[U-Boot] [PATCH] rsa-sign: Fix build against libressl

Thu Apr 19 14:43:58 UTC 2018

On Wed, Apr 18, 2018 at 10:37:43PM +0200, Hauke Mehrtens wrote:
> Libressl implements the OpenSSL 1.1 API partially and improved the
> support with version 2.7. For some code we have to take use the OpenSSL
> 1.0 API and for some parts the OpenSSL 1.1 API can be used.
> This was compile tested against libressl 2.6.4 and 2.7.2.

The parts that don't test LIBRESSL_VERSION_NUMBER look suspect.

> 
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>  lib/rsa/rsa-sign.c | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index 1da4ef7fff..b2a4446d83 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -21,7 +21,8 @@
>  #define HAVE_ERR_REMOVE_THREAD_STATE
>  #endif
>  
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
>  static void RSA_get0_key(const RSA *r,
>                   const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
>  {
> @@ -300,7 +301,8 @@ static int rsa_init(void)
>  {
>  	int ret;
>  
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
>  	ret = SSL_library_init();
>  #else
>  	ret = OPENSSL_init_ssl(0, NULL);
> @@ -309,7 +311,7 @@ static int rsa_init(void)
>  		fprintf(stderr, "Failure to init SSL library\n");
>  		return -1;
>  	}
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>  	SSL_load_error_strings();
>  
>  	OpenSSL_add_all_algorithms();

Shouldn't this block also be gated by VERSION < 0x2070000fL as SSL_library_init()
covers it?

> @@ -355,7 +357,7 @@ err_set_rsa:
>  err_engine_init:
>  	ENGINE_free(e);
>  err_engine_by_id:
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L ||  defined(LIBRESSL_VERSION_NUMBER)
>  	ENGINE_cleanup();
>  #endif
>  	return ret;
> @@ -363,7 +365,7 @@ err_engine_by_id:
>  
>  static void rsa_remove(void)
>  {
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>  	CRYPTO_cleanup_all_ex_data();
>  	ERR_free_strings();
>  #ifdef HAVE_ERR_REMOVE_THREAD_STATE
> @@ -433,7 +435,8 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo,
>  		ret = rsa_err("Could not obtain signature");
>  		goto err_sign;
>  	}
> -	#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +	#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +	    defined(LIBRESSL_VERSION_NUMBER)
>  		EVP_MD_CTX_cleanup(context);
>  	#else
>  		EVP_MD_CTX_reset(context);

EVP_MD_CTX_reset is present in recent LibreSSL as well and
should be used here.