eCryptfs

Merge lp:~jelle-vdwaa/ecryptfs/ecryptfs into lp:ecryptfs

ecryptfs
Merge into trunk

Proposed by Jelle van der Waa on 2017-03-13

Status:	Merged
Merged at revision:	890
Proposed branch:	lp:~jelle-vdwaa/ecryptfs/ecryptfs
Merge into:	lp:ecryptfs
Diff against target:	165 lines (+52/-8) 2 files modified src/key_mod/ecryptfs_key_mod_openssl.c (+25/-4) src/key_mod/ecryptfs_key_mod_pkcs11_helper.c (+27/-4)
To merge this branch:	bzr merge lp:~jelle-vdwaa/ecryptfs/ecryptfs
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Tyler Hicks	2017-03-13	Approve on 2017-06-08
Raphael Groner (community)		Approve on 2017-06-04
Review via email: mp+319746@code.launchpad.net

Description of the change

Make ecryptfs compile with OpenSSL 1.1.x

lp:~jelle-vdwaa/ecryptfs/ecryptfs updated on 2017-06-02

886. By Jason Xing on 2017-05-25

libecryptfs: Handle '=' characters in mount option string values

Users cannot mount ecryptfs with "-o passphrase_passwd_file=mykey" (<mykey> is
"passwd=123=abc") or "-o passwd=123=abc". Because the passphrase user uses
includes "=" character.

Because in the manner of process_comma_tok() function, ecryptfs will store
"passwd=123" as the @current->name and "abc" as @current->value. That will go
wrong when we go into tf_pass_file() function because it cannot match the name
"passphrase_passwd" or "passwd".

Add two lines in process_comma_tok() to change that case. If we match one "="
character in the string, we don't need to loop and match another "=" again.

887. By Tyler Hicks on 2017-05-25

Add Jason's mount option parser fix to debian/changelog

888. By Jelle van der Waa on 2017-06-02

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

CRYPTO_malloc_init has been removed from OpenSSL 1.1.x since the library
calls this routine by itself.

889. By Jelle van der Waa on 2017-06-02

Fix build with OpenSSL 1.1.x

The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

EVP_PKEY structure has been made opaque, use EVP_PKEY_base_id
to get the type.

Revision history for this message

Raphael Groner (projects-rg) wrote on 2017-06-04:

My vote goes to apply this patch. It fixes the issue for me.

review: Approve

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-06-08:

This looks good to me. Thanks for the patches!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Grzegorz Tymendorf

Jason Xing

Jelle van der Waa

Morty Smith

Sylvain

Tyler Hicks

dingjingmaster

eCryptfs

1	=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c'
2	--- src/key_mod/ecryptfs_key_mod_openssl.c 2013-10-25 19:45:09 +0000
3	+++ src/key_mod/ecryptfs_key_mod_openssl.c 2017-06-02 18:27:28 +0000
4	@@ -41,6 +41,7 @@
5	#include <stdlib.h>
6	#include <unistd.h>
7	#include <libgen.h>
8	+#include <openssl/bn.h>
9	#include <openssl/pem.h>
10	#include <openssl/rsa.h>
11	#include <openssl/err.h>
12	@@ -55,6 +56,19 @@
13	char *passphrase;
14	};
15
16	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
17	+static void RSA_get0_key(const RSA *r,
18	+ const BIGNUM n, const BIGNUM e, const BIGNUM **d)
19	+{
20	+ if (n != NULL)
21	+ *n = r->n;
22	+ if (e != NULL)
23	+ *e = r->e;
24	+ if (d != NULL)
25	+ *d = r->d;
26	+}
27	+#endif
28	+
29	static void
30	ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)
31	{
32	@@ -142,6 +156,7 @@
33	{
34	int len, nbits, ebits, i;
35	int nbytes, ebytes;
36	+ const BIGNUM key_n, key_e;
37	unsigned char *hash;
38	unsigned char *data = NULL;
39	int rc = 0;
40	@@ -152,11 +167,13 @@
41	rc = -ENOMEM;
42	goto out;
43	}
44	- nbits = BN_num_bits(key->n);
45	+ RSA_get0_key(key, &key_n, NULL, NULL);
46	+ nbits = BN_num_bits(key_n);
47	nbytes = nbits / 8;
48	if (nbits % 8)
49	nbytes++;
50	- ebits = BN_num_bits(key->e);
51	+ RSA_get0_key(key, NULL, &key_e, NULL);
52	+ ebits = BN_num_bits(key_e);
53	ebytes = ebits / 8;
54	if (ebits % 8)
55	ebytes++;
56	@@ -179,11 +196,13 @@
57	data[i++] = '\02';
58	data[i++] = (nbits >> 8);
59	data[i++] = nbits;
60	- BN_bn2bin(key->n, &(data[i]));
61	+ RSA_get0_key(key, &key_n, NULL, NULL);
62	+ BN_bn2bin(key_n, &(data[i]));
63	i += nbytes;
64	data[i++] = (ebits >> 8);
65	data[i++] = ebits;
66	- BN_bn2bin(key->e, &(data[i]));
67	+ RSA_get0_key(key, NULL, &key_e, NULL);
68	+ BN_bn2bin(key_e, &(data[i]));
69	i += ebytes;
70	SHA1(data, len + 3, hash);
71	to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
72	@@ -278,7 +297,9 @@
73	BIO *in = NULL;
74	int rc;
75
76	+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
77	CRYPTO_malloc_init();
78	+ #endif
79	ERR_load_crypto_strings();
80	OpenSSL_add_all_algorithms();
81	ENGINE_load_builtin_engines();
82
83	=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c'
84	--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2013-10-25 19:45:09 +0000
85	+++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2017-06-02 18:27:28 +0000
86	@@ -41,6 +41,7 @@
87	#include <errno.h>
88	#include <stdlib.h>
89	#include <unistd.h>
90	+#include <openssl/bn.h>
91	#include <openssl/err.h>
92	#include <openssl/pem.h>
93	#include <openssl/x509.h>
94	@@ -77,6 +78,19 @@
95	typedef const unsigned char *__pkcs11_openssl_d2i_t;
96	#endif
97
98	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
99	+static void RSA_get0_key(const RSA *r,
100	+ const BIGNUM n, const BIGNUM e, const BIGNUM **d)
101	+{
102	+ if (n != NULL)
103	+ *n = r->n;
104	+ if (e != NULL)
105	+ *e = r->e;
106	+ if (d != NULL)
107	+ *d = r->d;
108	+}
109	+#endif
110	+
111	/**
112	* ecryptfs_pkcs11h_deserialize
113	* @pkcs11h_data: The deserialized version of the key module data;
114	@@ -282,7 +296,11 @@
115	goto out;
116	}
117
118	+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
119	if (pubkey->type != EVP_PKEY_RSA) {
120	+ #else
121	+ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
122	+ #endif
123	syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
124	rc = -EIO;
125	goto out;
126	@@ -318,6 +336,7 @@
127	int nbytes, ebytes;
128	char *hash = NULL;
129	char *data = NULL;
130	+ const BIGNUM rsa_n, rsa_e;
131	int rc;
132
133	if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
134	@@ -331,11 +350,13 @@
135	rc = -ENOMEM;
136	goto out;
137	}
138	- nbits = BN_num_bits(rsa->n);
139	+ RSA_get0_key(rsa, &rsa_n, NULL, NULL);
140	+ nbits = BN_num_bits(rsa_n);
141	nbytes = nbits / 8;
142	if (nbits % 8)
143	nbytes++;
144	- ebits = BN_num_bits(rsa->e);
145	+ RSA_get0_key(rsa, NULL, &rsa_e, NULL);
146	+ ebits = BN_num_bits(rsa_e);
147	ebytes = ebits / 8;
148	if (ebits % 8)
149	ebytes++;
150	@@ -358,11 +379,13 @@
151	data[i++] = '\02';
152	data[i++] = (char)(nbits >> 8);
153	data[i++] = (char)nbits;
154	- BN_bn2bin(rsa->n, &(data[i]));
155	+ RSA_get0_key(rsa, &rsa_n, NULL, NULL);
156	+ BN_bn2bin(rsa_n, &(data[i]));
157	i += nbytes;
158	data[i++] = (char)(ebits >> 8);
159	data[i++] = (char)ebits;
160	- BN_bn2bin(rsa->e, &(data[i]));
161	+ RSA_get0_key(rsa, NULL, &rsa_e, NULL);
162	+ BN_bn2bin(rsa_e, &(data[i]));
163	i += ebytes;
164	SHA1(data, len + 3, hash);
165	to_hex(sig, hash, ECRYPTFS_SIG_SIZE);

eCryptfs

Merge lp:~jelle-vdwaa/ecryptfs/ecryptfs into lp:ecryptfs

Commit message

Description of the change

Preview Diff

Subscribers