* [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api @ 2017-12-07 19:05 Bruno E. O. Meneguele 2018-01-27 6:23 ` James Bottomley 0 siblings, 1 reply; 4+ messages in thread From: Bruno E. O. Meneguele @ 2017-12-07 19:05 UTC (permalink / raw) To: dmitry.kasatkin, zohar, jarkko.sakkinen; +Cc: linux-integrity This patch adds and changes the points needed to support the new OpenSSL 1.1 API, considering the older one, OpenSSL 1.0.z, will be dropped by the major distros in following releases. Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com> --- src/evmctl.c | 39 +++++++++++++++++++++++++-------------- src/libimaevm.c | 38 +++++++++++++++++++++++--------------- 2 files changed, 48 insertions(+), 29 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index c54efbb..7d9be32 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 struct stat st;
 int err;
 uint32_t generation = 0;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
 unsigned int mdlen;
 char **xattrname;
 char xattr_value[1024];
@@ -366,9 +366,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 return -1;
 }
- err = EVP_DigestInit(&ctx, EVP_sha1());
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ log_err("EVP_MD_CTX_new() failed\n");
+ return 1;
+ }
+ err = EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
 if (!err) {
- log_err("EVP_DigestInit() failed\n");
+ log_err("EVP_DigestInit_ex() failed\n");
 return 1;
 }
@@ -398,7 +403,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
 log_info("name: %s, size: %d\n", *xattrname, err);
 log_debug_dump(xattr_value, err);
- err = EVP_DigestUpdate(&ctx, xattr_value, err);
+ err = EVP_DigestUpdate(ctx, xattr_value, err);
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
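Review bot: The `return 1;` after the `EVP_DigestInit_ex()` failure in `@@ -366` leaks the context that `EVP_MD_CTX_new()` has just allocated, because the only `EVP_MD_CTX_free(ctx)` is on the success path at the end of calc_evm_hash (`@@ -457`). The early returns in `@@ -398`, `@@ -446` and `@@ -457` (including the `return -1` after the uuid lookup and the `return 1` after `EVP_DigestFinal_ex()`), and in ima_calc_hash (libimaevm.c `@@ -288` and `@@ -316`, including the `return err` after the switch), have the same gap. Either put `EVP_MD_CTX_free(ctx);` in front of each of those returns, or route them through one cleanup label that frees the context and returns the existing code, the way calc_evm_hmac already uses `out_ctx_cleanup`. Separately, the evmctl.c message still reads `EVP_DigestFinal() failed` after the call became `EVP_DigestFinal_ex()`, whereas libimaevm.c updates its message in the same patch. calc_evm_hash starts before and ends after these hunks.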
@@ -446,7 +451,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 log_debug("hmac_misc (%d): ", hmac_size);
 log_debug_dump(&hmac_misc, hmac_size);
- err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size);
+ err = EVP_DigestUpdate(ctx, &hmac_misc, hmac_size);
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
@@ -457,18 +462,19 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 if (err)
 return -1;
- err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid));
+ err = EVP_DigestUpdate(ctx, (const unsigned char *)uuid, sizeof(uuid));
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
 }
 }
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
+ err = EVP_DigestFinal_ex(ctx, hash, &mdlen);
 if (!err) {
 log_err("EVP_DigestFinal() failed\n");
 return 1;
 }
+ EVP_MD_CTX_free(ctx);
 return mdlen;
 }
@@ -908,7 +914,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 struct stat st;
 int err = -1;
 uint32_t generation = 0;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
 unsigned int mdlen;
 char **xattrname;
 unsigned char xattr_value[1024];
@@ -965,10 +971,15 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 goto out;
 }
- err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1());
+ ctx = HMAC_CTX_new();
+ if (!ctx) {
+ log_err("HMAC_MD_CTX_new() failed\n");
+ goto out;
+ }
+ err = !HMAC_Init_ex(ctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
 if (err) {
 log_err("HMAC_Init() failed\n");
- goto out;
+ goto out_ctx_cleanup;
 }
 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
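Review bot: The error message added in `@@ -965` names a function that does not exist; it should read `log_err("HMAC_CTX_new() failed\n");` to match the call on the line above it. The `log_err("HMAC_Init() failed\n")` a few lines further down is likewise stale now that the call is `HMAC_Init_ex()`. On the allocation-failure `goto out`, the value returned by `return err ?: mdlen` depends on `err` still holding the `-1` it is initialized with in `@@ -908`; if anything between the declaration and this point (outside the hunk) can overwrite it, set `err = -1;` explicitly before the jump. calc_evm_hmac continues past the end of this hunk.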
@@ -984,7 +995,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
 log_info("name: %s, size: %d\n", *xattrname, err);
 log_debug_dump(xattr_value, err);
- err = !HMAC_Update(&ctx, xattr_value, err);
+ err = !HMAC_Update(ctx, xattr_value, err);
 if (err) {
 log_err("HMAC_Update() failed\n");
 goto out_ctx_cleanup;
@@ -1025,16 +1036,16 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 log_debug("hmac_misc (%d): ", hmac_size);
 log_debug_dump(&hmac_misc, hmac_size);
- err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size);
+ err = !HMAC_Update(ctx, (const unsigned char *)&hmac_misc, hmac_size);
 if (err) {
 log_err("HMAC_Update() failed\n");
 goto out_ctx_cleanup;
 }
- err = !HMAC_Final(&ctx, hash, &mdlen);
+ err = !HMAC_Final(ctx, hash, &mdlen);
 if (err)
 log_err("HMAC_Final() failed\n");
 out_ctx_cleanup:
- HMAC_CTX_cleanup(&ctx);
+ HMAC_CTX_free(ctx);
 out:
 free(key);
 return err ?: mdlen;
diff --git a/src/libimaevm.c b/src/libimaevm.c
index eedffb4..f6339e5 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -271,7 +271,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 {
 const EVP_MD *md;
 struct stat st;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
 unsigned int mdlen;
 int err;
@@ -288,25 +288,30 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 return 1;
 }
- err = EVP_DigestInit(&ctx, md);
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ log_err("EVP_MD_CTX_new() failed\n");
+ return 1;
+ }
+ err = EVP_DigestInit_ex(ctx, md, NULL);
 if (!err) {
- log_err("EVP_DigestInit() failed\n");
+ log_err("EVP_DigestInit_ex() failed\n");
 return 1;
 }
 switch (st.st_mode & S_IFMT) {
 case S_IFREG:
- err = add_file_hash(file, &ctx);
+ err = add_file_hash(file, ctx);
 break;
 case S_IFDIR:
- err = add_dir_hash(file, &ctx);
+ err = add_dir_hash(file, ctx);
 break;
 case S_IFLNK:
- err = add_link_hash(file, &ctx);
+ err = add_link_hash(file, ctx);
 break;
 case S_IFIFO: case S_IFSOCK:
 case S_IFCHR: case S_IFBLK:
- err = add_dev_hash(&st, &ctx);
+ err = add_dev_hash(&st, ctx);
 break;
 default:
 log_errno("Unsupported file type");
@@ -316,11 +321,12 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 if (err)
 return err;
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
+ err = EVP_DigestFinal_ex(ctx, hash, &mdlen);
 if (!err) {
- log_err("EVP_DigestFinal() failed\n");
+ log_err("EVP_DigestFinal_ex() failed\n");
 return 1;
 }
+ EVP_MD_CTX_free(ctx);
 return mdlen;
 }
@@ -549,6 +555,7 @@ int key2bin(RSA *key, unsigned char *pub)
 {
 int len, b, offset = 0;
 struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
+ const BIGNUM *n, *e;
 /* add key header */
 pkh->version = 1;
@@ -558,18 +565,19 @@ int key2bin(RSA *key, unsigned char *pub)
 offset += sizeof(*pkh);
- len = BN_num_bytes(key->n);
- b = BN_num_bits(key->n);
+ RSA_get0_key(key, &n, &e, NULL);
+ len = BN_num_bytes(n);
+ b = BN_num_bits(n);
 pub[offset++] = b >> 8;
 pub[offset++] = b & 0xff;
- BN_bn2bin(key->n, &pub[offset]);
+ BN_bn2bin(n, &pub[offset]);
 offset += len;
- len = BN_num_bytes(key->e);
- b = BN_num_bits(key->e);
+ len = BN_num_bytes(e);
+ b = BN_num_bits(e);
 pub[offset++] = b >> 8;
 pub[offset++] = b & 0xff;
- BN_bn2bin(key->e, &pub[offset]);
+ BN_bn2bin(e, &pub[offset]);
 offset += len;
 return offset;
-- 2.14.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api 2017-12-07 19:05 [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api Bruno E. O. Meneguele @ 2018-01-27 6:23 ` James Bottomley 2018-01-28 5:07 ` Mimi Zohar 0 siblings, 1 reply; 4+ messages in thread From: James Bottomley @ 2018-01-27 6:23 UTC (permalink / raw) To: Bruno E. O. Meneguele, dmitry.kasatkin, zohar, jarkko.sakkinen Cc: linux-integrity On Thu, 2017-12-07 at 17:05 -0200, Bruno E. O. Meneguele wrote: > This patch adds and changes the points needed to support the new > OpenSSL > 1.1 API, considering the older one, OpenSSL 1.0.z, will be dropped by > the major distros in following releases. This would break compilation on every 1.0 distro: gcc -DHAVE_CONFIG_H -I. -I.. -I.. -include config.h -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -MT evmctl-evmctl.o -MD -MP -MF .deps/evmctl-evmctl.Tpo -c -o evmctl-evmctl.o `test -f 'evmctl.c' || echo './'`evmctl.c evmctl.c: In function 'calc_evm_hash': evmctl.c:369:2: warning: implicit declaration of function 'EVP_MD_CTX_new' [-Wimplicit-function-declaration] ctx = EVP_MD_CTX_new(); ... Unfortunately you have to ifdef the compilations if you want it to work on both 1.0 and 1.1. How about this? James ---
diff --git a/src/evmctl.c b/src/evmctl.c
index c54efbb..6471404 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 struct stat st;
 int err;
 uint32_t generation = 0;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *pctx;
 unsigned int mdlen;
 char **xattrname;
 char xattr_value[1024];
@@ -323,6 +323,12 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 char uuid[16];
 struct h_misc_64 hmac_misc;
 int hmac_size;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ EVP_MD_CTX ctx;
+ pctx = &ctx;
+#else
+ pctx = EVP_MD_CTX_new();
+#endif
 if (lstat(file, &st)) {
 log_err("Failed to stat: %s\n", file);
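Review bot: On the OpenSSL 1.1 branch of `@@ -323`, `pctx = EVP_MD_CTX_new()` is neither checked for NULL nor freed anywhere in calc_evm_hash — no `EVP_MD_CTX_free(pctx)` appears on the success path in `@@ -457` or on any of the early returns, so each call leaks a context; libimaevm.c `@@ -271` (ima_calc_hash) has the same gap. A NULL check right after the allocation (`if (!pctx) return 1;`) plus an `EVP_MD_CTX_free(pctx)` on the return paths, under the same `#if`, would close it. Note also that `OPENSSL_VERSION_NUMBER < 0x10100000` on its own selects the 1.1 branch on LibreSSL, which reports a 2.x version number but, at least in releases current when this was written, does not provide `EVP_MD_CTX_new()`; `|| defined(LIBRESSL_VERSION_NUMBER)` is the usual extra condition. The function starts before and ends after the hunk.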
@@ -366,7 +372,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 return -1;
 }
- err = EVP_DigestInit(&ctx, EVP_sha1());
+ err = EVP_DigestInit(pctx, EVP_sha1());
 if (!err) {
 log_err("EVP_DigestInit() failed\n");
 return 1;
@@ -398,7 +404,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
 log_info("name: %s, size: %d\n", *xattrname, err);
 log_debug_dump(xattr_value, err);
- err = EVP_DigestUpdate(&ctx, xattr_value, err);
+ err = EVP_DigestUpdate(pctx, xattr_value, err);
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
@@ -446,7 +452,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 log_debug("hmac_misc (%d): ", hmac_size);
 log_debug_dump(&hmac_misc, hmac_size);
- err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size);
+ err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
@@ -457,14 +463,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 if (err)
 return -1;
- err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid));
+ err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
 if (!err) {
 log_err("EVP_DigestUpdate() failed\n");
 return 1;
 }
 }
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
+ err = EVP_DigestFinal(pctx, hash, &mdlen);
 if (!err) {
 log_err("EVP_DigestFinal() failed\n");
 return 1;
@@ -908,7 +914,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 struct stat st;
 int err = -1;
 uint32_t generation = 0;
- HMAC_CTX ctx;
+ HMAC_CTX *pctx;
 unsigned int mdlen;
 char **xattrname;
 unsigned char xattr_value[1024];
@@ -919,6 +925,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 ssize_t list_size;
 struct h_misc_64 hmac_misc;
 int hmac_size;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ HMAC_CTX ctx;
+ pctx = &ctx;
+#else
+ pctx = HMAC_CTX_new();
+#endif
 key = file2bin(keyfile, NULL, &keylen);
 if (!key) {
@@ -965,7 +977,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 goto out;
 }
- err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1());
+ err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
 if (err) {
 log_err("HMAC_Init() failed\n");
 goto out;
@@ -984,7 +996,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
 log_info("name: %s, size: %d\n", *xattrname, err);
 log_debug_dump(xattr_value, err);
- err = !HMAC_Update(&ctx, xattr_value, err);
+ err = !HMAC_Update(pctx, xattr_value, err);
 if (err) {
 log_err("HMAC_Update() failed\n");
 goto out_ctx_cleanup;
@@ -1025,16 +1037,20 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 log_debug("hmac_misc (%d): ", hmac_size);
 log_debug_dump(&hmac_misc, hmac_size);
- err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size);
+ err = !HMAC_Update(pctx, (const unsigned char *)&hmac_misc, hmac_size);
 if (err) {
 log_err("HMAC_Update() failed\n");
 goto out_ctx_cleanup;
 }
- err = !HMAC_Final(&ctx, hash, &mdlen);
+ err = !HMAC_Final(pctx, hash, &mdlen);
 if (err)
 log_err("HMAC_Final() failed\n");
 out_ctx_cleanup:
- HMAC_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ HMAC_CTX_cleanup(pctx);
+#else
+ HMAC_CTX_free(pctx);
+#endif
 out:
 free(key);
 return err ?: mdlen;
diff --git a/src/libimaevm.c b/src/libimaevm.c
index eedffb4..fd1bde6 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
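Review bot: In `@@ -919` the 1.1 branch's `pctx = HMAC_CTX_new()` is not checked for NULL before `HMAC_Init_ex(pctx, …)` dereferences it in `@@ -965`, and because the context is allocated before `file2bin()` is even called, every early exit that bypasses `out_ctx_cleanup` — whatever the `if (!key)` branch does (its body is outside the hunk), and certainly the `goto out` on `HMAC_Init_ex()` failure in `@@ -965` — leaks it. Moving the allocation to just before `HMAC_Init_ex()` with `if (!pctx) goto out;`, and turning that failure path into `goto out_ctx_cleanup;`, closes both. calc_evm_hmac begins before the hunk and ends after it.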
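Review bot: On the OpenSSL 1.0 branch, replacing `HMAC_Init()` with `HMAC_Init_ex()` in `@@ -965` drops the implicit `HMAC_CTX_init()`: in 1.0.x the deprecated `HMAC_Init()` initializes the structure before keying it, whereas `HMAC_Init_ex()` expects an already-initialized context, so the stack `ctx` declared in `@@ -919` is keyed while holding whatever the stack contained. Adding `HMAC_CTX_init(&ctx);` next to `pctx = &ctx;` inside the `#if OPENSSL_VERSION_NUMBER < 0x10100000` block restores the old behaviour; the 1.1 branch needs nothing, since `HMAC_CTX_new()` returns an initialized context. The `HMAC_CTX_cleanup(pctx)` kept in `@@ -1025` then remains the matching teardown for the 1.0 case.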
@@ -271,9 +271,15 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 {
 const EVP_MD *md;
 struct stat st;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *pctx;
 unsigned int mdlen;
 int err;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ EVP_MD_CTX ctx;
+ pctx = &ctx;
+#else
+ pctx = EVP_MD_CTX_new();
+#endif
 /* Need to know the file length */
 err = lstat(file, &st);
@@ -288,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 return 1;
 }
- err = EVP_DigestInit(&ctx, md);
+ err = EVP_DigestInit(pctx, md);
 if (!err) {
 log_err("EVP_DigestInit() failed\n");
 return 1;
@@ -296,17 +302,17 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 switch (st.st_mode & S_IFMT) {
 case S_IFREG:
- err = add_file_hash(file, &ctx);
+ err = add_file_hash(file, pctx);
 break;
 case S_IFDIR:
- err = add_dir_hash(file, &ctx);
+ err = add_dir_hash(file, pctx);
 break;
 case S_IFLNK:
- err = add_link_hash(file, &ctx);
+ err = add_link_hash(file, pctx);
 break;
 case S_IFIFO: case S_IFSOCK:
 case S_IFCHR: case S_IFBLK:
- err = add_dev_hash(&st, &ctx);
+ err = add_dev_hash(&st, pctx);
 break;
 default:
 log_errno("Unsupported file type");
@@ -316,7 +322,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 if (err)
 return err;
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
+ err = EVP_DigestFinal(pctx, hash, &mdlen);
 if (!err) {
 log_err("EVP_DigestFinal() failed\n");
 return 1;
@@ -549,6 +555,14 @@ int key2bin(RSA *key, unsigned char *pub)
 {
 int len, b, offset = 0;
 struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
+ const BIGNUM *n, *e;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ n = key->n;
+ e = key->e;
+#else
+ RSA_get0_key(key, &n, &e, NULL);
+#endif
 /* add key header */
 pkh->version = 1;
@@ -558,18 +572,18 @@ int key2bin(RSA *key, unsigned char *pub)
 offset += sizeof(*pkh);
- len = BN_num_bytes(key->n);
- b = BN_num_bits(key->n);
+ len = BN_num_bytes(n);
+ b = BN_num_bits(n);
 pub[offset++] = b >> 8;
 pub[offset++] = b & 0xff;
- BN_bn2bin(key->n, &pub[offset]);
+ BN_bn2bin(n, &pub[offset]);
 offset += len;
- len = BN_num_bytes(key->e);
- b = BN_num_bits(key->e);
+ len = BN_num_bytes(e);
+ b = BN_num_bits(e);
 pub[offset++] = b >> 8;
 pub[offset++] = b & 0xff;
- BN_bn2bin(key->e, &pub[offset]);
+ BN_bn2bin(e, &pub[offset]);
 offset += len;
 return offset; ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api 2018-01-27 6:23 ` James Bottomley @ 2018-01-28 5:07 ` Mimi Zohar 2018-01-28 16:37 ` James Bottomley 0 siblings, 1 reply; 4+ messages in thread From: Mimi Zohar @ 2018-01-28 5:07 UTC (permalink / raw) To: James Bottomley, Bruno E. O. Meneguele, dmitry.kasatkin, jarkko.sakkinen Cc: linux-integrity On Fri, 2018-01-26 at 22:23 -0800, James Bottomley wrote: > On Thu, 2017-12-07 at 17:05 -0200, Bruno E. O. Meneguele wrote: > > This patch adds and changes the points needed to support the new > > OpenSSL > > 1.1 API, considering the older one, OpenSSL 1.0.z, will be dropped by > > the major distros in following releases. > > This would break compilation on every 1.0 distro: > > gcc -DHAVE_CONFIG_H -I. -I.. -I.. -include config.h -g -O2 -g -O1 > -Wall -Wstrict-prototypes -pipe -MT evmctl-evmctl.o -MD -MP -MF > .deps/evmctl-evmctl.Tpo -c -o evmctl-evmctl.o `test -f 'evmctl.c' || > echo './'`evmctl.c > evmctl.c: In function 'calc_evm_hash': > evmctl.c:369:2: warning: implicit declaration of function > 'EVP_MD_CTX_new' [-Wimplicit-function-declaration] > ctx = EVP_MD_CTX_new(); > ... > > Unfortunately you have to ifdef the compilations if you want it to work > on both 1.0 and 1.1. > > How about this? Thanks, James. It compiles and works with both libraries now. Mimi > --- > > diff --git a/src/evmctl.c b/src/evmctl.c > index c54efbb..6471404 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > struct stat st; > int err; > uint32_t generation = 0; > - EVP_MD_CTX ctx; > + EVP_MD_CTX *pctx; > unsigned int mdlen; > char **xattrname; > char xattr_value[1024]; 
> @@ -323,6 +323,12 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > char uuid[16]; > struct h_misc_64 hmac_misc; > int hmac_size; > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + EVP_MD_CTX ctx; > + pctx = &ctx; > +#else > + pctx = EVP_MD_CTX_new(); > +#endif > > if (lstat(file, &st)) { > log_err("Failed to stat: %s\n", file); > @@ -366,7 +372,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > return -1; > } > > - err = EVP_DigestInit(&ctx, EVP_sha1()); > + err = EVP_DigestInit(pctx, EVP_sha1()); > if (!err) { > log_err("EVP_DigestInit() failed\n"); > return 1; > @@ -398,7 +404,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ > log_info("name: %s, size: %d\n", *xattrname, err); > log_debug_dump(xattr_value, err); > - err = EVP_DigestUpdate(&ctx, xattr_value, err); > + err = EVP_DigestUpdate(pctx, xattr_value, err); > if (!err) { > log_err("EVP_DigestUpdate() failed\n"); > return 1; > @@ -446,7 +452,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > log_debug("hmac_misc (%d): ", hmac_size); > log_debug_dump(&hmac_misc, hmac_size); > > - err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size); > + err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); > if (!err) { > log_err("EVP_DigestUpdate() failed\n"); > return 1; > @@ -457,14 +463,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > if (err) > return -1; > > - err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid)); > + err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid)); > if (!err) { > log_err("EVP_DigestUpdate() failed\n"); > return 1; > } > } > > - err = EVP_DigestFinal(&ctx, hash, &mdlen); > + err = EVP_DigestFinal(pctx, hash, &mdlen); > if (!err) { > log_err("EVP_DigestFinal() failed\n"); > return 1; 
> @@ -908,7 +914,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > struct stat st; > int err = -1; > uint32_t generation = 0; > - HMAC_CTX ctx; > + HMAC_CTX *pctx; > unsigned int mdlen; > char **xattrname; > unsigned char xattr_value[1024]; > @@ -919,6 +925,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > ssize_t list_size; > struct h_misc_64 hmac_misc; > int hmac_size; > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + HMAC_CTX ctx; > + pctx = &ctx; > +#else > + pctx = HMAC_CTX_new(); > +#endif > > key = file2bin(keyfile, NULL, &keylen); > if (!key) { > @@ -965,7 +977,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > goto out; > } > > - err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1()); > + err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL); > if (err) { > log_err("HMAC_Init() failed\n"); > goto out; > @@ -984,7 +996,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ > log_info("name: %s, size: %d\n", *xattrname, err); > log_debug_dump(xattr_value, err); > - err = !HMAC_Update(&ctx, xattr_value, err); > + err = !HMAC_Update(pctx, xattr_value, err); > if (err) { > log_err("HMAC_Update() failed\n"); > goto out_ctx_cleanup; 
> @@ -1025,16 +1037,20 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > log_debug("hmac_misc (%d): ", hmac_size); > log_debug_dump(&hmac_misc, hmac_size); > > - err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size); > + err = !HMAC_Update(pctx, (const unsigned char *)&hmac_misc, hmac_size); > if (err) { > log_err("HMAC_Update() failed\n"); > goto out_ctx_cleanup; > } > - err = !HMAC_Final(&ctx, hash, &mdlen); > + err = !HMAC_Final(pctx, hash, &mdlen); > if (err) > log_err("HMAC_Final() failed\n"); > out_ctx_cleanup: > - HMAC_CTX_cleanup(&ctx); > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + HMAC_CTX_cleanup(pctx); > +#else > + HMAC_CTX_free(pctx); > +#endif > out: > free(key); > return err ?: mdlen; > diff --git a/src/libimaevm.c b/src/libimaevm.c > index eedffb4..fd1bde6 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -271,9 +271,15 @@ int ima_calc_hash(const char *file, uint8_t *hash) > { > const EVP_MD *md; > struct stat st; > - EVP_MD_CTX ctx; > + EVP_MD_CTX *pctx; > unsigned int mdlen; > int err; > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + EVP_MD_CTX ctx; > + pctx = &ctx; > +#else > + pctx = EVP_MD_CTX_new(); > +#endif > > /* Need to know the file length */ > err = lstat(file, &st); > @@ -288,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) > return 1; > } > > - err = EVP_DigestInit(&ctx, md); > + err = EVP_DigestInit(pctx, md); > if (!err) { > log_err("EVP_DigestInit() failed\n"); > return 1; 
> @@ -296,17 +302,17 @@ int ima_calc_hash(const char *file, uint8_t *hash) > > switch (st.st_mode & S_IFMT) { > case S_IFREG: > - err = add_file_hash(file, &ctx); > + err = add_file_hash(file, pctx); > break; > case S_IFDIR: > - err = add_dir_hash(file, &ctx); > + err = add_dir_hash(file, pctx); > break; > case S_IFLNK: > - err = add_link_hash(file, &ctx); > + err = add_link_hash(file, pctx); > break; > case S_IFIFO: case S_IFSOCK: > case S_IFCHR: case S_IFBLK: > - err = add_dev_hash(&st, &ctx); > + err = add_dev_hash(&st, pctx); > break; > default: > log_errno("Unsupported file type"); > @@ -316,7 +322,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) > if (err) > return err; > > - err = EVP_DigestFinal(&ctx, hash, &mdlen); > + err = EVP_DigestFinal(pctx, hash, &mdlen); > if (!err) { > log_err("EVP_DigestFinal() failed\n"); > return 1; > @@ -549,6 +555,14 @@ int key2bin(RSA *key, unsigned char *pub) > { > int len, b, offset = 0; > struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; > + const BIGNUM *n, *e; > + > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + n = key->n; > + e = key->e; > +#else > + RSA_get0_key(key, &n, &e, NULL); > +#endif > > /* add key header */ > pkh->version = 1; > @@ -558,18 +572,18 @@ int key2bin(RSA *key, unsigned char *pub) > > offset += sizeof(*pkh); > > - len = BN_num_bytes(key->n); > - b = BN_num_bits(key->n); > + len = BN_num_bytes(n); > + b = BN_num_bits(n); > pub[offset++] = b >> 8; > pub[offset++] = b & 0xff; > - BN_bn2bin(key->n, &pub[offset]); > + BN_bn2bin(n, &pub[offset]); > offset += len; > > - len = BN_num_bytes(key->e); > - b = BN_num_bits(key->e); > + len = BN_num_bytes(e); > + b = BN_num_bits(e); > pub[offset++] = b >> 8; > pub[offset++] = b & 0xff; > - BN_bn2bin(key->e, &pub[offset]); > + BN_bn2bin(e, &pub[offset]); > offset += len; > > return offset; > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ima-evm-utils: migrate to the new openssl 1.1 api 2018-01-28 5:07 ` Mimi Zohar @ 2018-01-28 16:37 ` James Bottomley 0 siblings, 0 replies; 4+ messages in thread From: James Bottomley @ 2018-01-28 16:37 UTC (permalink / raw) To: Mimi Zohar, Bruno E. O. Meneguele, dmitry.kasatkin, jarkko.sakkinen Cc: linux-integrity On Sun, 2018-01-28 at 00:07 -0500, Mimi Zohar wrote: > On Fri, 2018-01-26 at 22:23 -0800, James Bottomley wrote: > > > > On Thu, 2017-12-07 at 17:05 -0200, Bruno E. O. Meneguele wrote: > > > > > > This patch adds and changes the points needed to support the new > > > OpenSSL 1.1 API, considering the older one, OpenSSL 1.0.z, will > > > be dropped by the major distros in following releases. > > > > This would break compilation on every 1.0 distro: > > > > gcc -DHAVE_CONFIG_H -I. -I.. -I.. -include config.h -g -O2 -g > > -O1 > > -Wall -Wstrict-prototypes -pipe -MT evmctl-evmctl.o -MD -MP -MF > > .deps/evmctl-evmctl.Tpo -c -o evmctl-evmctl.o `test -f 'evmctl.c' > > || > > echo './'`evmctl.c > > evmctl.c: In function 'calc_evm_hash': > > evmctl.c:369:2: warning: implicit declaration of function > > 'EVP_MD_CTX_new' [-Wimplicit-function-declaration] > > ctx = EVP_MD_CTX_new(); > > ... > > > > Unfortunately you have to ifdef the compilations if you want it to > > work on both 1.0 and 1.1. > > > > How about this? > > Thanks, James. It compiles and works with both libraries now. Great, thanks for testing (I only compile tested). I'll send this as a formal patch with your tested by. James ^ permalink raw reply [flat|nested] 4+ messages in thread