[PATCH 1/1] lib/ecdsa: Fix LibreSSL before v2.7.0

Wed Jul 28 21:16:47 CEST 2021

On 7/28/21 1:10 PM, Artem Panfilov wrote:
> Fix LibreSSL compilation for versions before v2.7.0.
> 
> Fix following compilation issue when CONFIG_TOOLS_LIBCRYPTO is enabled:
> tools/lib/ecdsa/ecdsa-libcrypto.o: In function `prepare_ctx':
> ecdsa-libcrypto.c:(.text+0x94): undefined reference to
> `OPENSSL_init_ssl'
> ecdsa-libcrypto.c:(.text+0x148): undefined reference to
> `EC_GROUP_order_bits'
> tools/lib/ecdsa/ecdsa-libcrypto.o: In function
> `ecdsa_check_signature.isra.0':
> ecdsa-libcrypto.c:(.text+0x32c): undefined reference to `ECDSA_SIG_set0'
> tools/lib/ecdsa/ecdsa-libcrypto.o: In function `ecdsa_sign':
> ecdsa-libcrypto.c:(.text+0x42c): undefined reference to `ECDSA_SIG_get0'
> ecdsa-libcrypto.c:(.text+0x443): undefined reference to `BN_bn2binpad'
> ecdsa-libcrypto.c:(.text+0x455): undefined reference to `BN_bn2binpad'
> tools/lib/ecdsa/ecdsa-libcrypto.o: In function `ecdsa_add_verify_data':
> ecdsa-libcrypto.c:(.text+0x5fa): undefined reference to
> `EC_GROUP_order_bits'
> ecdsa-libcrypto.c:(.text+0x642): undefined reference to
> `EC_POINT_get_affine_coordinates'
> 
> Signed-off-by: Artem Panfilov <panfilov.artyom at gmail.com>
> ---
>   lib/ecdsa/ecdsa-libcrypto.c | 80 ++++++++++++++++++++++++++++++++++++-
>   1 file changed, 79 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c
> index 1757a14562..50aa093acd 100644
> --- a/lib/ecdsa/ecdsa-libcrypto.c
> +++ b/lib/ecdsa/ecdsa-libcrypto.c
> @@ -24,6 +24,70 @@
>   #include <openssl/ec.h>
>   #include <openssl/bn.h>
>   
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)

Is there a reasonable use case for supporting an external library that 
is more than three years old at this point?

Otherwise NAK, as such #ifdefs don't really help with readability. I 
think Simon will agree here.

There's also the issue of deciding what version we have at compile time, 
which ignores the dynamic linking nature of .so libs. This leads into 
soname versioning territory. Let's not go there.

Alex

> +#include <openssl/err.h>
> +
> +static int EC_GROUP_order_bits(const EC_GROUP *group)
> +{
> +	int ret = 0;
> +	BIGNUM *order;
> +
> +	if (!group)
> +		return ret;
> +
> +	order = BN_new();
> +
> +	if (!order) {
> +		ERR_clear_error();
> +		return ret;
> +	}
> +
> +	if (!EC_GROUP_get_order(group, order, NULL)) {
> +		ERR_clear_error();
> +		BN_free(order);
> +		return ret;
> +	}
> +
> +	ret = BN_num_bits(order);
> +	BN_free(order);
> +	return ret;
> +}
> +
> +static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
> +{
> +	if (pr != NULL)
> +		*pr = sig->r;
> +	if (ps != NULL)
> +		*ps = sig->s;
> +}
> +
> +static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
> +{
> +	if (r == NULL || s == NULL)
> +		return 0;
> +	BN_clear_free(sig->r);
> +	BN_clear_free(sig->s);
> +	sig->r = r;
> +	sig->s = s;
> +	return 1;
> +}
> +
> +int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
> +{
> +	int n = BN_num_bytes(a);
> +
> +	if (n < 0 || n > tolen)
> +		return -1;
> +
> +	memset(to, 0, tolen - n);
> +	if (BN_bn2bin(a, to + tolen - n) < 0)
> +		return -1;
> +
> +	return tolen;
> +}
> +#endif
> +
>   /* Image signing context for openssl-libcrypto */
>   struct signer {
>   	EVP_PKEY *evp_key;	/* Pointer to EVP_PKEY object */
> @@ -34,9 +98,18 @@ struct signer {
>   
>   static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info)
>   {
> +	int ret = 0;
> +
>   	memset(ctx, 0, sizeof(*ctx));
>   
> -	if (!OPENSSL_init_ssl(0, NULL)) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)
> +	ret = SSL_library_init();
> +#else
> +	ret = OPENSSL_init_ssl(0, NULL);
> +#endif
> +
> +	if (!ret) {
>   		fprintf(stderr, "Failure to init SSL library\n");
>   		return -1;
>   	}
> @@ -285,7 +358,12 @@ static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
>   	x = BN_new();
>   	y = BN_new();
>   	point = EC_KEY_get0_public_key(ctx->ecdsa_key);
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> +(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL)
> +	EC_POINT_get_affine_coordinates_GFp(group, point, x, y, NULL);
> +#else
>   	EC_POINT_get_affine_coordinates(group, point, x, y, NULL);
> +#endif
>   
>   	ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name);
>   	if (ret < 0)
> 