diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c index f31c55d36a..0a2fb1888b 100644 --- a/src/bootctl/bootctl-install.c +++ b/src/bootctl/bootctl-install.c @@ -623,12 +623,13 @@ static int efi_timestamp(EFI_TIME *ret) { return 0; } -#endif static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) { -#if HAVE_OPENSSL int r; + if (!arg_secure_boot_auto_enroll) + return 0; + _cleanup_free_ uint8_t *dercert = NULL; int dercertsz; dercertsz = i2d_X509(certificate, &dercert); @@ -752,10 +753,8 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E } return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot set up secure boot auto-enrollment."); -#endif } +#endif static bool same_entry(uint16_t id, sd_id128_t uuid, const char *path) { _cleanup_free_ char *opath = NULL; @@ -963,6 +962,7 @@ static int are_we_installed(const char *esp_path) { return r == 0; } +#if HAVE_OPENSSL static int load_secure_boot_auto_enroll( X509 **ret_certificate, EVP_PKEY **ret_private_key) { @@ -1022,6 +1022,7 @@ static int load_secure_boot_auto_enroll( return 0; } +#endif int verb_install(int argc, char *argv[], void *userdata) { sd_id128_t uuid = SD_ID128_NULL; @@ -1037,11 +1038,13 @@ int verb_install(int argc, char *argv[], void *userdata) { /* Support graceful mode only for updates, unless forcibly enabled in chroot environments */ graceful = arg_graceful() == ARG_GRACEFUL_FORCE || (!install && arg_graceful() != ARG_GRACEFUL_NO); +#if HAVE_OPENSSL _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL; _cleanup_(X509_freep) X509 *certificate = NULL; r = load_secure_boot_auto_enroll(&certificate, &private_key); if (r < 0) return r; +#endif r = acquire_esp(/* unprivileged_mode= */ false, graceful, &part, &pstart, &psize, &uuid, NULL); if (graceful && r == -ENOKEY) @@ -1101,17 +1104,15 @@ int verb_install(int argc, char *argv[], void *userdata) { if (r < 0) return r; - if (arg_install_random_seed) { - r = install_random_seed(arg_esp_path); - if (r < 0) - return r; - } + r = install_random_seed(arg_esp_path); + if (r < 0) + return r; - if (arg_secure_boot_auto_enroll) { - r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key); - if (r < 0) - return r; - } +#if HAVE_OPENSSL + r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key); + if (r < 0) + return r; +#endif } r = install_loader_specification(arg_dollar_boot_path()); diff --git a/src/bootctl/bootctl-random-seed.c b/src/bootctl/bootctl-random-seed.c index c4811aace3..8abb6c1969 100644 --- a/src/bootctl/bootctl-random-seed.c +++ b/src/bootctl/bootctl-random-seed.c @@ -122,6 +122,9 @@ int install_random_seed(const char *esp) { assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE); + if (!arg_install_random_seed) + return 0; + esp_fd = open(esp, O_DIRECTORY|O_RDONLY|O_CLOEXEC); if (esp_fd < 0) return log_error_errno(errno, "Failed to open ESP directory '%s': %m", esp); diff --git a/src/bootctl/bootctl.c b/src/bootctl/bootctl.c index 1341036ced..dc321a07ca 100644 --- a/src/bootctl/bootctl.c +++ b/src/bootctl/bootctl.c @@ -654,11 +654,17 @@ static int parse_argv(int argc, char *argv[]) { if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup")) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup"); - if (arg_secure_boot_auto_enroll && !arg_certificate) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided"); + if (arg_secure_boot_auto_enroll) { +#if HAVE_OPENSSL + if (!arg_certificate) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided."); - if (arg_secure_boot_auto_enroll && !arg_private_key) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided"); + if (!arg_private_key) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided."); +#else + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Secure boot auto-enrollment requested but OpenSSL support is disabled."); +#endif + } r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT); if (r < 0) diff --git a/src/repart/repart.c b/src/repart/repart.c index 30395e1ca1..dbf261bb26 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -517,8 +517,10 @@ struct Context { bool from_scratch; +#if HAVE_OPENSSL X509 *certificate; EVP_PKEY *private_key; +#endif bool defer_partitions_empty; bool defer_partitions_factory_reset; @@ -848,11 +850,7 @@ static Context* context_new( char **definitions, EmptyMode empty, bool dry_run, - sd_id128_t seed, - X509 *certificate, - EVP_PKEY *private_key) { - - /* Note: This function takes ownership of the certificate and private_key arguments. */ + sd_id128_t seed) { _cleanup_strv_free_ char **d = NULL; if (!strv_isempty(definitions)) { @@ -871,8 +869,6 @@ static Context* context_new( .end = UINT64_MAX, .total = UINT64_MAX, .seed = seed, - .certificate = certificate, - .private_key = private_key, .empty = empty, .dry_run = dry_run, .backing_fd = -EBADF, @@ -912,8 +908,10 @@ static Context* context_free(Context *context) { else free(context->node); +#if HAVE_OPENSSL X509_free(context->certificate); EVP_PKEY_free(context->private_key); +#endif context->link = sd_varlink_unref(context->link); @@ -5492,9 +5490,8 @@ static int partition_format_verity_hash( } static int sign_verity_roothash( + Context *context, const struct iovec *roothash, - X509 *certificate, - EVP_PKEY *private_key, struct iovec *ret_signature) { #if HAVE_OPENSSL @@ -5504,8 +5501,10 @@ static int sign_verity_roothash( _cleanup_free_ uint8_t *sig = NULL; int sigsz; + assert(context); + assert(context->certificate); + assert(context->private_key); assert(roothash); - assert(private_key); assert(iovec_is_set(roothash)); assert(ret_signature); @@ -5517,7 +5516,7 @@ static int sign_verity_roothash( if (!rb) return log_oom(); - p7 = PKCS7_sign(certificate, private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY); + p7 = PKCS7_sign(context->certificate, context->private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY); if (!p7) return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to calculate PKCS7 signature: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -5565,6 +5564,7 @@ static int partition_format_verity_sig(Context *context, Partition *p) { Partition *hp, *rp; uint8_t fp[X509_FINGERPRINT_SIZE]; int whole_fd, r; + bool has_fp = false; assert(p->verity == VERITY_SIG); @@ -5581,13 +5581,20 @@ static int partition_format_verity_sig(Context *context, Partition *p) { verity_settings = lookup_verity_settings_by_uuid_pair(rp->current_uuid, hp->current_uuid); - if (!context->private_key && !verity_settings) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Verity signature partition signing requested but no private key provided (--private-key=)."); + if (!verity_settings) { +#if HAVE_OPENSSL + if (!context->private_key) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Verity signature partition signing requested but no private key provided (--private-key=)."); - if (!context->certificate && !verity_settings) + if (!context->certificate) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Verity signature partition signing requested but no PEM certificate provided (--certificate=)."); +#else return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Verity signature partition signing requested but no PEM certificate provided (--certificate=)."); + "Verity signature partition signing requested but OpenSSL support is disabled."); +#endif + } (void) partition_hint(p, context->node, &hint); @@ -5603,7 +5610,7 @@ static int partition_format_verity_sig(Context *context, Partition *p) { .iov_len = verity_settings->root_hash_size, }; } else { - r = sign_verity_roothash(&hp->roothash, context->certificate, context->private_key, &sig_free); + r = sign_verity_roothash(context, &hp->roothash, &sig_free); if (r < 0) return r; @@ -5611,14 +5618,17 @@ static int partition_format_verity_sig(Context *context, Partition *p) { roothash = hp->roothash; } +#if HAVE_OPENSSL r = x509_fingerprint(context->certificate, fp); if (r < 0) return log_error_errno(r, "Unable to calculate X509 certificate fingerprint: %m"); + has_fp = true; +#endif r = sd_json_buildo( &v, SD_JSON_BUILD_PAIR("rootHash", SD_JSON_BUILD_HEX(roothash.iov_base, roothash.iov_len)), - SD_JSON_BUILD_PAIR("certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))), + SD_JSON_BUILD_PAIR_CONDITION(has_fp, "certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))), SD_JSON_BUILD_PAIR("signature", JSON_BUILD_IOVEC_BASE64(&sig))); if (r < 0) return log_error_errno(r, "Failed to build verity signature JSON object: %m"); @@ -8730,6 +8740,57 @@ static int context_minimize(Context *context) { return 0; } +static int context_load_keys(Context *context) { +#if HAVE_OPENSSL + int r; + + assert(context); + + if (arg_certificate) { + if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) { + r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate); + if (r < 0) + return r; + } + + r = openssl_load_x509_certificate( + arg_certificate_source_type, + arg_certificate_source, + arg_certificate, + &context->certificate); + if (r < 0) + return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate); + } + + if (arg_private_key) { + if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) { + r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key); + if (r < 0) + return r; + } + + r = openssl_load_private_key( + arg_private_key_source_type, + arg_private_key_source, + arg_private_key, + &(AskPasswordRequest) { + .tty_fd = -EBADF, + .id = "repart-private-key-pin", + .keyring = arg_private_key, + .credential = "repart.private-key-pin", + .until = USEC_INFINITY, + .hup_fd = -EBADF, + }, + &context->private_key, + /* ret_user_interface= */ NULL); + if (r < 0) + return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key); + } + +#endif + return 0; +} + static int parse_partition_types(const char *p, GptPartitionType **partitions, size_t *n_partitions) { int r; @@ -8934,13 +8995,7 @@ static int help(void) { return 0; } -static int parse_argv( - int argc, - char *argv[], - X509 **ret_certificate, - EVP_PKEY **ret_private_key, - OpenSSLAskPasswordUI **ret_ui) { - +static int parse_argv(int argc, char *argv[]) { enum { ARG_VERSION = 0x100, ARG_NO_PAGER, @@ -9039,17 +9094,11 @@ static int parse_argv( {} }; - _cleanup_(X509_freep) X509 *certificate = NULL; - _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL; - _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL; bool auto_public_key_pcr_mask = true, auto_pcrlock = true; int c, r; assert(argc >= 0); assert(argv); - assert(ret_certificate); - assert(ret_private_key); - assert(ret_ui); while ((c = getopt_long(argc, argv, "hs:SCP", options, NULL)) >= 0) @@ -9590,47 +9639,6 @@ static int parse_argv( *p = gpt_partition_type_override_architecture(*p, arg_architecture); } - if (arg_certificate) { - if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) { - r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate); - if (r < 0) - return r; - } - - r = openssl_load_x509_certificate( - arg_certificate_source_type, - arg_certificate_source, - arg_certificate, - &certificate); - if (r < 0) - return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate); - } - - if (arg_private_key) { - if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) { - r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key); - if (r < 0) - return r; - } - - r = openssl_load_private_key( - arg_private_key_source_type, - arg_private_key_source, - arg_private_key, - &(AskPasswordRequest) { - .tty_fd = -EBADF, - .id = "repart-private-key-pin", - .keyring = arg_private_key, - .credential = "repart.private-key-pin", - .until = USEC_INFINITY, - .hup_fd = -EBADF, - }, - &private_key, - &ui); - if (r < 0) - return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key); - } - if (arg_append_fstab && !arg_generate_fstab) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No --generate-fstab= specified for --append-fstab=%s.", append_mode_to_string(arg_append_fstab)); @@ -9642,10 +9650,6 @@ static int parse_argv( arg_pager_flags |= PAGER_DISABLE; } - *ret_certificate = TAKE_PTR(certificate); - *ret_private_key = TAKE_PTR(private_key); - *ret_ui = TAKE_PTR(ui); - return 1; } @@ -10266,9 +10270,7 @@ static int vl_method_run( p.definitions, p.empty, p.dry_run, - p.seed, - /* certificate= */ NULL, - /* private_key= */ NULL); + p.seed); if (!context) return log_oom(); @@ -10407,9 +10409,6 @@ static int vl_server(void) { } static int run(int argc, char *argv[]) { - _cleanup_(X509_freep) X509 *certificate = NULL; - _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL; - _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL; _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; _cleanup_(umount_and_freep) char *mounted_dir = NULL; _cleanup_(context_freep) Context* context = NULL; @@ -10418,7 +10417,7 @@ static int run(int argc, char *argv[]) { log_setup(); - r = parse_argv(argc, argv, &certificate, &private_key, &ui); + r = parse_argv(argc, argv); if (r <= 0) return r; @@ -10484,14 +10483,13 @@ static int run(int argc, char *argv[]) { arg_definitions, arg_empty, arg_dry_run, - arg_seed, - certificate, - private_key); + arg_seed); if (!context) return log_oom(); - TAKE_PTR(certificate); - TAKE_PTR(private_key); + r = context_load_keys(context); + if (r < 0) + return r; context->defer_partitions_empty = arg_defer_partitions_empty; context->defer_partitions_factory_reset = arg_defer_partitions_factory_reset; diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c index 9974b3696c..13f68f87b9 100644 --- a/src/resolve/resolvectl.c +++ b/src/resolve/resolvectl.c @@ -1014,6 +1014,7 @@ static int verb_service(int argc, char **argv, void *userdata) { return resolve_service(bus, argv[1], argv[2], argv[3]); } +#if HAVE_OPENSSL static int resolve_openpgp(sd_bus *bus, const char *address) { int r; @@ -1074,8 +1075,10 @@ static int resolve_openpgp(sd_bus *bus, const char *address) { arg_type ?: DNS_TYPE_OPENPGPKEY, /* warn_missing= */ true); } +#endif static int verb_openpgp(int argc, char **argv, void *userdata) { +#if HAVE_OPENSSL _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; int r, ret = 0; @@ -1090,6 +1093,9 @@ static int verb_openpgp(int argc, char **argv, void *userdata) { RET_GATHER(ret, resolve_openpgp(bus, *p)); return ret; +#else + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled, cannot query Open PGP keys."); +#endif } static int resolve_tlsa(sd_bus *bus, const char *family, const char *address) { diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c index bb45cf73f6..8fb23a8f92 100644 --- a/src/shared/openssl-util.c +++ b/src/shared/openssl-util.c @@ -1644,25 +1644,20 @@ static int load_x509_certificate_from_provider(const char *provider, const char return -EOPNOTSUPP; #endif } -#endif OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) { -#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE) if (!ui) return NULL; +#ifndef OPENSSL_NO_UI_CONSOLE assert(UI_get_default_method() == ui->method); UI_set_default_method(UI_OpenSSL()); UI_destroy_method(ui->method); - return mfree(ui); -#else - assert(ui == NULL); - return NULL; #endif + return mfree(ui); } int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) { -#if HAVE_OPENSSL _cleanup_free_ uint8_t *der = NULL; int dersz; @@ -1674,9 +1669,6 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) { sha256_direct(der, dersz, buffer); return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate X509 fingerprint."); -#endif } int openssl_load_x509_certificate( @@ -1684,7 +1676,7 @@ int openssl_load_x509_certificate( const char *certificate_source, const char *certificate, X509 **ret) { -#if HAVE_OPENSSL + int r; assert(certificate); @@ -1708,9 +1700,6 @@ int openssl_load_x509_certificate( certificate_source); return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load X509 certificate."); -#endif } int openssl_load_private_key( @@ -1720,7 +1709,7 @@ int openssl_load_private_key( const AskPasswordRequest *request, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_user_interface) { -#if HAVE_OPENSSL + int r; assert(private_key); @@ -1763,10 +1752,8 @@ int openssl_load_private_key( } return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load private key."); -#endif } +#endif int parse_openssl_certificate_source_argument( const char *argument, diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h index 0084d62fe0..72b9cfcc90 100644 --- a/src/shared/openssl-util.h +++ b/src/shared/openssl-util.h @@ -55,22 +55,24 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s # endif DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO(void*, OPENSSL_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7_SIGNER_INFO*, PKCS7_SIGNER_INFO_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL); static inline STACK_OF(X509_ALGOR) *x509_algor_free_many(STACK_OF(X509_ALGOR) *attrs) { if (!attrs) @@ -170,44 +172,13 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_ int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, const char *hash_algorithm, PKCS7 **ret_p7, PKCS7_SIGNER_INFO **ret_si); int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret); - -#else - -typedef struct X509 X509; -typedef struct EVP_PKEY EVP_PKEY; -typedef struct EVP_MD EVP_MD; -typedef struct UI_METHOD UI_METHOD; -typedef struct ASN1_TYPE ASN1_TYPE; -typedef struct ASN1_STRING ASN1_STRING; - -static inline void* X509_free(X509 *p) { - assert(p == NULL); - return NULL; +static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) { + return string_hashsum(s, len, "SHA224", ret); } - -static inline void* EVP_PKEY_free(EVP_PKEY *p) { - assert(p == NULL); - return NULL; +static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) { + return string_hashsum(s, len, "SHA256", ret); } -static inline int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret) { - return -EOPNOTSUPP; -} - -#endif - -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL); - -struct OpenSSLAskPasswordUI { - AskPasswordRequest request; - UI_METHOD *method; -}; - -OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui); - -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL); - int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]); int openssl_load_x509_certificate( @@ -224,10 +195,13 @@ int openssl_load_private_key( EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_user_interface); -static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) { - return string_hashsum(s, len, "SHA224", ret); -} +struct OpenSSLAskPasswordUI { + AskPasswordRequest request; +#ifndef OPENSSL_NO_UI_CONSOLE + UI_METHOD *method; +#endif +}; -static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) { - return string_hashsum(s, len, "SHA256", ret); -} +OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL); +#endif diff --git a/src/shared/pe-binary.c b/src/shared/pe-binary.c index 1dfda07142..97e5ba51c7 100644 --- a/src/shared/pe-binary.c +++ b/src/shared/pe-binary.c @@ -336,13 +336,12 @@ static int hash_file(int fd, EVP_MD_CTX *md_ctx, uint64_t offset, uint64_t size) static int section_offset_cmp(const IMAGE_SECTION_HEADER *a, const IMAGE_SECTION_HEADER *b) { return CMP(ASSERT_PTR(a)->PointerToRawData, ASSERT_PTR(b)->PointerToRawData); } -#endif int pe_hash(int fd, const EVP_MD *md, void **ret_hash, size_t *ret_hash_size) { -#if HAVE_OPENSSL + _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *mdctx = NULL; _cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL; _cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL; @@ -449,9 +448,6 @@ int pe_hash(int fd, *ret_hash_size = hash_size; return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate PE hash."); -#endif } int pe_checksum(int fd, uint32_t *ret) { @@ -503,7 +499,6 @@ int pe_checksum(int fd, uint32_t *ret) { return 0; } -#if HAVE_OPENSSL typedef void* SectionHashArray[_UNIFIED_SECTION_MAX]; static void section_hash_array_done(SectionHashArray *array) { @@ -512,13 +507,12 @@ static void section_hash_array_done(SectionHashArray *array) { for (size_t i = 0; i < _UNIFIED_SECTION_MAX; i++) free((*array)[i]); } -#endif int uki_hash(int fd, const EVP_MD *md, void* ret_hashes[static _UNIFIED_SECTION_MAX], size_t *ret_hash_size) { -#if HAVE_OPENSSL + _cleanup_(section_hash_array_done) SectionHashArray hashes = {}; _cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL; _cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL; @@ -605,7 +599,5 @@ int uki_hash(int fd, *ret_hash_size = (unsigned) hsz; return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate UKI hash."); -#endif } +#endif diff --git a/src/shared/pe-binary.h b/src/shared/pe-binary.h index 2579dd9ae8..0f748a87d7 100644 --- a/src/shared/pe-binary.h +++ b/src/shared/pe-binary.h @@ -151,8 +151,11 @@ bool pe_is_addon(const PeHeader *pe_header, const IMAGE_SECTION_HEADER *sections bool pe_is_native(const PeHeader *pe_header); int pe_is_native_fd(int fd); +#if HAVE_OPENSSL int pe_hash(int fd, const EVP_MD *md, void **ret_hash, size_t *ret_hash_size); +/* This does not depend on OpenSSL, but is currently only used by sbsign which requires OpenSSL. */ int pe_checksum(int fd, uint32_t *ret); int uki_hash(int fd, const EVP_MD *md, void *ret_hashes[static _UNIFIED_SECTION_MAX], size_t *ret_hash_size); +#endif