mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x
@ 2018-06-08 11:07 Lucas Stach
  2018-06-11  6:46 ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Lucas Stach @ 2018-06-08 11:07 UTC (permalink / raw)
  To: barebox

OpenSSL 1.1.x made some of the types opaque, so peeking inside directly
doesn't work anymore. Use the correct accessors instead.

I've dropped the algorithm check, as EVP_PKEY_get0_RSA() already verifies
that the pubkey is RSA and returns NULL if it isn't.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
---
This is compile tested only, so I would appreciate some testing and/or
a close look at this change.
---
 scripts/imx/imx-image.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index b241e8c4b68e..d50c755456c3 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c
@@ -94,12 +94,23 @@ struct hab_rsa_public_key {
 #include <openssl/pem.h>
 #include <openssl/bio.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+void RSA_get0_key(const RSA *r, const BIGNUM **n,
+		  const BIGNUM **e, const BIGNUM **d)
+{
+	if (n != NULL)
+		*n = r->n;
+	if (e != NULL)
+		*e = r->e;
+	if (d != NULL)
+		*d = r->d;
+}
+#endif
+
 static int extract_key(const char *certfile, uint8_t **modulus, int *modulus_len,
 	uint8_t **exponent, int *exponent_len)
 {
-	char buf[PUBKEY_ALGO_LEN];
-	int pubkey_algonid;
-	const char *sslbuf;
+	const BIGNUM *n, *e;
 	EVP_PKEY *pkey;
 	FILE *fp;
 	X509 *cert;
@@ -120,37 +131,26 @@ static int extract_key(const char *certfile, uint8_t **modulus, int *modulus_len
 
 	fclose(fp);
 
-	pubkey_algonid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
-	if (pubkey_algonid == NID_undef) {
-		fprintf(stderr, "unable to find specified public key algorithm name.\n");
-		return -EINVAL;
-	}
-
-	if (pubkey_algonid != NID_rsaEncryption)
-		return -EINVAL;
-
-	sslbuf = OBJ_nid2ln(pubkey_algonid);
-	strncpy(buf, sslbuf, PUBKEY_ALGO_LEN);
-
 	pkey = X509_get_pubkey(cert);
 	if (!pkey) {
 		fprintf(stderr, "unable to extract public key from certificate");
 		return -EINVAL;
 	}
 
-	rsa_key = pkey->pkey.rsa;
+	rsa_key = EVP_PKEY_get0_RSA(pkey);
 	if (!rsa_key) {
 		fprintf(stderr, "unable to extract RSA public key");
 		return -EINVAL;
 	}
 
-	*modulus_len = BN_num_bytes(rsa_key->n);
+	RSA_get0_key(rsa_key, &n, &e, NULL);
+	*modulus_len = BN_num_bytes(n);
 	*modulus = malloc(*modulus_len);
-	BN_bn2bin(rsa_key->n, *modulus);
+	BN_bn2bin(n, *modulus);
 
-	*exponent_len = BN_num_bytes(rsa_key->e);
+	*exponent_len = BN_num_bytes(e);
 	*exponent = malloc(*exponent_len);
-	BN_bn2bin(rsa_key->e, *exponent);
+	BN_bn2bin(e, *exponent);
 
 	EVP_PKEY_free(pkey);
 	X509_free(cert);
-- 
2.17.1


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x
  2018-06-08 11:07 [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x Lucas Stach
@ 2018-06-11  6:46 ` Sascha Hauer
  2018-07-11 14:52   ` Lucas Stach
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2018-06-11  6:46 UTC (permalink / raw)
  To: Lucas Stach; +Cc: barebox

On Fri, Jun 08, 2018 at 01:07:47PM +0200, Lucas Stach wrote:
> OpenSSL 1.1.x made some of the types opaque, so peeking inside directly
> doesn't work anymore. Use the correct accessors instead.
> 
> I've dropped the algorithm check, as EVP_PKEY_get0_RSA() already verifies
> that the pubkey is RSA and returns NULL if it isn't.
> 
> Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
> ---
> This is compile tested only, so I would appreciate some testing and/or
> a close look at this change.
> ---
>  scripts/imx/imx-image.c | 40 ++++++++++++++++++++--------------------
>  1 file changed, 20 insertions(+), 20 deletions(-)

Applied, thanks

Sascha

> 
> diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
> index b241e8c4b68e..d50c755456c3 100644
> --- a/scripts/imx/imx-image.c
> +++ b/scripts/imx/imx-image.c
> @@ -94,12 +94,23 @@ struct hab_rsa_public_key {
>  #include <openssl/pem.h>
>  #include <openssl/bio.h>
>  
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +void RSA_get0_key(const RSA *r, const BIGNUM **n,
> +		  const BIGNUM **e, const BIGNUM **d)
> +{
> +	if (n != NULL)
> +		*n = r->n;
> +	if (e != NULL)
> +		*e = r->e;
> +	if (d != NULL)
> +		*d = r->d;
> +}
> +#endif
> +
>  static int extract_key(const char *certfile, uint8_t **modulus, int *modulus_len,
>  	uint8_t **exponent, int *exponent_len)
>  {
> -	char buf[PUBKEY_ALGO_LEN];
> -	int pubkey_algonid;
> -	const char *sslbuf;
> +	const BIGNUM *n, *e;
>  	EVP_PKEY *pkey;
>  	FILE *fp;
>  	X509 *cert;
> @@ -120,37 +131,26 @@ static int extract_key(const char *certfile, uint8_t **modulus, int *modulus_len
>  
>  	fclose(fp);
>  
> -	pubkey_algonid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
> -	if (pubkey_algonid == NID_undef) {
> -		fprintf(stderr, "unable to find specified public key algorithm name.\n");
> -		return -EINVAL;
> -	}
> -
> -	if (pubkey_algonid != NID_rsaEncryption)
> -		return -EINVAL;
> -
> -	sslbuf = OBJ_nid2ln(pubkey_algonid);
> -	strncpy(buf, sslbuf, PUBKEY_ALGO_LEN);
> -
>  	pkey = X509_get_pubkey(cert);
>  	if (!pkey) {
>  		fprintf(stderr, "unable to extract public key from certificate");
>  		return -EINVAL;
>  	}
>  
> -	rsa_key = pkey->pkey.rsa;
> +	rsa_key = EVP_PKEY_get0_RSA(pkey);
>  	if (!rsa_key) {
>  		fprintf(stderr, "unable to extract RSA public key");
>  		return -EINVAL;
>  	}
>  
> -	*modulus_len = BN_num_bytes(rsa_key->n);
> +	RSA_get0_key(rsa_key, &n, &e, NULL);
> +	*modulus_len = BN_num_bytes(n);
>  	*modulus = malloc(*modulus_len);
> -	BN_bn2bin(rsa_key->n, *modulus);
> +	BN_bn2bin(n, *modulus);
>  
> -	*exponent_len = BN_num_bytes(rsa_key->e);
> +	*exponent_len = BN_num_bytes(e);
>  	*exponent = malloc(*exponent_len);
> -	BN_bn2bin(rsa_key->e, *exponent);
> +	BN_bn2bin(e, *exponent);
>  
>  	EVP_PKEY_free(pkey);
>  	X509_free(cert);
> -- 
> 2.17.1
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x
  2018-06-11  6:46 ` Sascha Hauer
@ 2018-07-11 14:52   ` Lucas Stach
  2018-07-13  6:20     ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Lucas Stach @ 2018-07-11 14:52 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Am Montag, den 11.06.2018, 08:46 +0200 schrieb Sascha Hauer:
> On Fri, Jun 08, 2018 at 01:07:47PM +0200, Lucas Stach wrote:
> > OpenSSL 1.1.x made some of the types opaque, so peeking inside
> > directly
> > doesn't work anymore. Use the correct accessors instead.
> > 
> > I've dropped the algorithm check, as EVP_PKEY_get0_RSA() already
> > verifies
> > that the pubkey is RSA and returns NULL if it isn't.
> > 
> > Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
> > ---
> > This is compile tested only, so I would appreciate some testing
> > and/or
> > a close look at this change.
> > ---
> >  scripts/imx/imx-image.c | 40 ++++++++++++++++++++-----------------
> > ---
> >  1 file changed, 20 insertions(+), 20 deletions(-)
> 
> Applied, thanks

It seems this has been lost in the -next cracks.

Regards,
Lucas

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x
  2018-07-11 14:52   ` Lucas Stach
@ 2018-07-13  6:20     ` Sascha Hauer
  0 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2018-07-13  6:20 UTC (permalink / raw)
  To: Lucas Stach; +Cc: barebox

On Wed, Jul 11, 2018 at 04:52:37PM +0200, Lucas Stach wrote:
> Am Montag, den 11.06.2018, 08:46 +0200 schrieb Sascha Hauer:
> > On Fri, Jun 08, 2018 at 01:07:47PM +0200, Lucas Stach wrote:
> > > OpenSSL 1.1.x made some of the types opaque, so peeking inside
> > > directly
> > > doesn't work anymore. Use the correct accessors instead.
> > > 
> > > I've dropped the algorithm check, as EVP_PKEY_get0_RSA() already
> > > verifies
> > > that the pubkey is RSA and returns NULL if it isn't.
> > > 
> > > Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
> > > ---
> > > This is compile tested only, so I would appreciate some testing
> > > and/or
> > > a close look at this change.
> > > ---
> > >  scripts/imx/imx-image.c | 40 ++++++++++++++++++++-----------------
> > > ---
> > >  1 file changed, 20 insertions(+), 20 deletions(-)
> > 
> > Applied, thanks
> 
> It seems this has been lost in the -next cracks.

Oops, indeed. Applied now. For real.

Sascha

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-07-13  6:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-08 11:07 [PATCH] scripts: imx-image: fix build with OpenSSL 1.1.x Lucas Stach
2018-06-11  6:46 ` Sascha Hauer
2018-07-11 14:52   ` Lucas Stach
2018-07-13  6:20     ` Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox