morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

Several OpenSSL related cleanups (#39455)

Browse Source
This commit is contained in:
Yu Watanabe
2025-11-02 17:21:51 +09:00
committed by GitHub
parent ab1f4e506f b7d752a67e
commit c29e304562
9 changed files with 157 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/bootctl/bootctl-install.c
View File

@@ -623,12 +623,13 @@ static int efi_timestamp(EFI_TIME *ret) {
return 0;
}
#endif
static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) {
#if HAVE_OPENSSL
int r;
if (!arg_secure_boot_auto_enroll)
return 0;
_cleanup_free_ uint8_t *dercert = NULL;
int dercertsz;
dercertsz = i2d_X509(certificate, &dercert);
@@ -752,10 +753,8 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
}
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot set up secure boot auto-enrollment.");
#endif
}
#endif
static bool same_entry(uint16_t id, sd_id128_t uuid, const char *path) {
_cleanup_free_ char *opath = NULL;
@@ -963,6 +962,7 @@ static int are_we_installed(const char *esp_path) {
return r == 0;
}
#if HAVE_OPENSSL
static int load_secure_boot_auto_enroll(
X509 **ret_certificate,
EVP_PKEY **ret_private_key) {
@@ -1022,6 +1022,7 @@ static int load_secure_boot_auto_enroll(
return 0;
}
#endif
int verb_install(int argc, char *argv[], void *userdata) {
sd_id128_t uuid = SD_ID128_NULL;
@@ -1037,11 +1038,13 @@ int verb_install(int argc, char *argv[], void *userdata) {
/* Support graceful mode only for updates, unless forcibly enabled in chroot environments */
graceful = arg_graceful() == ARG_GRACEFUL_FORCE || (!install && arg_graceful() != ARG_GRACEFUL_NO);
#if HAVE_OPENSSL
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
_cleanup_(X509_freep) X509 *certificate = NULL;
r = load_secure_boot_auto_enroll(&certificate, &private_key);
if (r < 0)
return r;
#endif
r = acquire_esp(/* unprivileged_mode= */ false, graceful, &part, &pstart, &psize, &uuid, NULL);
if (graceful && r == -ENOKEY)
@@ -1101,17 +1104,15 @@ int verb_install(int argc, char *argv[], void *userdata) {
if (r < 0)
return r;
if (arg_install_random_seed) {
r = install_random_seed(arg_esp_path);
if (r < 0)
return r;
}
r = install_random_seed(arg_esp_path);
if (r < 0)
return r;
if (arg_secure_boot_auto_enroll) {
r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key);
if (r < 0)
return r;
}
#if HAVE_OPENSSL
r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key);
if (r < 0)
return r;
#endif
}
r = install_loader_specification(arg_dollar_boot_path());

3
src/bootctl/bootctl-random-seed.c
View File

@@ -122,6 +122,9 @@ int install_random_seed(const char *esp) {
assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE);
if (!arg_install_random_seed)
return 0;
esp_fd = open(esp, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
if (esp_fd < 0)
return log_error_errno(errno, "Failed to open ESP directory '%s': %m", esp);

14
src/bootctl/bootctl.c
View File

@@ -654,11 +654,17 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup");
if (arg_secure_boot_auto_enroll && !arg_certificate)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided");
if (arg_secure_boot_auto_enroll) {
#if HAVE_OPENSSL
if (!arg_certificate)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided.");
if (arg_secure_boot_auto_enroll && !arg_private_key)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided");
if (!arg_private_key)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided.");
#else
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Secure boot auto-enrollment requested but OpenSSL support is disabled.");
#endif
}
r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT);
if (r < 0)

174
src/repart/repart.c
View File

@@ -517,8 +517,10 @@ struct Context {
bool from_scratch;
#if HAVE_OPENSSL
X509 *certificate;
EVP_PKEY *private_key;
#endif
bool defer_partitions_empty;
bool defer_partitions_factory_reset;
@@ -848,11 +850,7 @@ static Context* context_new(
char **definitions,
EmptyMode empty,
bool dry_run,
sd_id128_t seed,
X509 *certificate,
EVP_PKEY *private_key) {
/* Note: This function takes ownership of the certificate and private_key arguments. */
sd_id128_t seed) {
_cleanup_strv_free_ char **d = NULL;
if (!strv_isempty(definitions)) {
@@ -871,8 +869,6 @@ static Context* context_new(
.end = UINT64_MAX,
.total = UINT64_MAX,
.seed = seed,
.certificate = certificate,
.private_key = private_key,
.empty = empty,
.dry_run = dry_run,
.backing_fd = -EBADF,
@@ -912,8 +908,10 @@ static Context* context_free(Context *context) {
else
free(context->node);
#if HAVE_OPENSSL
X509_free(context->certificate);
EVP_PKEY_free(context->private_key);
#endif
context->link = sd_varlink_unref(context->link);
@@ -5492,9 +5490,8 @@ static int partition_format_verity_hash(
}
static int sign_verity_roothash(
Context *context,
const struct iovec *roothash,
X509 *certificate,
EVP_PKEY *private_key,
struct iovec *ret_signature) {
#if HAVE_OPENSSL
@@ -5504,8 +5501,10 @@ static int sign_verity_roothash(
_cleanup_free_ uint8_t *sig = NULL;
int sigsz;
assert(context);
assert(context->certificate);
assert(context->private_key);
assert(roothash);
assert(private_key);
assert(iovec_is_set(roothash));
assert(ret_signature);
@@ -5517,7 +5516,7 @@ static int sign_verity_roothash(
if (!rb)
return log_oom();
p7 = PKCS7_sign(certificate, private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
p7 = PKCS7_sign(context->certificate, context->private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
if (!p7)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to calculate PKCS7 signature: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -5565,6 +5564,7 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
Partition *hp, *rp;
uint8_t fp[X509_FINGERPRINT_SIZE];
int whole_fd, r;
bool has_fp = false;
assert(p->verity == VERITY_SIG);
@@ -5581,13 +5581,20 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
verity_settings = lookup_verity_settings_by_uuid_pair(rp->current_uuid, hp->current_uuid);
if (!context->private_key && !verity_settings)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no private key provided (--private-key=).");
if (!verity_settings) {
#if HAVE_OPENSSL
if (!context->private_key)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no private key provided (--private-key=).");
if (!context->certificate && !verity_settings)
if (!context->certificate)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
#else
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
"Verity signature partition signing requested but OpenSSL support is disabled.");
#endif
}
(void) partition_hint(p, context->node, &hint);
@@ -5603,7 +5610,7 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
.iov_len = verity_settings->root_hash_size,
};
} else {
r = sign_verity_roothash(&hp->roothash, context->certificate, context->private_key, &sig_free);
r = sign_verity_roothash(context, &hp->roothash, &sig_free);
if (r < 0)
return r;
@@ -5611,14 +5618,17 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
roothash = hp->roothash;
}
#if HAVE_OPENSSL
r = x509_fingerprint(context->certificate, fp);
if (r < 0)
return log_error_errno(r, "Unable to calculate X509 certificate fingerprint: %m");
has_fp = true;
#endif
r = sd_json_buildo(
&v,
SD_JSON_BUILD_PAIR("rootHash", SD_JSON_BUILD_HEX(roothash.iov_base, roothash.iov_len)),
SD_JSON_BUILD_PAIR("certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))),
SD_JSON_BUILD_PAIR_CONDITION(has_fp, "certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))),
SD_JSON_BUILD_PAIR("signature", JSON_BUILD_IOVEC_BASE64(&sig)));
if (r < 0)
return log_error_errno(r, "Failed to build verity signature JSON object: %m");
@@ -8730,6 +8740,57 @@ static int context_minimize(Context *context) {
return 0;
}
static int context_load_keys(Context *context) {
#if HAVE_OPENSSL
int r;
assert(context);
if (arg_certificate) {
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&context->certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
}
if (arg_private_key) {
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key);
if (r < 0)
return r;
}
r = openssl_load_private_key(
arg_private_key_source_type,
arg_private_key_source,
arg_private_key,
&(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "repart-private-key-pin",
.keyring = arg_private_key,
.credential = "repart.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
},
&context->private_key,
/* ret_user_interface= */ NULL);
if (r < 0)
return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
}
#endif
return 0;
}
static int parse_partition_types(const char *p, GptPartitionType **partitions, size_t *n_partitions) {
int r;
@@ -8934,13 +8995,7 @@ static int help(void) {
return 0;
}
static int parse_argv(
int argc,
char *argv[],
X509 **ret_certificate,
EVP_PKEY **ret_private_key,
OpenSSLAskPasswordUI **ret_ui) {
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_NO_PAGER,
@@ -9039,17 +9094,11 @@ static int parse_argv(
{}
};
_cleanup_(X509_freep) X509 *certificate = NULL;
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
bool auto_public_key_pcr_mask = true, auto_pcrlock = true;
int c, r;
assert(argc >= 0);
assert(argv);
assert(ret_certificate);
assert(ret_private_key);
assert(ret_ui);
while ((c = getopt_long(argc, argv, "hs:SCP", options, NULL)) >= 0)
@@ -9590,47 +9639,6 @@ static int parse_argv(
*p = gpt_partition_type_override_architecture(*p, arg_architecture);
}
if (arg_certificate) {
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
}
if (arg_private_key) {
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key);
if (r < 0)
return r;
}
r = openssl_load_private_key(
arg_private_key_source_type,
arg_private_key_source,
arg_private_key,
&(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "repart-private-key-pin",
.keyring = arg_private_key,
.credential = "repart.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
},
&private_key,
&ui);
if (r < 0)
return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
}
if (arg_append_fstab && !arg_generate_fstab)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No --generate-fstab= specified for --append-fstab=%s.", append_mode_to_string(arg_append_fstab));
@@ -9642,10 +9650,6 @@ static int parse_argv(
arg_pager_flags |= PAGER_DISABLE;
}
*ret_certificate = TAKE_PTR(certificate);
*ret_private_key = TAKE_PTR(private_key);
*ret_ui = TAKE_PTR(ui);
return 1;
}
@@ -10266,9 +10270,7 @@ static int vl_method_run(
p.definitions,
p.empty,
p.dry_run,
p.seed,
/* certificate= */ NULL,
/* private_key= */ NULL);
p.seed);
if (!context)
return log_oom();
@@ -10407,9 +10409,6 @@ static int vl_server(void) {
}
static int run(int argc, char *argv[]) {
_cleanup_(X509_freep) X509 *certificate = NULL;
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
_cleanup_(umount_and_freep) char *mounted_dir = NULL;
_cleanup_(context_freep) Context* context = NULL;
@@ -10418,7 +10417,7 @@ static int run(int argc, char *argv[]) {
log_setup();
r = parse_argv(argc, argv, &certificate, &private_key, &ui);
r = parse_argv(argc, argv);
if (r <= 0)
return r;
@@ -10484,14 +10483,13 @@ static int run(int argc, char *argv[]) {
arg_definitions,
arg_empty,
arg_dry_run,
arg_seed,
certificate,
private_key);
arg_seed);
if (!context)
return log_oom();
TAKE_PTR(certificate);
TAKE_PTR(private_key);
r = context_load_keys(context);
if (r < 0)
return r;
context->defer_partitions_empty = arg_defer_partitions_empty;
context->defer_partitions_factory_reset = arg_defer_partitions_factory_reset;

6
src/resolve/resolvectl.c
View File

@@ -1014,6 +1014,7 @@ static int verb_service(int argc, char **argv, void *userdata) {
return resolve_service(bus, argv[1], argv[2], argv[3]);
}
#if HAVE_OPENSSL
static int resolve_openpgp(sd_bus *bus, const char *address) {
int r;
@@ -1074,8 +1075,10 @@ static int resolve_openpgp(sd_bus *bus, const char *address) {
arg_type ?: DNS_TYPE_OPENPGPKEY,
/* warn_missing= */ true);
}
#endif
static int verb_openpgp(int argc, char **argv, void *userdata) {
#if HAVE_OPENSSL
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
int r, ret = 0;
@@ -1090,6 +1093,9 @@ static int verb_openpgp(int argc, char **argv, void *userdata) {
RET_GATHER(ret, resolve_openpgp(bus, *p));
return ret;
#else
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled, cannot query Open PGP keys.");
#endif
}
static int resolve_tlsa(sd_bus *bus, const char *family, const char *address) {

23
src/shared/openssl-util.c
View File

@@ -1644,25 +1644,20 @@ static int load_x509_certificate_from_provider(const char *provider, const char
return -EOPNOTSUPP;
#endif
}
#endif
OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE)
if (!ui)
return NULL;
#ifndef OPENSSL_NO_UI_CONSOLE
assert(UI_get_default_method() == ui->method);
UI_set_default_method(UI_OpenSSL());
UI_destroy_method(ui->method);
return mfree(ui);
#else
assert(ui == NULL);
return NULL;
#endif
return mfree(ui);
}
int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
#if HAVE_OPENSSL
_cleanup_free_ uint8_t *der = NULL;
int dersz;
@@ -1674,9 +1669,6 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
sha256_direct(der, dersz, buffer);
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate X509 fingerprint.");
#endif
}
int openssl_load_x509_certificate(
@@ -1684,7 +1676,7 @@ int openssl_load_x509_certificate(
const char *certificate_source,
const char *certificate,
X509 **ret) {
#if HAVE_OPENSSL
int r;
assert(certificate);
@@ -1708,9 +1700,6 @@ int openssl_load_x509_certificate(
certificate_source);
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load X509 certificate.");
#endif
}
int openssl_load_private_key(
@@ -1720,7 +1709,7 @@ int openssl_load_private_key(
const AskPasswordRequest *request,
EVP_PKEY **ret_private_key,
OpenSSLAskPasswordUI **ret_user_interface) {
#if HAVE_OPENSSL
int r;
assert(private_key);
@@ -1763,10 +1752,8 @@ int openssl_load_private_key(
}
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load private key.");
#endif
}
#endif
int parse_openssl_certificate_source_argument(
const char *argument,

76
src/shared/openssl-util.h
View File

@@ -55,22 +55,24 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
# endif
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO(void*, OPENSSL_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7_SIGNER_INFO*, PKCS7_SIGNER_INFO_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
static inline STACK_OF(X509_ALGOR) *x509_algor_free_many(STACK_OF(X509_ALGOR) *attrs) {
if (!attrs)
@@ -170,44 +172,13 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_
int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, const char *hash_algorithm, PKCS7 **ret_p7, PKCS7_SIGNER_INFO **ret_si);
int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
#else
typedef struct X509 X509;
typedef struct EVP_PKEY EVP_PKEY;
typedef struct EVP_MD EVP_MD;
typedef struct UI_METHOD UI_METHOD;
typedef struct ASN1_TYPE ASN1_TYPE;
typedef struct ASN1_STRING ASN1_STRING;
static inline void* X509_free(X509 *p) {
assert(p == NULL);
return NULL;
static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, "SHA224", ret);
}
static inline void* EVP_PKEY_free(EVP_PKEY *p) {
assert(p == NULL);
return NULL;
static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, "SHA256", ret);
}
static inline int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret) {
return -EOPNOTSUPP;
}
#endif
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
struct OpenSSLAskPasswordUI {
AskPasswordRequest request;
UI_METHOD *method;
};
OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL);
int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
int openssl_load_x509_certificate(
@@ -224,10 +195,13 @@ int openssl_load_private_key(
EVP_PKEY **ret_private_key,
OpenSSLAskPasswordUI **ret_user_interface);
static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, "SHA224", ret);
}
struct OpenSSLAskPasswordUI {
AskPasswordRequest request;
#ifndef OPENSSL_NO_UI_CONSOLE
UI_METHOD *method;
#endif
};
static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, "SHA256", ret);
}
OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL);
#endif

14
src/shared/pe-binary.c
View File

@@ -336,13 +336,12 @@ static int hash_file(int fd, EVP_MD_CTX *md_ctx, uint64_t offset, uint64_t size)
static int section_offset_cmp(const IMAGE_SECTION_HEADER *a, const IMAGE_SECTION_HEADER *b) {
return CMP(ASSERT_PTR(a)->PointerToRawData, ASSERT_PTR(b)->PointerToRawData);
}
#endif
int pe_hash(int fd,
const EVP_MD *md,
void **ret_hash,
size_t *ret_hash_size) {
#if HAVE_OPENSSL
_cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *mdctx = NULL;
_cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL;
_cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL;
@@ -449,9 +448,6 @@ int pe_hash(int fd,
*ret_hash_size = hash_size;
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate PE hash.");
#endif
}
int pe_checksum(int fd, uint32_t *ret) {
@@ -503,7 +499,6 @@ int pe_checksum(int fd, uint32_t *ret) {
return 0;
}
#if HAVE_OPENSSL
typedef void* SectionHashArray[_UNIFIED_SECTION_MAX];
static void section_hash_array_done(SectionHashArray *array) {
@@ -512,13 +507,12 @@ static void section_hash_array_done(SectionHashArray *array) {
for (size_t i = 0; i < _UNIFIED_SECTION_MAX; i++)
free((*array)[i]);
}
#endif
int uki_hash(int fd,
const EVP_MD *md,
void* ret_hashes[static _UNIFIED_SECTION_MAX],
size_t *ret_hash_size) {
#if HAVE_OPENSSL
_cleanup_(section_hash_array_done) SectionHashArray hashes = {};
_cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL;
_cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL;
@@ -605,7 +599,5 @@ int uki_hash(int fd,
*ret_hash_size = (unsigned) hsz;
return 0;
#else
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate UKI hash.");
#endif
}
#endif

3
src/shared/pe-binary.h
View File

@@ -151,8 +151,11 @@ bool pe_is_addon(const PeHeader *pe_header, const IMAGE_SECTION_HEADER *sections
bool pe_is_native(const PeHeader *pe_header);
int pe_is_native_fd(int fd);
#if HAVE_OPENSSL
int pe_hash(int fd, const EVP_MD *md, void **ret_hash, size_t *ret_hash_size);
/* This does not depend on OpenSSL, but is currently only used by sbsign which requires OpenSSL. */
int pe_checksum(int fd, uint32_t *ret);
int uki_hash(int fd, const EVP_MD *md, void *ret_hashes[static _UNIFIED_SECTION_MAX], size_t *ret_hash_size);
#endif