From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.5 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 868A1C4338F for ; Wed, 28 Jul 2021 19:16:59 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id ACC9260F00 for ; Wed, 28 Jul 2021 19:16:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org ACC9260F00 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id D27EB82D1C; Wed, 28 Jul 2021 21:16:55 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Su2v7Bs+"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 433E682D73; Wed, 28 Jul 2021 21:16:54 +0200 (CEST) Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id AA01182CDA for ; Wed, 28 Jul 2021 21:16:50 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=mr.nuke.me@gmail.com Received: by mail-ot1-x330.google.com with SMTP id z6-20020a9d24860000b02904d14e47202cso3229579ota.4 for ; Wed, 28 Jul 2021 12:16:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=vqJtllY4bB+Iz8Ia28TCuJ/pPRYMiSiSMqE0fhTkoxc=; b=Su2v7Bs+y6vntvfyRNGGScOvo6ST8N6wNzpo8H3tGkrpfWIcH7T587lujUATTSUwja 6L3ftBzS01kpdvBM+WpfEu/aMCqhMOuM2JS6FeerI/0FKGQu3ZZJBbUlCfi7yyUwSn+h teMMGgUjynTeQvbCGlaA3tkFuxXOOwmB4Au1DmbjEKN3qkOk+vG39oi6RYFsuFd9CF6N E5ThefCuf9/INopw2k5v8oesCONc+ZmG3YqB+7c91qVAZoZFyeQeu+4GpvnTZV2e39yY APEki7N7USpqHDMP5WYBX7rWWQ+f5ngZnWTFGgNz2v3URnXbMovSMWaTqksm4+RZ4pUP ktsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=vqJtllY4bB+Iz8Ia28TCuJ/pPRYMiSiSMqE0fhTkoxc=; b=nWd4J1UcgxBz1a3Ax63yCfg8CNiTq/7qbKcBAffyN8eK0v4dF3w74dfLj+l/e6UfRh 41ZCI0qeU+K9wZTTAnYBV4CRFQ11o7wPCF4LP34vHkwNCgRxrmUwUDC+3Cj7mEBrPEGe 3G58r4cy11VoEGUZLSIDElPEAND4wpWrgM4BcXaGqMtOAduXexiDfPHtR4LoNT/cV+MC xIPwlY+e+Gk8+2jv4m2Afz9RvQHmsPpb1m1/guJUlBDnuMktM+qVNfClXRxcKVOa3fS1 y2zKjH+X3DtoftVOBED3jk+udvX/hEzRxZVEt6qCClywaEc6AxPA1px0R1MXEIC890/0 7Ojg== X-Gm-Message-State: AOAM5321iemz0ysCUQ+6O1VQKt+BPjecM1+76cAcs/PtXjm+QhFflwDY R/WBucO7WtawckWO1cvd5L0= X-Google-Smtp-Source: ABdhPJwwkTbswA6nQfmyRh6v0pJYGrwDxBWS62uPpccYHOL4nMvnTKnevcbAG9JhPDxDreyJ35a93Q== X-Received: by 2002:a05:6830:929:: with SMTP id v41mr1058794ott.16.1627499809200; Wed, 28 Jul 2021 12:16:49 -0700 (PDT) Received: from nuclearis3.gtech (c-98-195-139-126.hsd1.tx.comcast.net. [98.195.139.126]) by smtp.gmail.com with ESMTPSA id b70sm157793oii.24.2021.07.28.12.16.48 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Jul 2021 12:16:48 -0700 (PDT) Subject: Re: [PATCH 1/1] lib/ecdsa: Fix LibreSSL before v2.7.0 To: Artem Panfilov , u-boot@lists.denx.de Cc: Simon Glass References: <20210728181023.25067-1-panfilov.artyom@gmail.com> From: "Alex G." Message-ID: Date: Wed, 28 Jul 2021 14:16:47 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: <20210728181023.25067-1-panfilov.artyom@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On 7/28/21 1:10 PM, Artem Panfilov wrote: > Fix LibreSSL compilation for versions before v2.7.0. > > Fix following compilation issue when CONFIG_TOOLS_LIBCRYPTO is enabled: > tools/lib/ecdsa/ecdsa-libcrypto.o: In function `prepare_ctx': > ecdsa-libcrypto.c:(.text+0x94): undefined reference to > `OPENSSL_init_ssl' > ecdsa-libcrypto.c:(.text+0x148): undefined reference to > `EC_GROUP_order_bits' > tools/lib/ecdsa/ecdsa-libcrypto.o: In function > `ecdsa_check_signature.isra.0': > ecdsa-libcrypto.c:(.text+0x32c): undefined reference to `ECDSA_SIG_set0' > tools/lib/ecdsa/ecdsa-libcrypto.o: In function `ecdsa_sign': > ecdsa-libcrypto.c:(.text+0x42c): undefined reference to `ECDSA_SIG_get0' > ecdsa-libcrypto.c:(.text+0x443): undefined reference to `BN_bn2binpad' > ecdsa-libcrypto.c:(.text+0x455): undefined reference to `BN_bn2binpad' > tools/lib/ecdsa/ecdsa-libcrypto.o: In function `ecdsa_add_verify_data': > ecdsa-libcrypto.c:(.text+0x5fa): undefined reference to > `EC_GROUP_order_bits' > ecdsa-libcrypto.c:(.text+0x642): undefined reference to > `EC_POINT_get_affine_coordinates' > > Signed-off-by: Artem Panfilov > --- > lib/ecdsa/ecdsa-libcrypto.c | 80 ++++++++++++++++++++++++++++++++++++- > 1 file changed, 79 insertions(+), 1 deletion(-) > > diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c > index 1757a14562..50aa093acd 100644 > --- a/lib/ecdsa/ecdsa-libcrypto.c > +++ b/lib/ecdsa/ecdsa-libcrypto.c > @@ -24,6 +24,70 @@ > #include > #include > > +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ > + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL) Is there a reasonable use case for supporting an external library that is more than three years old at this point? Otherwise NAK, as such #ifdefs don't really help with readability. I think Simon will agree here. There's also the issue of deciding what version we have at compile time, which ignores the dynamic linking nature of .so libs. This leads into soname versioning territory. Let's not go there. Alex > +#include > + > +static int EC_GROUP_order_bits(const EC_GROUP *group) > +{ > + int ret = 0; > + BIGNUM *order; > + > + if (!group) > + return ret; > + > + order = BN_new(); > + > + if (!order) { > + ERR_clear_error(); > + return ret; > + } > + > + if (!EC_GROUP_get_order(group, order, NULL)) { > + ERR_clear_error(); > + BN_free(order); > + return ret; > + } > + > + ret = BN_num_bits(order); > + BN_free(order); > + return ret; > +} > + > +static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) > +{ > + if (pr != NULL) > + *pr = sig->r; > + if (ps != NULL) > + *ps = sig->s; > +} > + > +static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) > +{ > + if (r == NULL || s == NULL) > + return 0; > + BN_clear_free(sig->r); > + BN_clear_free(sig->s); > + sig->r = r; > + sig->s = s; > + return 1; > +} > + > +int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) > +{ > + int n = BN_num_bytes(a); > + > + if (n < 0 || n > tolen) > + return -1; > + > + memset(to, 0, tolen - n); > + if (BN_bn2bin(a, to + tolen - n) < 0) > + return -1; > + > + return tolen; > +} > +#endif > + > /* Image signing context for openssl-libcrypto */ > struct signer { > EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */ > @@ -34,9 +98,18 @@ struct signer { > > static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info) > { > + int ret = 0; > + > memset(ctx, 0, sizeof(*ctx)); > > - if (!OPENSSL_init_ssl(0, NULL)) { > +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ > +(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL) > + ret = SSL_library_init(); > +#else > + ret = OPENSSL_init_ssl(0, NULL); > +#endif > + > + if (!ret) { > fprintf(stderr, "Failure to init SSL library\n"); > return -1; > } > @@ -285,7 +358,12 @@ static int do_add(struct signer *ctx, void *fdt, const char *key_node_name) > x = BN_new(); > y = BN_new(); > point = EC_KEY_get0_public_key(ctx->ecdsa_key); > +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ > +(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL) > + EC_POINT_get_affine_coordinates_GFp(group, point, x, y, NULL); > +#else > EC_POINT_get_affine_coordinates(group, point, x, y, NULL); > +#endif > > ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name); > if (ret < 0) >