Merge pull request #20876 from poettering/openssl3-creds

creds-util: switch to OpenSSL 3.0 APIs
Yu Watanabe 2021-09-30 04:01:57 +09:00 committed by GitHub
commit 200f77f933
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 14 deletions


@ -31,9 +31,6 @@ actions:
# [0] https://github.com/mesonbuild/meson/issues/7360
# [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
# FIXME: temporarily disable the deprecated-declarations check to suppress
# OpenSSL 3.0 warnings in Rawhide
- 'sed -i "1 i %global optflags %{optflags} -Wno-deprecated-declarations" .packit_rpm/systemd.spec'
jobs:
- job: copr_build


@ -401,7 +401,8 @@ static int sha256_hash_host_and_tpm2_key(
size_t tpm2_key_size,
uint8_t ret[static SHA256_DIGEST_LENGTH]) {
SHA256_CTX sha256_context;
_cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
unsigned l;
assert(host_key_size == 0 || host_key);
assert(tpm2_key_size == 0 || tpm2_key);
@ -409,18 +410,25 @@ static int sha256_hash_host_and_tpm2_key(
/* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
if (SHA256_Init(&sha256_context) != 1)
md = EVP_MD_CTX_new();
if (!md)
return log_oom();
if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
if (SHA256_Final(ret, &sha256_context) != 1)
assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
if (EVP_DigestFinal_ex(md, ret, &l) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
assert(l == SHA256_DIGEST_LENGTH);
return 0;
}
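Review bot: The only thing keeping `EVP_DigestFinal_ex()` from writing past the fixed 32-byte `ret` buffer is the new `assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH)`, which disappears in any build that compiles asserts out; with the digest pinned to `EVP_sha256()` it cannot trip today, but the code would overflow silently if the algorithm ever became a parameter. A hard check costs nothing here: `if (EVP_MD_CTX_size(md) != SHA256_DIGEST_LENGTH) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unexpected digest size.");` in place of that assert, keeping the post-final `assert(l == SHA256_DIGEST_LENGTH)` as a sanity check. The new `EVP_DigestInit_ex()` condition now reports through the unchanged message "Failed to initial SHA256 context." — "initialize". A one-line comment on the `_cleanup_(EVP_MD_CTX_freep)` declaration would help the next reader, since the context holds the host and TPM2 key material and freeing it on every exit path (which OpenSSL's context reset presumably clears — confirm for the OpenSSL version in use) is what replaces the old stack `SHA256_CTX` being cleansed by `SHA256_Final()`. Both hunks sit inside sha256_hash_host_and_tpm2_key(), whose signature starts before the first hunk.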


@ -46,7 +46,6 @@ int rsa_pkey_to_suitable_key_size(
size_t *ret_suitable_key_size) {
size_t suitable_key_size;
const RSA *rsa;
int bits;
assert_se(pkey);
@ -58,11 +57,7 @@ int rsa_pkey_to_suitable_key_size(
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
rsa = EVP_PKEY_get0_RSA(pkey);
if (!rsa)
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
bits = RSA_bits(rsa);
bits = EVP_PKEY_bits(pkey);
log_debug("Bits in RSA key: %i", bits);
/* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
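Review bot: The removed `EVP_PKEY_get0_RSA()` NULL check was the only explicit error path in this stretch, and its replacement `bits = EVP_PKEY_bits(pkey);` has none: OpenSSL documents that the call returns 0 when the bit length is not available, so a key that previously produced EIO now flows into the key-size computation with `bits == 0`. Unless the code after the hunk already rejects a non-positive value, add `if (bits <= 0) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine RSA key size.");` directly after the assignment, before the `log_debug()` line. rsa_pkey_to_suitable_key_size() continues past the end of the hunk, so whatever check follows is not visible here.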


@ -17,6 +17,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
if (!sk || !*sk)