tpm2-pkcs11: Fix build with openssl 3.0
Allow use of deprecated declarations while upstream works on updating support to newer openssl functionality, and rework do_sig_verify_ec. Related: rhbz#1958030 Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
This commit is contained in:
parent
10ffe7d508
commit
1d77fcfa16
@ -0,0 +1,100 @@
|
|||
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
|
||||
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
|
||||
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
|
||||
@@ -438,82 +438,29 @@
|
||||
return rv;
|
||||
}
|
||||
|
||||
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
|
||||
-
|
||||
- if (siglen & 1) {
|
||||
- LOGE("Expected ECDSA signature length to be even, got : %lu",
|
||||
- siglen);
|
||||
- return CKR_SIGNATURE_LEN_RANGE;
|
||||
- }
|
||||
-
|
||||
- size_t len = siglen >> 1;
|
||||
-
|
||||
- unsigned char *rbuf = sig;
|
||||
- unsigned char *sbuf = &sig[len];
|
||||
-
|
||||
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
|
||||
- if (!r) {
|
||||
- LOGE("Could not make bignum for r");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
|
||||
- if (!s) {
|
||||
- LOGE("Could not make bignum for s");
|
||||
- BN_free(r);
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
|
||||
- if (!ossl_sig) {
|
||||
- LOGE("oom");
|
||||
- return CKR_HOST_MEMORY;
|
||||
- }
|
||||
-
|
||||
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
|
||||
- if (!rc) {
|
||||
- LOGE("Could not call ECDSA_SIG_set0");
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- *outsig = ossl_sig;
|
||||
-
|
||||
- return CKR_OK;
|
||||
-}
|
||||
-
|
||||
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
|
||||
CK_BYTE_PTR digest, CK_ULONG digest_len,
|
||||
CK_BYTE_PTR signature, CK_ULONG signature_len) {
|
||||
|
||||
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
|
||||
- if (!eckey) {
|
||||
- LOGE("Expected EC Key");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
+ int rc = CKR_OK;
|
||||
+ EVP_PKEY_CTX *pctx = NULL;
|
||||
|
||||
- /*
|
||||
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
|
||||
- * R + S signatures, so convert it to ASN1 framing.
|
||||
- * See:
|
||||
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
|
||||
- * For details.
|
||||
- */
|
||||
- ECDSA_SIG *ossl_sig = NULL;
|
||||
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
|
||||
- if (rv != CKR_OK) {
|
||||
- return rv;
|
||||
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
||||
+ rc = CKR_HOST_MEMORY;
|
||||
+ goto fail;
|
||||
}
|
||||
|
||||
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
|
||||
- if (rc < 0) {
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
||||
+ EVP_PKEY_verify(pctx, signature, signature_len,
|
||||
+ digest, digest_len) != 1) {
|
||||
+ rc = CKR_SIGNATURE_INVALID;
|
||||
+ goto fail;
|
||||
}
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
|
||||
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
|
||||
+fail:
|
||||
+ if (pctx)
|
||||
+ EVP_PKEY_CTX_free(pctx);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
|
|
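Review bot: The reworked do_sig_verify_ec hands the PKCS#11 signature buffer straight to the EVP_PKEY_verify call added in this hunk, dropping the raw R||S to ASN.1 conversion that the removed comment (`OpenSSL expects ASN1 framed signatures, PKCS11 does flate R + S signatures`, issue #277) says OpenSSL requires, so a well-formed PKCS#11 ECDSA signature is likely to come back as CKR_SIGNATURE_INVALID unless the callers outside this hunk have changed to pass DER. The removed create_ecdsa_sig only uses BN_bin2bn, ECDSA_SIG_new and ECDSA_SIG_set0, none of which are deprecated in OpenSSL 3.0, so it can stay and feed i2d_ECDSA_SIG before the EVP call. The new error path also folds an EVP_PKEY_verify_init failure and a negative (library error) return from EVP_PKEY_verify into CKR_SIGNATURE_INVALID with no log line, where the old code reported those as CKR_GENERAL_ERROR via SSL_UTIL_LOGE and reserved CKR_SIGNATURE_INVALID for a 0 result; `rc` is also declared `int` although the function returns CK_RV. A rewrite that keeps the conversion and the distinct return codes:
```c
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
        CK_BYTE_PTR digest, CK_ULONG digest_len,
        CK_BYTE_PTR signature, CK_ULONG signature_len) {

    CK_RV rv = CKR_GENERAL_ERROR;
    EVP_PKEY_CTX *pctx = NULL;
    ECDSA_SIG *ossl_sig = NULL;
    unsigned char *der = NULL;

    /* PKCS#11 passes raw R||S; EVP_PKEY_verify expects a DER ECDSA-Sig-Value */
    rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
    if (rv != CKR_OK) {
        return rv;
    }

    int derlen = i2d_ECDSA_SIG(ossl_sig, &der);
    if (derlen <= 0) {
        SSL_UTIL_LOGE("i2d_ECDSA_SIG failed");
        rv = CKR_GENERAL_ERROR;
        goto out;
    }

    pctx = EVP_PKEY_CTX_new(pkey, NULL);
    if (!pctx) {
        rv = CKR_HOST_MEMORY;
        goto out;
    }

    if (EVP_PKEY_verify_init(pctx) != 1) {
        SSL_UTIL_LOGE("EVP_PKEY_verify_init failed");
        rv = CKR_GENERAL_ERROR;
        goto out;
    }

    /* 1 = verified, 0 = bad signature, <0 = library error: keep them distinct */
    int rc = EVP_PKEY_verify(pctx, der, (size_t)derlen, digest, digest_len);
    if (rc < 0) {
        SSL_UTIL_LOGE("EVP_PKEY_verify failed");
        rv = CKR_GENERAL_ERROR;
    } else {
        rv = rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
    }

out:
    EVP_PKEY_CTX_free(pctx);
    OPENSSL_free(der);
    ECDSA_SIG_free(ossl_sig);
    return rv;
}
```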
@ -7,7 +7,7 @@
|
|||
|
||||
Name: tpm2-pkcs11
|
||||
Version: 1.5.0
|
||||
Release: 5%{?candidate:.%{candidate}}%{?dist}
|
||||
Release: 6%{?candidate:.%{candidate}}%{?dist}
|
||||
Summary: PKCS#11 interface for TPM 2.0 hardware
|
||||
|
||||
License: BSD
|
||||
|
@ -19,6 +19,7 @@ Source2: gpgkey-8E1F50C1.gpg
|
|||
Patch0: tpm2-pkcs11-gcc11.patch
|
||||
# https://github.com/tpm2-software/tpm2-pkcs11/commit/78f4e2b47d02cb8215f252e77c68a81dfe4afa30
|
||||
Patch1: tpm2-pkcs11-s390x.patch
|
||||
Patch2: tpm2-pkcs11-1.5.0-openssl3.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
|
@ -64,7 +65,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
|||
|
||||
|
||||
%build
|
||||
%configure --enable-unit
|
||||
%configure --enable-unit CFLAGS="%{optflags} -Wno-error=deprecated-declarations"
|
||||
%{make_build}
|
||||
cd tools
|
||||
%py3_build
|
||||
|
@ -102,6 +103,9 @@ cd tools
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-6
|
||||
- Work around for openssl 3.0 update. Related: rhbz#1958030
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-5
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
|
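Review bot: The `%configure --enable-unit CFLAGS="%{optflags} -Wno-error=deprecated-declarations"` line in the %build hunk silences deprecated-API errors for the whole build, not just the function the patch reworks, and nothing in the spec records why or when it can go. A comment above it such as `# openssl 3.0 deprecates the low-level EC/ECDSA API still used by 1.5.0; drop once upstream moves to EVP. Related: rhbz#1958030` would tie the override to its cause so a later rebase knows to remove it.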