On Tue, Apr 18, 2017 at 05:58:35PM +0100, Peter Robinson wrote:
> On Wed, Apr 5, 2017 at 10:49 AM, Mario Six <mario....@gdsys.cc> wrote:
> > Hi Jelle,
> >
> > On Tue, Apr 4, 2017 at 11:59 PM, Jelle van der Waa <je...@vdwaa.nl> wrote:
> >> @@ -20,6 +20,19 @@
> >>  #define HAVE_ERR_REMOVE_THREAD_STATE
> >>  #endif
> >>
> >> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || 
> >> defined(LIBRESSL_VERSION_NUMBER)
> >> +void RSA_get0_key(const RSA *r,
> >> +                 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
> >> +{
> >> +   if (n != NULL)
> >> +       *n = r->n;
> >> +   if (e != NULL)
> >> +       *e = r->e;
> >> +   if (d != NULL)
> >> +       *d = r->d;
> >> +}
> >> +#endif
> >> +
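Review bot: the compat RSA_get0_key() added at the top of this hunk has external linkage, so it can collide at link time with any other definition of the same symbol; declare it static. The guard `defined(LIBRESSL_VERSION_NUMBER)` also has no version bound, so a LibreSSL release that ships its own RSA_get0_key() would see a conflicting definition here. The BIGNUM type is used without an include being added in the visible lines, and a one-line comment saying this mirrors the OpenSSL 1.1 accessor (argument order n, e, d) would make the call sites easier to check.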
> >
> > Like in the other patch, this function should be static (also, missing
> > #include <openssl/bn.h> in this file as well).
> >
> >> @@ -548,7 +568,8 @@ int rsa_get_params(RSA *key, uint64_t *exponent, 
> >> uint32_t *n0_invp,
> >>         if (0 != rsa_get_exponent(key, exponent))
> >>                 ret = -1;
> >>
> >> -       if (!BN_copy(n, key->n) || !BN_set_word(big1, 1L) ||
> >> +       RSA_get0_key(key, NULL, &key_n, NULL);
> >> +       if (!BN_copy(n, key_n) || !BN_set_word(big1, 1L) ||
> >>             !BN_set_word(big2, 2L) || !BN_set_word(big32, 32L))
> >>                 ret = -1;
> >>
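Review bot: the added call `RSA_get0_key(key, NULL, &key_n, NULL);` passes &key_n in the second output slot, which the shim's signature (n, e, d) defines as the public exponent, so `BN_copy(n, key_n)` copies e instead of the modulus and everything rsa_get_params derives from n is computed from the wrong value. Pass it first instead: `RSA_get0_key(key, &key_n, NULL, NULL);`. The declaration of key_n is not in this hunk; it needs to be `const BIGNUM *` to match the accessor's parameter type.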
> >
> > You're loading the parameter e into key_n here! It should be
> >
> > RSA_get0_key(key, &key_n, NULL, NULL);
> >
> > instead.
> >
> > Like I said in the previous patch, you will have to #ifdef out more functions
> > in this file:
> >
> > * SSL_load_error_strings
> > * OpenSSL_add_all_algorithms
> > * OpenSSL_add_all_digests
> > * OpenSSL_add_all_ciphers
> > * ENGINE_cleanup
> > * CRYPTO_cleanup_all_ex_data
> > * ERR_free_strings();
> > * EVP_cleanup
> >
> > And you'll also have to replace SSL_library_init() with
> > OPENSSL_init_ssl(0, NULL).
> >
> > After making all these changes, I was able to build a working U-Boot (for our
> > controlcenterdc board) against OpenSSL 1.1 that loaded a signed FIT-Image that
> > a previous U-Boot also loaded.
> 
> 
> Jelle,
> 
> Are you planning a v3 to address the above issues? It would be useful
> to get this resolved for 2017.05.

Yes, please!

-- 
Tom
