[openssl-dev] [openssl.org #3674] Bug report - cannot compile 1.0.2 with no-cms


[openssl-dev] [openssl.org #3674] Bug report - cannot compile 1.0.2 with no-cms

Rich Salz via RT
If running
./config no-cms
make


then there's multiple problems with new code that adds new CMS
functionality that was not properly protected by #ifndef OPENSSL_NO_CMS

I'm attaching a patch file that I've made against 1.0.2. It compiles with the
patch.
The changes are fairly simple in all files except dh_pmeth.c which you
should probably reconsider.
In dh_pmeth.c, pkey_dh_ctrl(), the change is a bit ugly, especially if
there's a plan to make more types of kdf_type in addition to the two
existing ones. I've done it like so to minimize the change. Perhaps changing
this to a switch would make it more elegant and future-proof.
In dh_pmeth.c, pkey_dh_derive - apart from the reasonable change of putting
the whole "else if" under a #ifndef, I've also changed the default return
value of the function to 0.
If the "if" and the "else if" don't recognize the kdf_type, I think it's
much more reasonable for the function to indicate a failure, instead of the
original code.



openssl_no_cms.patch (6K) Download Attachment

[openssl.org #3674] Bug report - cannot compile 1.0.2 with no-cms

Rich Salz via RT
From: David Bar <[hidden email]>
Subject: [PATCH] RT3674: Fix no-cms build failure

This fixes multiple problems with CMS-related code, including the
RFC2631 DH key derivation which depends on CMS, not being correctly
protected by #ifndef OPENSSL_NO_CMS.
---
Updated version of David Bar's patch, against OpenSSL git HEAD. I have
introduced a couple of switch statements for key derivation types, as
David suggested. And also I leave EVP_PKEY_DH_KDF_X9_42 defined in the
header file, but just returning failure when you try to *use* it.

(
This fix is also required for building OpenSSL in the UEFI environment.
We are starting to work on fixing up the patch which currently lives in
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/OpensslLib
so that we can get the useful parts merged upstream.

To start with, we've just broken it down into individual changes, which
are (not cleaned up for submission yet) at
http://git.infradead.org/users/dwmw2/openssl.git/shortlog/refs/heads/OpenSSL_1_0_2-stable 
)

 crypto/dh/dh_kdf.c     |  3 +++
 crypto/dh/dh_pmeth.c   | 30 +++++++++++++++++++++++-------
 crypto/ec/ec_ameth.c   |  2 ++
 crypto/rsa/rsa_ameth.c |  8 ++++++++
 include/openssl/dh.h   |  2 ++
 5 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c
index b812d82..3035d0b 100644
--- a/crypto/dh/dh_kdf.c
+++ b/crypto/dh/dh_kdf.c
@@ -51,6 +51,8 @@
  * ====================================================================
  */
 
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_CMS
 #include <string.h>
 #include <openssl/dh.h>
 #include <openssl/evp.h>
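Review bot: With OPENSSL_NO_CMS defined, everything after the new `#include <openssl/opensslconf.h>` line is compiled out, so unless that header declares something this file becomes an empty translation unit. ISO C does not allow that, and pedantic builds warn about it. An `#else` branch holding a dummy declaration, for example `static void *dummy = &dummy;`, would keep the no-cms build quiet. The matching `#endif /* !OPENSSL_NO_CMS */` is in the next hunk of this file.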
@@ -184,3 +186,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
     EVP_MD_CTX_cleanup(&mctx);
     return rv;
 }
+#endif /* !OPENSSL_NO_CMS */
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 763e42f..b070246 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -203,12 +203,20 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
 
     case EVP_PKEY_CTRL_DH_KDF_TYPE:
-        if (p1 == -2)
+        switch (p1) {
+        case -2:
             return dctx->kdf_type;
-        if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
+
+#ifndef OPENSSL_NO_CMS
+        case EVP_PKEY_DH_KDF_X9_42:
+#endif
+        case EVP_PKEY_DH_KDF_NONE:
+            dctx->kdf_type = p1;
+            return 1;
+
+        default:
             return -2;
-        dctx->kdf_type = p1;
-        return 1;
+ }
 
     case EVP_PKEY_CTRL_DH_KDF_MD:
         dctx->kdf_md = p2;
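Review bot: The closing brace of the new inner `switch (p1)` is indented by a single space rather than the eight spaces of the `switch` line, which looks like a stray tab in the patch and should be re-indented. The literal `-2` also carries two meanings in this case block, a query selector in `case -2:` and the return value in `default:`. A comment such as `/* p1 == -2: query the current KDF type */` above the first case would separate them. A short comment on the `#ifndef OPENSSL_NO_CMS` should state that in a no-cms build EVP_PKEY_DH_KDF_X9_42 falls through to `default` and is rejected, because that rejection appears to be what stops an unsupported KDF type from being stored in the context. pkey_dh_ctrl starts and ends outside the hunk.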
@@ -437,7 +445,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
     }
     dh = ctx->pkey->pkey.dh;
     dhpub = ctx->peerkey->pkey.dh->pub_key;
-    if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
+
+    switch (dctx->kdf_type) {
+    case EVP_PKEY_DH_KDF_NONE:
         if (key == NULL) {
             *keylen = DH_size(dh);
             return 1;
@@ -447,7 +457,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
             return ret;
         *keylen = ret;
         return 1;
-    } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
+
+#ifndef OPENSSL_NO_CMS
+    case EVP_PKEY_DH_KDF_X9_42: {
         unsigned char *Z = NULL;
         size_t Zlen = 0;
         if (!dctx->kdf_outlen || !dctx->kdf_oid)
@@ -475,7 +487,11 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
         OPENSSL_clear_free(Z, Zlen);
         return ret;
     }
-    return 1;
+#endif /* !OPENSSL_NO_CMS */
+
+    default:
+        return 0;
+    }
 }
 
 const EVP_PKEY_METHOD dh_pkey_meth = {
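Review bot: The new `default: return 0;` at the end of pkey_dh_derive fails without recording an error in the lines shown, so a caller whose context holds an unrecognised kdf_type gets a bare 0 and nothing on the error queue. Failing closed is the right direction, since the old trailing `return 1;` reported success without writing a key or `*keylen`. Adding `DHerr(DH_F_PKEY_DH_DERIVE, <reason code>);` before the return would make the failure diagnosable. A one-line comment on `default:` should say that it covers EVP_PKEY_DH_KDF_X9_42 when CMS is compiled out. The function body begins outside this hunk.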
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index edb68d1..e2f3287 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -67,8 +67,10 @@
 #include <openssl/asn1t.h>
 #include "internal/asn1_int.h"
 
+#ifndef OPENSSL_NO_CMS
 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
+#endif
 
 static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 {
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index d409631..254b553 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -68,10 +68,12 @@
 #endif
 #include "internal/asn1_int.h"
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si);
 static int rsa_cms_verify(CMS_SignerInfo *si);
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
+#endif
 
 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
@@ -653,6 +655,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
     return rv;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_verify(CMS_SignerInfo *si)
 {
     int nid, nid2;
@@ -671,6 +674,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)
     }
     return 0;
 }
+#endif
 
 /*
  * Customised RSA item verification routine. This is called when a signature
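Review bot: The `#endif` that closes the guard around rsa_cms_verify is bare, while the guards added in dh_kdf.c and in pkey_dh_derive are closed with `#endif /* !OPENSSL_NO_CMS */`. The same applies to the later hunks in this file around rsa_cms_sign and around the rsa_cms_decrypt/rsa_cms_encrypt pair. There the opening `#ifndef` and its `#endif` sit in different hunks, more than a hundred lines apart. Using `#endif /* !OPENSSL_NO_CMS */` on each of them would keep the patch consistent and make the long guarded regions easier to follow.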
@@ -693,6 +697,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
     return -1;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si)
 {
     int pad_mode = RSA_PKCS1_PADDING;
@@ -717,6 +722,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
     return 1;
 }
+#endif
 
 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                          X509_ALGOR *alg1, X509_ALGOR *alg2,
@@ -768,6 +774,7 @@ static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
     return pss;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
 {
     EVP_PKEY_CTX *pkctx;
@@ -900,6 +907,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
     ASN1_STRING_free(os);
     return rv;
 }
+#endif
 
 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
     {
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index e0f4b57..882d4f1 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -239,11 +239,13 @@ DH *DH_get_1024_160(void);
 DH *DH_get_2048_224(void);
 DH *DH_get_2048_256(void);
 
+# ifndef OPENSSL_NO_CMS
 /* RFC2631 KDF */
 int DH_KDF_X9_42(unsigned char *out, size_t outlen,
                  const unsigned char *Z, size_t Zlen,
                  ASN1_OBJECT *key_oid,
                  const unsigned char *ukm, size_t ukmlen, const EVP_MD *md);
+# endif
 
 # define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \
         EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \
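Review bot: The prototype for DH_KDF_X9_42 now disappears from the public header in a no-cms build, but the `/* RFC2631 KDF */` comment does not say so. Per the commit description, EVP_PKEY_DH_KDF_X9_42 stays defined and only fails when used, so the two behave differently. A comment along the lines of `/* RFC2631 KDF; not available when built with no-cms (OPENSSL_NO_CMS) */` would tell application authors why the symbol is missing. The guard also depends on opensslconf.h having been pulled in earlier in dh.h, which is outside the hunk and worth confirming.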
--
2.4.3

--
dwmw2



smime.p7s (7K) Download Attachment