Merge tag 'keys-next-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
Pull key updates from Jarkko Sakkinen: "The bulk of this is OpenSSL 3.0 compatibility fixes for the signing and certificates" * tag 'keys-next-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: move common SSL helper functions to a header KEYS: prevent NULL pointer dereference in find_asymmetric_key() KEYS: Remove unused declarations
This commit is contained in:
+68
-64
@@ -27,14 +27,17 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/engine.h>
|
||||
|
||||
/*
|
||||
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
||||
*
|
||||
* Remove this if/when that API is no longer used
|
||||
*/
|
||||
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
# define USE_PKCS11_PROVIDER
|
||||
# include <openssl/provider.h>
|
||||
# include <openssl/store.h>
|
||||
#else
|
||||
# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
|
||||
# define USE_PKCS11_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
# endif
|
||||
#endif
|
||||
#include "ssl-common.h"
|
||||
|
||||
/*
|
||||
* Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
|
||||
@@ -83,41 +86,6 @@ void format(void)
|
||||
exit(2);
|
||||
}
|
||||
|
||||
static void display_openssl_errors(int l)
|
||||
{
|
||||
const char *file;
|
||||
char buf[120];
|
||||
int e, line;
|
||||
|
||||
if (ERR_peek_error() == 0)
|
||||
return;
|
||||
fprintf(stderr, "At main.c:%d:\n", l);
|
||||
|
||||
while ((e = ERR_get_error_line(&file, &line))) {
|
||||
ERR_error_string(e, buf);
|
||||
fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||
}
|
||||
}
|
||||
|
||||
static void drain_openssl_errors(void)
|
||||
{
|
||||
const char *file;
|
||||
int line;
|
||||
|
||||
if (ERR_peek_error() == 0)
|
||||
return;
|
||||
while (ERR_get_error_line(&file, &line)) {}
|
||||
}
|
||||
|
||||
#define ERR(cond, fmt, ...) \
|
||||
do { \
|
||||
bool __cond = (cond); \
|
||||
display_openssl_errors(__LINE__); \
|
||||
if (__cond) { \
|
||||
errx(1, fmt, ## __VA_ARGS__); \
|
||||
} \
|
||||
} while(0)
|
||||
|
||||
static const char *key_pass;
|
||||
|
||||
static int pem_pw_cb(char *buf, int len, int w, void *v)
|
||||
@@ -139,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
|
||||
return pwlen;
|
||||
}
|
||||
|
||||
static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
|
||||
{
|
||||
EVP_PKEY *private_key = NULL;
|
||||
#ifdef USE_PKCS11_PROVIDER
|
||||
OSSL_STORE_CTX *store;
|
||||
|
||||
if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
|
||||
ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
|
||||
if (!OSSL_PROVIDER_try_load(NULL, "default", true))
|
||||
ERR(1, "OSSL_PROVIDER_try_load(default)");
|
||||
|
||||
store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
|
||||
ERR(!store, "OSSL_STORE_open");
|
||||
|
||||
while (!OSSL_STORE_eof(store)) {
|
||||
OSSL_STORE_INFO *info = OSSL_STORE_load(store);
|
||||
|
||||
if (!info) {
|
||||
drain_openssl_errors(__LINE__, 0);
|
||||
continue;
|
||||
}
|
||||
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
|
||||
private_key = OSSL_STORE_INFO_get1_PKEY(info);
|
||||
ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
|
||||
}
|
||||
OSSL_STORE_INFO_free(info);
|
||||
if (private_key)
|
||||
break;
|
||||
}
|
||||
OSSL_STORE_close(store);
|
||||
#elif defined(USE_PKCS11_ENGINE)
|
||||
ENGINE *e;
|
||||
|
||||
ENGINE_load_builtin_engines();
|
||||
drain_openssl_errors(__LINE__, 1);
|
||||
e = ENGINE_by_id("pkcs11");
|
||||
ERR(!e, "Load PKCS#11 ENGINE");
|
||||
if (ENGINE_init(e))
|
||||
drain_openssl_errors(__LINE__, 1);
|
||||
else
|
||||
ERR(1, "ENGINE_init");
|
||||
if (key_pass)
|
||||
ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
|
||||
private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
|
||||
ERR(!private_key, "%s", private_key_name);
|
||||
#else
|
||||
fprintf(stderr, "no pkcs11 engine/provider available\n");
|
||||
exit(1);
|
||||
#endif
|
||||
return private_key;
|
||||
}
|
||||
|
||||
static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||
{
|
||||
EVP_PKEY *private_key;
|
||||
|
||||
if (!strncmp(private_key_name, "pkcs11:", 7)) {
|
||||
ENGINE *e;
|
||||
|
||||
ENGINE_load_builtin_engines();
|
||||
drain_openssl_errors();
|
||||
e = ENGINE_by_id("pkcs11");
|
||||
ERR(!e, "Load PKCS#11 ENGINE");
|
||||
if (ENGINE_init(e))
|
||||
drain_openssl_errors();
|
||||
else
|
||||
ERR(1, "ENGINE_init");
|
||||
if (key_pass)
|
||||
ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
|
||||
"Set PKCS#11 PIN");
|
||||
private_key = ENGINE_load_private_key(e, private_key_name,
|
||||
NULL, NULL);
|
||||
ERR(!private_key, "%s", private_key_name);
|
||||
return read_private_key_pkcs11(private_key_name);
|
||||
} else {
|
||||
EVP_PKEY *private_key;
|
||||
BIO *b;
|
||||
|
||||
b = BIO_new_file(private_key_name, "rb");
|
||||
@@ -169,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||
NULL);
|
||||
ERR(!private_key, "%s", private_key_name);
|
||||
BIO_free(b);
|
||||
}
|
||||
|
||||
return private_key;
|
||||
return private_key;
|
||||
}
|
||||
}
|
||||
|
||||
static X509 *read_x509(const char *x509_name)
|
||||
@@ -306,7 +310,7 @@ int main(int argc, char **argv)
|
||||
|
||||
/* Digest the module data. */
|
||||
OpenSSL_add_all_digests();
|
||||
display_openssl_errors(__LINE__);
|
||||
drain_openssl_errors(__LINE__, 0);
|
||||
digest_algo = EVP_get_digestbyname(hash_algo);
|
||||
ERR(!digest_algo, "EVP_get_digestbyname");
|
||||
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||
/*
|
||||
* SSL helper functions shared by sign-file and extract-cert.
|
||||
*/
|
||||
|
||||
static void drain_openssl_errors(int l, int silent)
|
||||
{
|
||||
const char *file;
|
||||
char buf[120];
|
||||
int e, line;
|
||||
|
||||
if (ERR_peek_error() == 0)
|
||||
return;
|
||||
if (!silent)
|
||||
fprintf(stderr, "At main.c:%d:\n", l);
|
||||
|
||||
while ((e = ERR_peek_error_line(&file, &line))) {
|
||||
ERR_error_string(e, buf);
|
||||
if (!silent)
|
||||
fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||
ERR_get_error();
|
||||
}
|
||||
}
|
||||
|
||||
#define ERR(cond, fmt, ...) \
|
||||
do { \
|
||||
bool __cond = (cond); \
|
||||
drain_openssl_errors(__LINE__, 0); \
|
||||
if (__cond) { \
|
||||
errx(1, fmt, ## __VA_ARGS__); \
|
||||
} \
|
||||
} while (0)
|
||||
Reference in New Issue
Block a user