From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
"Bruno E. O. Meneguele" <brdeoliv@redhat.com>,
dmitry.kasatkin@gmail.com, jarkko.sakkinen@linux.intel.com
Cc: linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api
Date: Sun, 28 Jan 2018 00:07:09 -0500 [thread overview]
Message-ID: <1517116029.29187.214.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1517034216.3034.50.camel@HansenPartnership.com>
On Fri, 2018-01-26 at 22:23 -0800, James Bottomley wrote:
> On Thu, 2017-12-07 at 17:05 -0200, Bruno E. O. Meneguele wrote:
> > This patch makes the changes needed to support the new OpenSSL
> > 1.1 API, since the older one, OpenSSL 1.0.z, will be dropped by
> > the major distros in upcoming releases.
>
> This would break compilation on every 1.0 distro:
>
> gcc -DHAVE_CONFIG_H -I. -I.. -I.. -include config.h -g -O2 -g -O1
> -Wall -Wstrict-prototypes -pipe -MT evmctl-evmctl.o -MD -MP -MF
> .deps/evmctl-evmctl.Tpo -c -o evmctl-evmctl.o `test -f 'evmctl.c' ||
> echo './'`evmctl.c
> evmctl.c: In function 'calc_evm_hash':
> evmctl.c:369:2: warning: implicit declaration of function
> 'EVP_MD_CTX_new' [-Wimplicit-function-declaration]
> ctx = EVP_MD_CTX_new();
> ...
>
> Unfortunately you have to ifdef the code if you want it to work
> on both 1.0 and 1.1.
>
> How about this?
Thanks, James. It compiles and works with both libraries now.
Mimi
> ---
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index c54efbb..6471404 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> struct stat st;
> int err;
> uint32_t generation = 0;
> - EVP_MD_CTX ctx;
> + EVP_MD_CTX *pctx;
> unsigned int mdlen;
> char **xattrname;
> char xattr_value[1024];
> @@ -323,6 +323,12 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> char uuid[16];
> struct h_misc_64 hmac_misc;
> int hmac_size;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> + EVP_MD_CTX ctx;
> + pctx = &ctx;
> +#else
> + pctx = EVP_MD_CTX_new();
> +#endif
>
> if (lstat(file, &st)) {
> log_err("Failed to stat: %s\n", file);
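Review bot: On OpenSSL 1.1 `pctx = EVP_MD_CTX_new();` is neither checked for NULL nor ever released: no `EVP_MD_CTX_free()` appears anywhere in this patch, so each call of calc_evm_hash leaks one context, and every early `return` after the allocation (the lstat failure right below, the EVP_DigestInit/Update/Final failures in the following hunks) exits with it still allocated. The same pattern is in the ima_calc_hash hunk of libimaevm.c, where, being a library entry point, it leaks once per caller invocation. A guard such as `if (!pctx) { log_err("EVP_MD_CTX_new() failed\n"); return -1; }` directly after the allocation, plus an `EVP_MD_CTX_free(pctx)` (under the same version `#if`) reached from every exit after it — e.g. by routing the returns through a cleanup label the way calc_evm_hmac already does — would close both in both functions. calc_evm_hash starts and ends outside this hunk.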
> @@ -366,7 +372,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> return -1;
> }
>
> - err = EVP_DigestInit(&ctx, EVP_sha1());
> + err = EVP_DigestInit(pctx, EVP_sha1());
> if (!err) {
> log_err("EVP_DigestInit() failed\n");
> return 1;
> @@ -398,7 +404,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
> log_info("name: %s, size: %d\n", *xattrname, err);
> log_debug_dump(xattr_value, err);
> - err = EVP_DigestUpdate(&ctx, xattr_value, err);
> + err = EVP_DigestUpdate(pctx, xattr_value, err);
> if (!err) {
> log_err("EVP_DigestUpdate() failed\n");
> return 1;
> @@ -446,7 +452,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> log_debug("hmac_misc (%d): ", hmac_size);
> log_debug_dump(&hmac_misc, hmac_size);
>
> - err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size);
> + err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
> if (!err) {
> log_err("EVP_DigestUpdate() failed\n");
> return 1;
> @@ -457,14 +463,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> if (err)
> return -1;
>
> - err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid));
> + err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
> if (!err) {
> log_err("EVP_DigestUpdate() failed\n");
> return 1;
> }
> }
>
> - err = EVP_DigestFinal(&ctx, hash, &mdlen);
> + err = EVP_DigestFinal(pctx, hash, &mdlen);
> if (!err) {
> log_err("EVP_DigestFinal() failed\n");
> return 1;
> @@ -908,7 +914,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> struct stat st;
> int err = -1;
> uint32_t generation = 0;
> - HMAC_CTX ctx;
> + HMAC_CTX *pctx;
> unsigned int mdlen;
> char **xattrname;
> unsigned char xattr_value[1024];
> @@ -919,6 +925,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> ssize_t list_size;
> struct h_misc_64 hmac_misc;
> int hmac_size;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> + HMAC_CTX ctx;
> + pctx = &ctx;
> +#else
> + pctx = HMAC_CTX_new();
> +#endif
>
> key = file2bin(keyfile, NULL, &keylen);
> if (!key) {
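Review bot: The pre-1.1 branch declares `HMAC_CTX ctx;` on the stack but never runs `HMAC_CTX_init(&ctx)`; as I read 1.0's hmac.c the removed `HMAC_Init()` performed that initialisation itself, whereas the `HMAC_Init_ex()` that replaces it in the next hunk expects an already-initialised context, so on 1.0 this now hands uninitialised stack memory to the HMAC code. On 1.1 `HMAC_CTX_new()` may return NULL and is used unchecked. Both belong in the allocation block; while there I would also align the message at the Init call with the new function, `log_err("HMAC_Init_ex() failed\n")`. calc_evm_hmac starts and ends outside this hunk.
```c
#if OPENSSL_VERSION_NUMBER < 0x10100000
	HMAC_CTX ctx;
	HMAC_CTX_init(&ctx);
	pctx = &ctx;
#else
	pctx = HMAC_CTX_new();
	if (!pctx) {
		log_err("HMAC_CTX_new() failed\n");
		return -1;
	}
#endif
```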
> @@ -965,7 +977,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> goto out;
> }
>
> - err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1());
> + err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
> if (err) {
> log_err("HMAC_Init() failed\n");
> goto out;
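Review bot: `goto out` on HMAC_Init_ex failure bypasses `out_ctx_cleanup`, so on OpenSSL 1.1 the context obtained from `HMAC_CTX_new()` in the previous hunk is leaked; the same applies to every `goto out` between the allocation and this point (the file2bin failure above and whatever sits in the lines not shown). Since the label in the last evmctl.c hunk already dispatches to `HMAC_CTX_cleanup`/`HMAC_CTX_free`, those exits can use `goto out_ctx_cleanup;` instead, provided the context is initialised before the first of them (on 1.0 that means an `HMAC_CTX_init` right after the stack declaration, so that `HMAC_CTX_cleanup` on an untouched context is harmless). calc_evm_hmac continues outside the hunk on both sides.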
> @@ -984,7 +996,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
> log_info("name: %s, size: %d\n", *xattrname, err);
> log_debug_dump(xattr_value, err);
> - err = !HMAC_Update(&ctx, xattr_value, err);
> + err = !HMAC_Update(pctx, xattr_value, err);
> if (err) {
> log_err("HMAC_Update() failed\n");
> goto out_ctx_cleanup;
> @@ -1025,16 +1037,20 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> log_debug("hmac_misc (%d): ", hmac_size);
> log_debug_dump(&hmac_misc, hmac_size);
>
> - err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size);
> + err = !HMAC_Update(pctx, (const unsigned char *)&hmac_misc, hmac_size);
> if (err) {
> log_err("HMAC_Update() failed\n");
> goto out_ctx_cleanup;
> }
> - err = !HMAC_Final(&ctx, hash, &mdlen);
> + err = !HMAC_Final(pctx, hash, &mdlen);
> if (err)
> log_err("HMAC_Final() failed\n");
> out_ctx_cleanup:
> - HMAC_CTX_cleanup(&ctx);
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> + HMAC_CTX_cleanup(pctx);
> +#else
> + HMAC_CTX_free(pctx);
> +#endif
> out:
> free(key);
> return err ?: mdlen;
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index eedffb4..fd1bde6 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -271,9 +271,15 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> {
> const EVP_MD *md;
> struct stat st;
> - EVP_MD_CTX ctx;
> + EVP_MD_CTX *pctx;
> unsigned int mdlen;
> int err;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> + EVP_MD_CTX ctx;
> + pctx = &ctx;
> +#else
> + pctx = EVP_MD_CTX_new();
> +#endif
>
> /* Need to know the file length */
> err = lstat(file, &st);
> @@ -288,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> return 1;
> }
>
> - err = EVP_DigestInit(&ctx, md);
> + err = EVP_DigestInit(pctx, md);
> if (!err) {
> log_err("EVP_DigestInit() failed\n");
> return 1;
> @@ -296,17 +302,17 @@ int ima_calc_hash(const char *file, uint8_t *hash)
>
> switch (st.st_mode & S_IFMT) {
> case S_IFREG:
> - err = add_file_hash(file, &ctx);
> + err = add_file_hash(file, pctx);
> break;
> case S_IFDIR:
> - err = add_dir_hash(file, &ctx);
> + err = add_dir_hash(file, pctx);
> break;
> case S_IFLNK:
> - err = add_link_hash(file, &ctx);
> + err = add_link_hash(file, pctx);
> break;
> case S_IFIFO: case S_IFSOCK:
> case S_IFCHR: case S_IFBLK:
> - err = add_dev_hash(&st, &ctx);
> + err = add_dev_hash(&st, pctx);
> break;
> default:
> log_errno("Unsupported file type");
> @@ -316,7 +322,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> if (err)
> return err;
>
> - err = EVP_DigestFinal(&ctx, hash, &mdlen);
> + err = EVP_DigestFinal(pctx, hash, &mdlen);
> if (!err) {
> log_err("EVP_DigestFinal() failed\n");
> return 1;
> @@ -549,6 +555,14 @@ int key2bin(RSA *key, unsigned char *pub)
> {
> int len, b, offset = 0;
> struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
> + const BIGNUM *n, *e;
> +
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> + n = key->n;
> + e = key->e;
> +#else
> + RSA_get0_key(key, &n, &e, NULL);
> +#endif
>
> /* add key header */
> pkh->version = 1;
> @@ -558,18 +572,18 @@ int key2bin(RSA *key, unsigned char *pub)
>
> offset += sizeof(*pkh);
>
> - len = BN_num_bytes(key->n);
> - b = BN_num_bits(key->n);
> + len = BN_num_bytes(n);
> + b = BN_num_bits(n);
> pub[offset++] = b >> 8;
> pub[offset++] = b & 0xff;
> - BN_bn2bin(key->n, &pub[offset]);
> + BN_bn2bin(n, &pub[offset]);
> offset += len;
>
> - len = BN_num_bytes(key->e);
> - b = BN_num_bits(key->e);
> + len = BN_num_bytes(e);
> + b = BN_num_bits(e);
> pub[offset++] = b >> 8;
> pub[offset++] = b & 0xff;
> - BN_bn2bin(key->e, &pub[offset]);
> + BN_bn2bin(e, &pub[offset]);
> offset += len;
>
> return offset;
>