Merge lp:~jelle-vdwaa/ecryptfs/ecryptfs into lp:ecryptfs

Proposed by Jelle van der Waa on 2017-03-13
Status: Merged
Merged at revision: 890
Proposed branch: lp:~jelle-vdwaa/ecryptfs/ecryptfs
Merge into: lp:ecryptfs
Diff against target: 165 lines (+52/-8)
2 files modified
src/key_mod/ecryptfs_key_mod_openssl.c (+25/-4)
src/key_mod/ecryptfs_key_mod_pkcs11_helper.c (+27/-4)
To merge this branch: bzr merge lp:~jelle-vdwaa/ecryptfs/ecryptfs
Reviewer Review Type Date Requested Status
Tyler Hicks 2017-03-13 Approve on 2017-06-08
Raphael Groner (community) Approve on 2017-06-04
Review via email: mp+319746@code.launchpad.net

Description of the Change

Make ecryptfs compile with OpenSSL 1.1.x

lp:~jelle-vdwaa/ecryptfs/ecryptfs updated on 2017-06-02
886. By Jason Xing on 2017-05-25

libecryptfs: Handle '=' characters in mount option string values

Users cannot mount ecryptfs with "-o passphrase_passwd_file=mykey" (<mykey> is
"passwd=123=abc") or "-o passwd=123=abc". Because the passphrase user uses
includes "=" character.

Because in the manner of process_comma_tok() function, ecryptfs will store
"passwd=123" as the @current->name and "abc" as @current->value. That will go
wrong when we go into tf_pass_file() function because it cannot match the name
"passphrase_passwd" or "passwd".

Add two lines in process_comma_tok() to change that case. If we match one "="
character in the string, we don't need to loop and match another "=" again.

887. By Tyler Hicks on 2017-05-25

Add Jason's mount option parser fix to debian/changelog

888. By Jelle van der Waa on 2017-06-02

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

CRYPTO_malloc_init has been removed from OpenSSL 1.1.x since the library
calls this routine by itself.

889. By Jelle van der Waa on 2017-06-02

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

EVP_PKEY structure has been made opaque, use EVP_PKEY_base_id
to get the type.

Raphael Groner (projects-rg) wrote :

My vote goes to apply this patch. It fixes the issue for me.

review: Approve
Tyler Hicks (tyhicks) wrote :

This looks good to me. Thanks for the patches!

review: Approve

Preview Diff

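--- a/src/key_mod/ecryptfs_key_mod_openssl.c
+++ b/src/key_mod/ecryptfs_key_mod_openssl.c
@@ -41,6 +41,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <libgen.h>
+#include <openssl/bn.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/err.h>
@@ -55,6 +56,19 @@
 char *passphrase;
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void RSA_get0_key(const RSA *r,
+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = r->n;
+ if (e != NULL)
+ *e = r->e;
+ if (d != NULL)
+ *d = r->d;
+}
+#endif
+
 static void
 ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)
 {
@@ -142,6 +156,7 @@
 {
 int len, nbits, ebits, i;
 int nbytes, ebytes;
+ const BIGNUM *key_n, *key_e;
 unsigned char *hash;
 unsigned char *data = NULL;
 int rc = 0;
@@ -152,11 +167,13 @@
 rc = -ENOMEM;
 goto out;
 }
- nbits = BN_num_bits(key->n);
+ RSA_get0_key(key, &key_n, NULL, NULL);
+ nbits = BN_num_bits(key_n);
 nbytes = nbits / 8;
 if (nbits % 8)
 nbytes++;
- ebits = BN_num_bits(key->e);
+ RSA_get0_key(key, NULL, &key_e, NULL);
+ ebits = BN_num_bits(key_e);
 ebytes = ebits / 8;
 if (ebits % 8)
 ebytes++;
@@ -179,11 +196,13 @@
 data[i++] = '\02';
 data[i++] = (nbits >> 8);
 data[i++] = nbits;
- BN_bn2bin(key->n, &(data[i]));
+ RSA_get0_key(key, &key_n, NULL, NULL);
+ BN_bn2bin(key_n, &(data[i]));
 i += nbytes;
 data[i++] = (ebits >> 8);
 data[i++] = ebits;
- BN_bn2bin(key->e, &(data[i]));
+ RSA_get0_key(key, NULL, &key_e, NULL);
+ BN_bn2bin(key_e, &(data[i]));
 i += ebytes;
 SHA1(data, len + 3, hash);
 to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
@@ -278,7 +297,9 @@
 BIO *in = NULL;
 int rc;
 
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
 CRYPTO_malloc_init();
+ #endif
 ERR_load_crypto_strings();
 OpenSSL_add_all_algorithms();
 ENGINE_load_builtin_engines();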
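Review bot: In the signature hunks, `key_n` and `key_e` go straight into `BN_num_bits()` and `BN_bn2bin()` with no NULL check, and `RSA_get0_key()` is called four times where one call would do. The accessor hands back whatever the RSA object holds, so a key without a modulus or exponent would crash here; the old `key->n` / `key->e` reads had the same gap, and whether such a key can reach this function is not visible in the hunk. A single `RSA_get0_key(key, &key_n, &key_e, NULL);` after the allocation check, followed by `if (key_n == NULL || key_e == NULL) { rc = -EINVAL; goto out; }`, fetches both once and keeps the size computation and the later writes on the same pointers. The same pattern appears with `rsa_n` / `rsa_e` in the two signature hunks of ecryptfs_key_mod_pkcs11_helper.c. The enclosing function starts and ends outside the hunks.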
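--- a/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
+++ b/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
@@ -41,6 +41,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
@@ -77,6 +78,19 @@
 typedef const unsigned char *__pkcs11_openssl_d2i_t;
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void RSA_get0_key(const RSA *r,
+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = r->n;
+ if (e != NULL)
+ *e = r->e;
+ if (d != NULL)
+ *d = r->d;
+}
+#endif
+
 /**
 * ecryptfs_pkcs11h_deserialize
 * @pkcs11h_data: The deserialized version of the key module data;
@@ -282,7 +296,11 @@
 goto out;
 }
 
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (pubkey->type != EVP_PKEY_RSA) {
+ #else
+ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
+ #endif
 syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
 rc = -EIO;
 goto out;
@@ -318,6 +336,7 @@
 int nbytes, ebytes;
 char *hash = NULL;
 char *data = NULL;
+ const BIGNUM *rsa_n, *rsa_e;
 int rc;
 
 if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
@@ -331,11 +350,13 @@
 rc = -ENOMEM;
 goto out;
 }
- nbits = BN_num_bits(rsa->n);
+ RSA_get0_key(rsa, &rsa_n, NULL, NULL);
+ nbits = BN_num_bits(rsa_n);
 nbytes = nbits / 8;
 if (nbits % 8)
 nbytes++;
- ebits = BN_num_bits(rsa->e);
+ RSA_get0_key(rsa, NULL, &rsa_e, NULL);
+ ebits = BN_num_bits(rsa_e);
 ebytes = ebits / 8;
 if (ebits % 8)
 ebytes++;
@@ -358,11 +379,13 @@
 data[i++] = '\02';
 data[i++] = (char)(nbits >> 8);
 data[i++] = (char)nbits;
- BN_bn2bin(rsa->n, &(data[i]));
+ RSA_get0_key(rsa, &rsa_n, NULL, NULL);
+ BN_bn2bin(rsa_n, &(data[i]));
 i += nbytes;
 data[i++] = (char)(ebits >> 8);
 data[i++] = (char)ebits;
- BN_bn2bin(rsa->e, &(data[i]));
+ RSA_get0_key(rsa, NULL, &rsa_e, NULL);
+ BN_bn2bin(rsa_e, &(data[i]));
 i += ebytes;
 SHA1(data, len + 3, hash);
 to_hex(sig, hash, ECRYPTFS_SIG_SIZE);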
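Review bot: The `#if`/`#else` around the public-key algorithm check splits the `if (...) {` opener across two preprocessor branches, so each build compiles only one of them and a later edit to the block can easily break the other. `EVP_PKEY_base_id()` has, as far as I know, been available since OpenSSL 1.0.0, so unless pre-1.0.0 builds are still supported the check could read `if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {` unconditionally. The `RSA_get0_key()` shim added near the top is a verbatim copy of the one in ecryptfs_key_mod_openssl.c; a shared private header would keep the two copies from drifting. The function containing the type check starts and ends outside the hunk.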
