From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Robinson Date: Tue, 14 Feb 2017 12:43:04 +0000 Subject: [U-Boot] [PATCH 1/2] rsa: Fix build with OpenSSL 1.1.x In-Reply-To: References: <20170213090037.29223-1-jelle@vdwaa.nl> Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Mon, Feb 13, 2017 at 9:57 AM, Peter Robinson wrote: > On Mon, Feb 13, 2017 at 9:00 AM, Jelle van der Waa wrote: >> The rsa_st struct has been made opaque in 1.1.x, add forward compatible >> code to access the n, e, d members of rsa_struct. >> >> EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be >> called to reinitialise an already created structure. > > You can add my tested by. Built on Fedora 26 with 1.1.0d. gcc 7 etc. Although it needs to be updated for 2017.03rc2 for tools/kwbimage.c as it now supports secure boot and I get the following errors on build: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard -Wp,-MD,tools/.mxsimage.o.d -Itools -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -include /builddir/build/BUILD/u-boot-2017.03-rc2/include/libfdt_env.h -idirafterinclude -idirafter/builddir/build/BUILD/u-boot-2017.03-rc2/include -idirafter/builddir/build/BUILD/u-boot-2017.03-rc2/arch/arm/include -I/builddir/build/BUILD/u-boot-2017.03-rc2/lib/libfdt -I/builddir/build/BUILD/u-boot-2017.03-rc2/tools -DCONFIG_SYS_TEXT_BASE=0x00800000 -DUSE_HOSTCC -D__KERNEL_STRICT_NAMES -D_GNU_SOURCE -c -o tools/mxsimage.o /builddir/build/BUILD/u-boot-2017.03-rc2/tools/mxsimage.c /builddir/build/BUILD/u-boot-2017.03-rc2/tools/kwbimage.c: In function 'kwb_compute_pubkey_hash': /builddir/build/BUILD/u-boot-2017.03-rc2/tools/kwbimage.c:441:2: warning: implicit declaration of function 'EVP_MD_CTX_cleanup'; did you mean 'EVP_MD_CTX_create'? [-Wimplicit-function-declaration] EVP_MD_CTX_cleanup(ctx); ^~~~~~~~~~~~~~~~~~ EVP_MD_CTX_create /builddir/build/BUILD/u-boot-2017.03-rc2/tools/kwbimage.c: In function 'kwb_export_pubkey': /builddir/build/BUILD/u-boot-2017.03-rc2/tools/kwbimage.c:476:18: error: dereferencing pointer to incomplete type 'RSA {aka struct rsa_st}' if (!key || !key->e || !key->n || !dst) { ^~ /builddir/build/BUILD/u-boot-2017.03-rc2/tools/kwbimage.c:505:59: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'unsigned int' [-Wformat=] fprintf(stderr, "export pk failed: seq too large (%d, %lu)\n", ~~^ %u make[2]: *** [scripts/Makefile.host:116: tools/kwbimage.o] Error 1 >> lib/rsa/rsa-sign.c | 33 +++++++++++++++++++++++++++------ >> 1 file changed, 27 insertions(+), 6 deletions(-) >> >> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c >> index 8c6637e328..965fb00f95 100644 >> --- a/lib/rsa/rsa-sign.c >> +++ b/lib/rsa/rsa-sign.c >> @@ -20,6 +20,19 @@ >> #define HAVE_ERR_REMOVE_THREAD_STATE >> #endif >> >> +#if OPENSSL_VERSION_NUMBER < 0x10100000L >> +void RSA_get0_key(const RSA *r, >> + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) >> +{ >> + if (n != NULL) >> + *n = r->n; >> + if (e != NULL) >> + *e = r->e; >> + if (d != NULL) >> + *d = r->d; >> +} >> +#endif >> + >> static int rsa_err(const char *msg) >> { >> unsigned long sslErr = ERR_get_error(); >> @@ -409,7 +422,11 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, >> ret = rsa_err("Could not obtain signature"); >> goto err_sign; >> } >> - EVP_MD_CTX_cleanup(context); >> + #if OPENSSL_VERSION_NUMBER < 0x10100000L >> + EVP_MD_CTX_cleanup(context); >> + #else >> + EVP_MD_CTX_reset(context); >> + #endif >> EVP_MD_CTX_destroy(context); >> EVP_PKEY_free(key); >> >> @@ -479,6 +496,7 @@ static int rsa_get_exponent(RSA *key, uint64_t *e) >> { >> int ret; >> BIGNUM *bn_te; >> + const BIGNUM *key_e; >> uint64_t te; >> >> ret = -EINVAL; >> @@ -487,17 +505,18 @@ static int rsa_get_exponent(RSA *key, uint64_t *e) >> if (!e) >> goto cleanup; >> >> - if (BN_num_bits(key->e) > 64) >> + RSA_get0_key(key, NULL, &key_e, NULL); >> + if (BN_num_bits(key_e) > 64) >> goto cleanup; >> >> - *e = BN_get_word(key->e); >> + *e = BN_get_word(key_e); >> >> - if (BN_num_bits(key->e) < 33) { >> + if (BN_num_bits(key_e) < 33) { >> ret = 0; >> goto cleanup; >> } >> >> - bn_te = BN_dup(key->e); >> + bn_te = BN_dup(key_e); >> if (!bn_te) >> goto cleanup; >> >> @@ -527,6 +546,7 @@ int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp, >> { >> BIGNUM *big1, *big2, *big32, *big2_32; >> BIGNUM *n, *r, *r_squared, *tmp; >> + const BIGNUM *key_n; >> BN_CTX *bn_ctx = BN_CTX_new(); >> int ret = 0; >> >> @@ -548,7 +568,8 @@ int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp, >> if (0 != rsa_get_exponent(key, exponent)) >> ret = -1; >> >> - if (!BN_copy(n, key->n) || !BN_set_word(big1, 1L) || >> + RSA_get0_key(key, NULL, &key_n, NULL); >> + if (!BN_copy(n, key_n) || !BN_set_word(big1, 1L) || >> !BN_set_word(big2, 2L) || !BN_set_word(big32, 32L)) >> ret = -1; >> >> -- >> 2.11.1 >> >> _______________________________________________ >> U-Boot mailing list >> U-Boot at lists.denx.de >> http://lists.denx.de/mailman/listinfo/u-boot