSL_VERSION_NUMBER < 0x10100000L)
EVP_MD_CTX_free(mdctx);
+#endif
return r;
}
--
2.20.1