rpms
/
tpm2-pkcs11
7
0
Fork 0
Code Issues Pull Requests Releases Activity

tpm2-pkcs11: Fix build with openssl 3.0 

Allow use of deprecated declarations while upstream
works on updating support to newer openssl functionality,
and rework do_sig_verify_ec.

Related: rhbz#1958030

Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
This commit is contained in:
Jerry Snitselaar 2021-05-26 10:23:33 -07:00
parent 10ffe7d508
commit 1d77fcfa16
2 changed files with 106 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
tpm2-pkcs11-1.5.0-openssl3.patch Normal file
View File

@ -0,0 +1,100 @@
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
@@ -438,82 +438,29 @@
return rv;
}
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-
- if (siglen & 1) {
- LOGE("Expected ECDSA signature length to be even, got : %lu",
- siglen);
- return CKR_SIGNATURE_LEN_RANGE;
- }
-
- size_t len = siglen >> 1;
-
- unsigned char *rbuf = sig;
- unsigned char *sbuf = &sig[len];
-
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
- if (!r) {
- LOGE("Could not make bignum for r");
- return CKR_GENERAL_ERROR;
- }
-
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
- if (!s) {
- LOGE("Could not make bignum for s");
- BN_free(r);
- return CKR_GENERAL_ERROR;
- }
-
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
- if (!ossl_sig) {
- LOGE("oom");
- return CKR_HOST_MEMORY;
- }
-
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
- if (!rc) {
- LOGE("Could not call ECDSA_SIG_set0");
- ECDSA_SIG_free(ossl_sig);
- return CKR_GENERAL_ERROR;
- }
-
- *outsig = ossl_sig;
-
- return CKR_OK;
-}
-
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
CK_BYTE_PTR digest, CK_ULONG digest_len,
CK_BYTE_PTR signature, CK_ULONG signature_len) {
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
- if (!eckey) {
- LOGE("Expected EC Key");
- return CKR_GENERAL_ERROR;
- }
+ int rc = CKR_OK;
+ EVP_PKEY_CTX *pctx = NULL;
- /*
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
- * R + S signatures, so convert it to ASN1 framing.
- * See:
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
- * For details.
- */
- ECDSA_SIG *ossl_sig = NULL;
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
- if (rv != CKR_OK) {
- return rv;
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
+ rc = CKR_HOST_MEMORY;
+ goto fail;
}
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
- if (rc < 0) {
- ECDSA_SIG_free(ossl_sig);
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
- return CKR_GENERAL_ERROR;
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
+ EVP_PKEY_verify(pctx, signature, signature_len,
+ digest, digest_len) != 1) {
+ rc = CKR_SIGNATURE_INVALID;
+ goto fail;
}
- ECDSA_SIG_free(ossl_sig);
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
+fail:
+ if (pctx)
+ EVP_PKEY_CTX_free(pctx);
+ return rc;
}
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,

8
tpm2-pkcs11.spec
View File

@ -7,7 +7,7 @@
Name: tpm2-pkcs11
Version: 1.5.0
Release: 5%{?candidate:.%{candidate}}%{?dist}
Release: 6%{?candidate:.%{candidate}}%{?dist}
Summary: PKCS#11 interface for TPM 2.0 hardware
License: BSD
@ -19,6 +19,7 @@ Source2: gpgkey-8E1F50C1.gpg
Patch0: tpm2-pkcs11-gcc11.patch
# https://github.com/tpm2-software/tpm2-pkcs11/commit/78f4e2b47d02cb8215f252e77c68a81dfe4afa30
Patch1: tpm2-pkcs11-s390x.patch
Patch2: tpm2-pkcs11-1.5.0-openssl3.patch
BuildRequires: gcc
BuildRequires: make
@ -64,7 +65,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%build
%configure --enable-unit
%configure --enable-unit CFLAGS="%{optflags} -Wno-error=deprecated-declarations"
%{make_build}
cd tools
%py3_build
@ -102,6 +103,9 @@ cd tools
%changelog
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-6
- Work around for openssl 3.0 update. Related: rhbz#1958030
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937