Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -132,6 +132,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( fp == NULL ) {
ERROR("Error: failed to open .pem file %s: %s\n", file,
strerror(errno));
+ fclose(fp);
return NULL;
}
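Review bot: The `fclose(fp);` added at L10 sits inside the `if ( fp == NULL )` branch, so it hands a null FILE* to fclose, which is undefined behavior and crashes on glibc; the open failed and there is nothing to close, so drop that line and keep only the `return NULL;`. The fclose additions in the later hunks of read_rsa_pubkey (L17, L24, L31, L53) are on paths where fp is open and are correct. read_rsa_pubkey starts and ends outside these hunks, so any error return between the shown hunks that is not visible here would still need its own fclose.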
@@ -141,6 +142,7 @@ static lcp_signature_t2 *read_rsa_pubkey
ERROR("Error: failed to read .pem file %s: %s\n", file,
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
+ fclose(fp);
return NULL;
}
@@ -148,6 +150,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( keysize == 0 ) {
ERROR("Error: public key size is 0\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
@@ -155,19 +158,20 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( sig == NULL ) {
ERROR("Error: failed to allocate sig\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
sig->rsa_signature.pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
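Review bot: `modulus` is now a pointer borrowed from `pubkey` (RSA_get0_key on 1.1.0+, `pubkey->n` before) and the new code never checks it for NULL before the `BN_bn2bin(modulus, key)` that follows the hunk (visible at L183 in the lcptools/crtpollist.c hunk, which has the same shape); RSA_get0_key simply copies out whatever the RSA holds, so a key object without a modulus yields NULL here. A PEM-loaded public key should always have one, so this is defensive, but a guard `if ( modulus == NULL )` after the `#endif` that logs, frees `sig` and `pubkey`, closes `fp` and returns NULL costs little. Worth a one-line comment on L36 so nobody reintroduces the old `BN_free(modulus)`: `/* borrowed from pubkey: do not free; invalid after RSA_free(pubkey) */`. The same comment belongs on L170 in lcptools/crtpollist.c.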
@@ -183,8 +187,8 @@ static lcp_signature_t2 *read_rsa_pubkey
}
LOG("read rsa pubkey succeed!\n");
- BN_free(modulus);
RSA_free(pubkey);
+ fclose(fp);
return sig;
}
@@ -386,13 +390,13 @@ static bool ecdsa_sign_tpm20_list_data(l
return false;
}
- BIGNUM *r = BN_new();
- BIGNUM *s = BN_new();
-
+ const BIGNUM *r = NULL;
+ const BIGNUM *s = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to
ECDSA_SIG stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ECDSA_SIG_get0(ecdsasig, (const BIGNUM **)&r, (const BIGNUM **)&s);
+ ECDSA_SIG_get0(ecdsasig, &r, &s);
#else
r = ecdsasig->r;
s = ecdsasig->s;
@@ -415,8 +419,7 @@ static bool ecdsa_sign_tpm20_list_data(l
display_tpm20_signature(" ", sig, pollist->sig_alg, false);
}
- BN_free(r);
- BN_free(s);
+ ECDSA_SIG_free(ecdsasig);
return true;
}
return false;
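Review bot: `ECDSA_SIG_free(ecdsasig)` is added only on the `return true;` path at L78; the trailing `return false;` at L81, and any error return between the two hunks that is outside the shown lines, still leaves `ecdsasig` allocated if it is reached after the signature was created. If the block ending at L80 can fall through, add `ECDSA_SIG_free(ecdsasig);` before L81's `return false;` as well. Since `r` and `s` are now borrowed from `ecdsasig` rather than owned copies, the new ordering (use, then free, then return) is the right one, and a comment at L62, `/* r and s are owned by ecdsasig; released with it */`, would document the invariant. ecdsa_sign_tpm20_list_data begins outside the hunk.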
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -371,9 +371,8 @@ bool verify_signature(const uint8_t *dat
return false;
}
- BIGNUM *modulus = BN_new();
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
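Review bot: The results of `BN_bin2bn` at L90 and `BN_new` at L91 are not checked, and the `RSA_set0_key` call at L97 in the next hunk ignores its return value; RSA_set0_key does not take ownership when it fails (it returns 0 when `n` or `e` is NULL), and since this patch removes every `BN_free(modulus)`/`BN_free(exponent)` after it (L109–L159), a failed call leaks both BIGNUMs and continues into verification with an RSA object that has no modulus. Check the allocations up front and the set0 result, releasing what is still owned on failure; on the success path the RSA owns both and the removals are correct. The same pattern is in the lcputils2.c hunk at L198–L234 (L204, L205, L217) and should get the same checks. verify_signature begins and ends outside the hunk.
```c
    BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
    BIGNUM *exponent = BN_new();
    if ( modulus == NULL || exponent == NULL ) {
        ERROR("Error: failed to allocate RSA key components\n");
        BN_free(modulus);   /* BN_free(NULL) is a no-op */
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }
    /* … unchanged: exponent setup from LCP_SIG_EXPONENT … */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    /* on success rsa_pubkey owns modulus and exponent; on failure we still do */
    if ( !RSA_set0_key(rsa_pubkey, modulus, exponent, NULL) ) {
        ERROR("Error: failed to set RSA public key\n");
        BN_free(modulus);
        BN_free(exponent);
        RSA_free(rsa_pubkey);
        return false;
    }
#else
    /* … unchanged: direct field assignment … */
#endif
```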
@@ -384,8 +383,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
@@ -407,8 +406,6 @@ bool verify_signature(const uint8_t *dat
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -451,8 +448,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -467,8 +462,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -483,8 +476,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -499,8 +490,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -508,13 +497,10 @@ bool verify_signature(const uint8_t *dat
default :
LOG("unknown hash alg\n");
- BN_free(modulus);
- BN_free(exponent);
+ RSA_free(rsa_pubkey);
return false;
}
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return true;
}
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -156,13 +156,14 @@ static lcp_signature_t *read_pubkey_file
memset(sig, 0, sizeof(*sig) + 2*keysize);
sig->pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
BN_bn2bin(modulus, key);
@@ -175,8 +176,7 @@ static lcp_signature_t *read_pubkey_file
LOG("signature:\n");
display_signature(" ", sig, false);
}
-
- BN_free(modulus);
+
RSA_free(pubkey);
return sig;
}
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -274,31 +274,29 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to allocate key\n");
return false;
}
- BIGNUM *modulus = BN_new();
+
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
BN_dec2bn(&exponent, exp);
-
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+ RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
- rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
+ rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
/* first create digest of data */
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -339,14 +337,10 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
- RSA_free(rsa_pubkey);
+ RSA_free(rsa_pubkey);
return false;
}
-
- BN_free(modulus);
- BN_free(exponent);
+
RSA_free(rsa_pubkey);
return true;
}