add OpenSSL 1.0.2 backport patch

jluebbe · jluebbe · commit ab1ab02eb8f6 · 2020-12-14T12:43:38.000+01:00
diff --git a/0001-backport-to-OpenSSL-1.0.2.patch b/0001-backport-to-OpenSSL-1.0.2.patch
@@ -0,0 +1,297 @@
+From e1d5cca98f3ed30613635b6fd718c92044294adb Mon Sep 17 00:00:00 2001
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Tue, 1 Dec 2020 12:47:37 +0100
+Subject: [PATCH] backport to OpenSSL 1.0.2
+
+This is partially a revert of commit
+3c6470ba7c2adbf51e5eaf4601e4affbab0c15c5.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+---
+ configure.ac           |   2 +-
+ m4/ax_check_openssl.m4 | 124 +++++++++++++++++++++++++++++++++++++++++
+ src/signature.c        |  36 ++++++++++--
+ src/verity_hash.c      |  10 ++++
+ 4 files changed, 167 insertions(+), 5 deletions(-)
+ create mode 100644 m4/ax_check_openssl.m4
+
+diff --git a/configure.ac b/configure.ac
+index 7ba36bff8ee1..df04c49fb741 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -84,7 +84,7 @@ AS_IF([test "x$enable_json" != "xno"], [
+        AC_DEFINE([ENABLE_JSON], [0])
+ ])
+ 
+-PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1])
++AX_CHECK_OPENSSL([],[AC_MSG_ERROR([OpenSSL not found])])
+ 
+ AC_ARG_ENABLE([gpt],
+        AS_HELP_STRING([--enable-gpt], [Enable GPT support])
+diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
+new file mode 100644
+index 000000000000..a87c5a6b6f93
+--- /dev/null
++++ b/m4/ax_check_openssl.m4
+@@ -0,0 +1,124 @@
++# ===========================================================================
++#     http://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
++#
++# DESCRIPTION
++#
++#   Look for OpenSSL in a number of default spots, or in a user-selected
++#   spot (via --with-openssl).  Sets
++#
++#     OPENSSL_INCLUDES to the include directives required
++#     OPENSSL_LIBS to the -l directives required
++#     OPENSSL_LDFLAGS to the -L or -R flags required
++#
++#   and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
++#
++#   This macro sets OPENSSL_INCLUDES such that source files should use the
++#   openssl/ directory in include directives:
++#
++#     #include <openssl/hmac.h>
++#
++# LICENSE
++#
++#   Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
++#   Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 8
++
++AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
++AC_DEFUN([AX_CHECK_OPENSSL], [
++    found=false
++    AC_ARG_WITH([openssl],
++        [AS_HELP_STRING([--with-openssl=DIR],
++            [root of the OpenSSL directory])],
++        [
++            case "$withval" in
++            "" | y | ye | yes | n | no)
++            AC_MSG_ERROR([Invalid --with-openssl value])
++              ;;
++            *) ssldirs="$withval"
++              ;;
++            esac
++        ], [
++            # if pkg-config is installed and openssl has installed a .pc file,
++            # then use that information and don't search ssldirs
++            AC_PATH_PROG([PKG_CONFIG], [pkg-config])
++            if test x"$PKG_CONFIG" != x""; then
++                OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
++                if test $? = 0; then
++                    OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
++                    OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
++                    found=true
++                fi
++            fi
++
++            # no such luck; use some default ssldirs
++            if ! $found; then
++                ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
++            fi
++        ]
++        )
++
++
++    # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
++    # an 'openssl' subdirectory
++
++    if ! $found; then
++        OPENSSL_INCLUDES=
++        for ssldir in $ssldirs; do
++            AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
++            if test -f "$ssldir/include/openssl/ssl.h"; then
++                OPENSSL_INCLUDES="-I$ssldir/include"
++                OPENSSL_LDFLAGS="-L$ssldir/lib"
++                OPENSSL_LIBS="-lssl -lcrypto"
++                found=true
++                AC_MSG_RESULT([yes])
++                break
++            else
++                AC_MSG_RESULT([no])
++            fi
++        done
++
++        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++        # it will just work!
++    fi
++
++    # try the preprocessor and linker with our new flags,
++    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
++
++    AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
++    echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
++        "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
++
++    save_LIBS="$LIBS"
++    save_LDFLAGS="$LDFLAGS"
++    save_CPPFLAGS="$CPPFLAGS"
++    LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
++    LIBS="$OPENSSL_LIBS $LIBS"
++    CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
++    AC_LINK_IFELSE(
++        [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
++        [
++            AC_MSG_RESULT([yes])
++            $1
++        ], [
++            AC_MSG_RESULT([no])
++            $2
++        ])
++    CPPFLAGS="$save_CPPFLAGS"
++    LDFLAGS="$save_LDFLAGS"
++    LIBS="$save_LIBS"
++
++    AC_SUBST([OPENSSL_INCLUDES])
++    AC_SUBST([OPENSSL_LIBS])
++    AC_SUBST([OPENSSL_LDFLAGS])
++])
+diff --git a/src/signature.c b/src/signature.c
+index a4a2b14e20dc..a643a9650160 100644
+--- a/src/signature.c
++++ b/src/signature.c
+@@ -1,3 +1,5 @@
++#include <stdint.h>
++
+ #include <openssl/asn1.h>
+ #include <openssl/cms.h>
+ #include <openssl/conf.h>
+@@ -7,10 +9,19 @@
+ #include <openssl/crypto.h>
+ #include <openssl/engine.h>
+ #include <openssl/x509.h>
++#include <openssl/x509v3.h>
+ 
+ #include "context.h"
+ #include "signature.h"
+ 
++/* Define for OpenSSL 1.0.x backwards compatiblity.
++ * We use newer get0 names to be clear about memory ownership and to not use
++ * API deprecated in OpenSSL 1.1.x */
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++#define X509_get0_notAfter X509_get_notAfter
++#define X509_get0_notBefore X509_get_notBefore
++#endif
++
+ GQuark r_signature_error_quark(void)
+ {
+ 	return g_quark_from_static_string("r_signature_error_quark");
+@@ -23,9 +34,15 @@ static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *const_x,
+ 	 * the ex_ variables have already been calculated by other code when
+ 	 * we are in this callback. */
+ 	X509 *x = (X509 *)const_x;
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++	uint32_t ex_flags = x->ex_flags;
++	uint32_t ex_kusage = (x->ex_flags & EXFLAG_KUSAGE) ? x->ex_kusage : UINT32_MAX;
++	uint32_t ex_xkusage = (x->ex_flags & EXFLAG_XKUSAGE) ? x->ex_xkusage : UINT32_MAX;
++#else
+ 	uint32_t ex_flags = X509_get_extension_flags(x);
+ 	uint32_t ex_kusage = X509_get_key_usage(x);
+ 	uint32_t ex_xkusage = X509_get_extended_key_usage(x);
++#endif
+ 
+ 	if (ca) {
+ 		/* If extended key usage is present, it must contain codeSigning for all
+@@ -56,7 +73,11 @@ static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *const_x,
+ gboolean signature_init(GError **error)
+ {
+ 	int ret, id;
+-
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++	OPENSSL_config(NULL);
++	OpenSSL_add_all_algorithms();
++	ERR_load_crypto_strings();
++#else
+ 	g_return_val_if_fail(error == FALSE || *error == NULL, FALSE);
+ 
+ 	ret = OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+@@ -74,6 +95,7 @@ gboolean signature_init(GError **error)
+ 				(flags & ERR_TXT_STRING) ? data : ERR_error_string(err, NULL));
+ 		return FALSE;
+ 	}
++#endif
+ 
+ 	id = X509_PURPOSE_get_count() + 1;
+ 	if (X509_PURPOSE_get_by_id(id) >= 0) {
+@@ -86,7 +108,9 @@ gboolean signature_init(GError **error)
+ 	}
+ 
+ 	/* X509_TRUST_OBJECT_SIGN maps to the Code Signing ID (via OpenSSL's NID_code_sign) */
+-	ret = X509_PURPOSE_add(id, X509_TRUST_OBJECT_SIGN, 0, check_purpose_code_sign, "Code signing", "codesign", NULL);
++	/* X509_PURPOSE_add calls BUF_strdup on the string arguments and they
++	 * are const in newer OpenSSL versions. */
++	ret = X509_PURPOSE_add(id, X509_TRUST_OBJECT_SIGN, 0, check_purpose_code_sign, (char *)"Code signing", (char *)"codesign", NULL);
+ 	if (!ret) {
+ 		unsigned long err;
+ 		const gchar *data;
+@@ -439,8 +463,12 @@ X509_STORE* setup_x509_store(const gchar *capath, const gchar *cadir, GError **e
+ 
+ 	/* Enable purpose checking if configured */
+ 	if (check_purpose) {
+-		const X509_PURPOSE *xp = X509_PURPOSE_get0(X509_PURPOSE_get_by_sname(check_purpose));
+-		if (!xp || !X509_STORE_set_purpose(store, X509_PURPOSE_get_id(xp))) {
++		/* X509_PURPOSE_get0 calls only strcmp on the string argument and
++		 * it is const in newer OpenSSL versions. */
++		const X509_PURPOSE *xp = X509_PURPOSE_get0(X509_PURPOSE_get_by_sname((char *)check_purpose));
++		/* X509_PURPOSE_get_id calls only returns an int field of the
++		 * X509_PURPOSE it is const in newer OpenSSL versions. */
++		if (!xp || !X509_STORE_set_purpose(store, X509_PURPOSE_get_id((X509_PURPOSE *)xp))) {
+ 			g_set_error(
+ 					error,
+ 					R_SIGNATURE_ERROR,
+diff --git a/src/verity_hash.c b/src/verity_hash.c
+index bc53e21952db..58493bc832d5 100644
+--- a/src/verity_hash.c
++++ b/src/verity_hash.c
+@@ -23,6 +23,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <stdint.h>
++#include <inttypes.h>
+ #include <glib.h>
+ 
+ #include <openssl/bio.h>
+@@ -80,11 +81,18 @@ static int verify_hash_block(
+ {
+ 	/* SHA256, version 1 only */
+ 	EVP_MD_CTX *mdctx;
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++	EVP_MD_CTX mdctx_stack;
++#endif
+ 	uint8_t tmp[EVP_MAX_MD_SIZE];
+ 	unsigned int tmp_size = 0;
+ 	int r = 0;
+ 
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++	mdctx = &mdctx_stack;
++#else
+ 	mdctx = EVP_MD_CTX_new();
++#endif
+ 	if (EVP_DigestInit(mdctx, EVP_sha256()) != 1) {
+ 		g_message("init failed");
+ 		r = -EINVAL;
+@@ -116,7 +124,9 @@ static int verify_hash_block(
+ out:
+ 	if (r)
+ 		ERR_print_errors_fp(stderr);
++#if !(OPENSSL_VERSION_NUMBER < 0x10100000L)
+ 	EVP_MD_CTX_free(mdctx);
++#endif
+ 	return r;
+ }
+ 
+-- 
+2.20.1
+
