Merge lp:~jelle-vdwaa/ecryptfs/ecryptfs into lp:ecryptfs

Proposed by Jelle van der Waa
Status: Merged
Merged at revision: 890
Proposed branch: lp:~jelle-vdwaa/ecryptfs/ecryptfs
Merge into: lp:ecryptfs
Diff against target: 165 lines (+52/-8)
2 files modified
src/key_mod/ecryptfs_key_mod_openssl.c (+25/-4)
src/key_mod/ecryptfs_key_mod_pkcs11_helper.c (+27/-4)
To merge this branch: bzr merge lp:~jelle-vdwaa/ecryptfs/ecryptfs
Reviewer Review Type Date Requested Status
Tyler Hicks Approve
Raphael Groner (community) Approve
Review via email: mp+319746@code.launchpad.net

Description of the change

Make ecryptfs compile with OpenSSL 1.1.x

To post a comment you must log in.
lp:~jelle-vdwaa/ecryptfs/ecryptfs updated
886. By Jason Xing

libecryptfs: Handle '=' characters in mount option string values

Users cannot mount ecryptfs with "-o passphrase_passwd_file=mykey" (<mykey> is
"passwd=123=abc") or "-o passwd=123=abc". Because the passphrase user uses
includes "=" character.

Because in the manner of process_comma_tok() function, ecryptfs will store
"passwd=123" as the @current->name and "abc" as @current->value. That will go
wrong when we go into tf_pass_file() function because it cannot match the name
"passphrase_passwd" or "passwd".

Add two lines in process_comma_tok() to change that case. If we match one "="
character in the string, we don't need to loop and match another "=" again.

887. By Tyler Hicks

Add Jason's mount option parser fix to debian/changelog

888. By Jelle van der Waa

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

CRYPTO_malloc_init has been removed from OpenSSL 1.1.x since the library
calls this routine by itself.

889. By Jelle van der Waa

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

EVP_PKEY structure has been made opaque, use EVP_PKEY_base_id
to get the type.

Revision history for this message
Raphael Groner (projects-rg) wrote :

My vote goes to apply this patch. It fixes the issue for me.

review: Approve
Revision history for this message
Tyler Hicks (tyhicks) wrote :

This looks good to me. Thanks for the patches!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c'
--- src/key_mod/ecryptfs_key_mod_openssl.c 2013-10-25 19:45:09 +0000
+++ src/key_mod/ecryptfs_key_mod_openssl.c 2017-06-02 18:27:28 +0000
@@ -41,6 +41,7 @@
41#include <stdlib.h>41#include <stdlib.h>
42#include <unistd.h>42#include <unistd.h>
43#include <libgen.h>43#include <libgen.h>
44#include <openssl/bn.h>
44#include <openssl/pem.h>45#include <openssl/pem.h>
45#include <openssl/rsa.h>46#include <openssl/rsa.h>
46#include <openssl/err.h>47#include <openssl/err.h>
@@ -55,6 +56,19 @@
55 char *passphrase;56 char *passphrase;
56};57};
5758
59#if OPENSSL_VERSION_NUMBER < 0x10100000L
60static void RSA_get0_key(const RSA *r,
61 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
62{
63 if (n != NULL)
64 *n = r->n;
65 if (e != NULL)
66 *e = r->e;
67 if (d != NULL)
68 *d = r->d;
69}
70#endif
71
58static void72static void
59ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)73ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)
60{74{
@@ -142,6 +156,7 @@
142{156{
143 int len, nbits, ebits, i;157 int len, nbits, ebits, i;
144 int nbytes, ebytes;158 int nbytes, ebytes;
159 const BIGNUM *key_n, *key_e;
145 unsigned char *hash;160 unsigned char *hash;
146 unsigned char *data = NULL;161 unsigned char *data = NULL;
147 int rc = 0;162 int rc = 0;
@@ -152,11 +167,13 @@
152 rc = -ENOMEM;167 rc = -ENOMEM;
153 goto out;168 goto out;
154 }169 }
155 nbits = BN_num_bits(key->n);170 RSA_get0_key(key, &key_n, NULL, NULL);
171 nbits = BN_num_bits(key_n);
156 nbytes = nbits / 8;172 nbytes = nbits / 8;
157 if (nbits % 8)173 if (nbits % 8)
158 nbytes++;174 nbytes++;
159 ebits = BN_num_bits(key->e);175 RSA_get0_key(key, NULL, &key_e, NULL);
176 ebits = BN_num_bits(key_e);
160 ebytes = ebits / 8;177 ebytes = ebits / 8;
161 if (ebits % 8)178 if (ebits % 8)
162 ebytes++;179 ebytes++;
@@ -179,11 +196,13 @@
179 data[i++] = '\02';196 data[i++] = '\02';
180 data[i++] = (nbits >> 8);197 data[i++] = (nbits >> 8);
181 data[i++] = nbits;198 data[i++] = nbits;
182 BN_bn2bin(key->n, &(data[i]));199 RSA_get0_key(key, &key_n, NULL, NULL);
200 BN_bn2bin(key_n, &(data[i]));
183 i += nbytes;201 i += nbytes;
184 data[i++] = (ebits >> 8);202 data[i++] = (ebits >> 8);
185 data[i++] = ebits;203 data[i++] = ebits;
186 BN_bn2bin(key->e, &(data[i]));204 RSA_get0_key(key, NULL, &key_e, NULL);
205 BN_bn2bin(key_e, &(data[i]));
187 i += ebytes;206 i += ebytes;
188 SHA1(data, len + 3, hash);207 SHA1(data, len + 3, hash);
189 to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);208 to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
@@ -278,7 +297,9 @@
278 BIO *in = NULL;297 BIO *in = NULL;
279 int rc;298 int rc;
280299
300 #if OPENSSL_VERSION_NUMBER < 0x10100000L
281 CRYPTO_malloc_init();301 CRYPTO_malloc_init();
302 #endif
282 ERR_load_crypto_strings();303 ERR_load_crypto_strings();
283 OpenSSL_add_all_algorithms();304 OpenSSL_add_all_algorithms();
284 ENGINE_load_builtin_engines();305 ENGINE_load_builtin_engines();
285306
=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c'
--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2013-10-25 19:45:09 +0000
+++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2017-06-02 18:27:28 +0000
@@ -41,6 +41,7 @@
41#include <errno.h>41#include <errno.h>
42#include <stdlib.h>42#include <stdlib.h>
43#include <unistd.h>43#include <unistd.h>
44#include <openssl/bn.h>
44#include <openssl/err.h>45#include <openssl/err.h>
45#include <openssl/pem.h>46#include <openssl/pem.h>
46#include <openssl/x509.h>47#include <openssl/x509.h>
@@ -77,6 +78,19 @@
77typedef const unsigned char *__pkcs11_openssl_d2i_t;78typedef const unsigned char *__pkcs11_openssl_d2i_t;
78#endif79#endif
7980
81#if OPENSSL_VERSION_NUMBER < 0x10100000L
82static void RSA_get0_key(const RSA *r,
83 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
84{
85 if (n != NULL)
86 *n = r->n;
87 if (e != NULL)
88 *e = r->e;
89 if (d != NULL)
90 *d = r->d;
91}
92#endif
93
80/**94/**
81 * ecryptfs_pkcs11h_deserialize95 * ecryptfs_pkcs11h_deserialize
82 * @pkcs11h_data: The deserialized version of the key module data;96 * @pkcs11h_data: The deserialized version of the key module data;
@@ -282,7 +296,11 @@
282 goto out;296 goto out;
283 }297 }
284 298
299 #if OPENSSL_VERSION_NUMBER < 0x10100000L
285 if (pubkey->type != EVP_PKEY_RSA) {300 if (pubkey->type != EVP_PKEY_RSA) {
301 #else
302 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
303 #endif
286 syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");304 syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
287 rc = -EIO;305 rc = -EIO;
288 goto out;306 goto out;
@@ -318,6 +336,7 @@
318 int nbytes, ebytes;336 int nbytes, ebytes;
319 char *hash = NULL;337 char *hash = NULL;
320 char *data = NULL;338 char *data = NULL;
339 const BIGNUM *rsa_n, *rsa_e;
321 int rc;340 int rc;
322341
323 if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {342 if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
@@ -331,11 +350,13 @@
331 rc = -ENOMEM;350 rc = -ENOMEM;
332 goto out;351 goto out;
333 }352 }
334 nbits = BN_num_bits(rsa->n);353 RSA_get0_key(rsa, &rsa_n, NULL, NULL);
354 nbits = BN_num_bits(rsa_n);
335 nbytes = nbits / 8;355 nbytes = nbits / 8;
336 if (nbits % 8)356 if (nbits % 8)
337 nbytes++;357 nbytes++;
338 ebits = BN_num_bits(rsa->e);358 RSA_get0_key(rsa, NULL, &rsa_e, NULL);
359 ebits = BN_num_bits(rsa_e);
339 ebytes = ebits / 8;360 ebytes = ebits / 8;
340 if (ebits % 8)361 if (ebits % 8)
341 ebytes++;362 ebytes++;
@@ -358,11 +379,13 @@
358 data[i++] = '\02';379 data[i++] = '\02';
359 data[i++] = (char)(nbits >> 8);380 data[i++] = (char)(nbits >> 8);
360 data[i++] = (char)nbits;381 data[i++] = (char)nbits;
361 BN_bn2bin(rsa->n, &(data[i]));382 RSA_get0_key(rsa, &rsa_n, NULL, NULL);
383 BN_bn2bin(rsa_n, &(data[i]));
362 i += nbytes;384 i += nbytes;
363 data[i++] = (char)(ebits >> 8);385 data[i++] = (char)(ebits >> 8);
364 data[i++] = (char)ebits;386 data[i++] = (char)ebits;
365 BN_bn2bin(rsa->e, &(data[i]));387 RSA_get0_key(rsa, NULL, &rsa_e, NULL);
388 BN_bn2bin(rsa_e, &(data[i]));
366 i += ebytes;389 i += ebytes;
367 SHA1(data, len + 3, hash);390 SHA1(data, len + 3, hash);
368 to_hex(sig, hash, ECRYPTFS_SIG_SIZE);391 to_hex(sig, hash, ECRYPTFS_SIG_SIZE);

Subscribers

People subscribed via source and target branches