From 61989b4c0a2da337a5c8df56e68c83e73259ed75 Mon Sep 17 00:00:00 2001

From: Petr Gotthard <petr.gotthard@centrum.cz>

Date: Sat, 7 Aug 2021 11:39:52 +0200

Subject: [PATCH 04/17] openssl: Remove support for OpenSSL < 1.1.0

The OpenSSL 1.0.2 is no longer maintained. Supporting an EOL crypto

library is not a good idea.

 - Compared to the upstream commit 1e439d85 changes related to functions

   and features not previously backported were ommited.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>

---

 configure.ac       |  2 +-

 doc/CHANGELOG.md   |  5 +++

 doc/INSTALL.md     |  2 +-

 doc/RELEASE.md     |  7 ----

 lib/tpm2_openssl.c | 87 ----------------------------------------------

 lib/tpm2_openssl.h | 10 ------

 6 files changed, 7 insertions(+), 106 deletions(-)

diff --git a/configure.ac b/configure.ac

index a3988e15..9561fa86 100644

--- a/configure.ac

+++ b/configure.ac

@@ -58,7 +58,7 @@ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])

 PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])

 PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])

 PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])

-PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])

+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])

 PKG_CHECK_MODULES([CURL], [libcurl])

 PKG_CHECK_MODULES([UUID], [uuid])

diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md

index 87573fd7..b244dfee 100644

--- a/doc/CHANGELOG.md

+++ b/doc/CHANGELOG.md

@@ -1,5 +1,10 @@

 ## Changelog

+### next

+

+  * openssl:

+      - Dropped support for OpenSSL < 1.1.0

+

 ### 5.0 - 2020-11-16

 #### Non Backwards Compatible Changes

diff --git a/doc/INSTALL.md b/doc/INSTALL.md

index b23b8d61..ab160581 100644

--- a/doc/INSTALL.md

+++ b/doc/INSTALL.md

@@ -19,7 +19,7 @@ To build and install the tpm2-tools software the following software is required:

   * C compiler

   * C Library Development Libraries and Header Files (for pthreads headers)

   * ESAPI - TPM2.0 TSS ESAPI library (tss2-esys) and header files

-  * OpenSSL libcrypto library and header files

+  * OpenSSL libcrypto library and header files (version >= 1.1.0)

   * Curl library and header files

   * Universally Unique ID library (UUID)

diff --git a/doc/RELEASE.md b/doc/RELEASE.md

index e2c72a67..8769b57d 100644

--- a/doc/RELEASE.md

+++ b/doc/RELEASE.md

@@ -23,13 +23,6 @@ the next release.

 - [3.0.X](https://github.com/tpm2-software/tpm2-tools/tree/3.0.X): EOL after

 3.2.1 release.

-## OpenSSL

-

-tpm2-tools relies heavily on OpenSSL. OpenSSL will be EOL'ing 1.0.2 at the end

-of 2019, see: https://www.openssl.org/blog/blog/2018/05/18/new-lts/. When this

-occurs, we will remove OSSL 1.0.2 support from the tpm2-tools repository as

-supporting an EOL crypto library is not a good idea.

-

 # Release Information

 Releases shall be tagged following semantic version guidelines found at:

diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c

index e769d6df..877d2764 100644

--- a/lib/tpm2_openssl.c

+++ b/lib/tpm2_openssl.c

@@ -72,58 +72,6 @@ const EVP_MD *tpm2_openssl_halg_from_tpmhalg(TPMI_ALG_HASH algorithm) {

     /* no return, not possible */

 }

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {

-

-    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {

-        return 0;

-    }

-

-    if (n != NULL) {

-        BN_free(r->n);

-        r->n = n;

-    }

-

-    if (e != NULL) {

-        BN_free(r->e);

-        r->e = e;

-    }

-

-    if (d != NULL) {

-        BN_free(r->d);

-        r->d = d;

-    }

-

-    return 1;

-}

-

-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {

-    if(p) {

-        *p = r->p;

-    }

-

-    if (q) {

-        *q = r->q;

-    }

-}

-

-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {

-

-    if (!r || !s) {

-        return 0;

-    }

-

-    BN_clear_free(sig->r);

-    BN_clear_free(sig->s);

-

-    sig->r = r;

-    sig->s = s;

-

-    return 1;

-}

-

-#endif

-

 bool tpm2_openssl_hash_compute_data(TPMI_ALG_HASH halg, BYTE *buffer,

         UINT16 length, TPM2B_DIGEST *digest) {

@@ -422,54 +370,28 @@ out:

 HMAC_CTX *tpm2_openssl_hmac_new() {

     HMAC_CTX *ctx;

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    ctx = malloc(sizeof(*ctx));

-#else

     ctx = HMAC_CTX_new();

-#endif

     if (!ctx)

         return NULL;

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    HMAC_CTX_init(ctx);

-#endif

-

     return ctx;

 }

 void tpm2_openssl_hmac_free(HMAC_CTX *ctx) {

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    HMAC_CTX_cleanup(ctx);

-    free(ctx);

-#else

     HMAC_CTX_free(ctx);

-#endif

 }

 EVP_CIPHER_CTX *tpm2_openssl_cipher_new(void) {

     EVP_CIPHER_CTX *ctx;

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    ctx = malloc(sizeof(*ctx));

-#else

     ctx = EVP_CIPHER_CTX_new();

-#endif

     if (!ctx)

         return NULL;

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    EVP_CIPHER_CTX_init(ctx);

-#endif

-

     return ctx;

 }

 void tpm2_openssl_cipher_free(EVP_CIPHER_CTX *ctx) {

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    EVP_CIPHER_CTX_cleanup(ctx);

-    free(ctx);

-#else

     EVP_CIPHER_CTX_free(ctx);

-#endif

 }

 digester tpm2_openssl_halg_to_digester(TPMI_ALG_HASH halg) {

@@ -680,12 +602,7 @@ static bool load_public_RSA_from_key(RSA *k, TPM2B_PUBLIC *pub) {

     const BIGNUM *n; /* modulus */

     const BIGNUM *e; /* public key exponent */

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    n = k->n;

-    e = k->e;

-#else

     RSA_get0_key(k, &n, &e, NULL);

-#endif

     /*

      * The size of the modulus is the key size in RSA, store this as the

@@ -1006,11 +923,7 @@ static bool load_private_RSA_from_key(RSA *k, TPM2B_SENSITIVE *priv) {

     const BIGNUM *p; /* the private key exponent */

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-    p = k->p;

-#else

     RSA_get0_factors(k, &p, NULL);

-#endif

     TPMT_SENSITIVE *sa = &priv->sensitiveArea;

diff --git a/lib/tpm2_openssl.h b/lib/tpm2_openssl.h

index 46c8f9c0..8e3e0c17 100644

--- a/lib/tpm2_openssl.h

+++ b/lib/tpm2_openssl.h

@@ -13,10 +13,6 @@

 #include "pcr.h"

-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */

-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11

-#endif

-

 #if OPENSSL_VERSION_NUMBER >= 0x10101000L

 #define EC_POINT_set_affine_coordinates_tss(group, tpm_pub_key, bn_x, bn_y, dmy) \

         EC_POINT_set_affine_coordinates(group, tpm_pub_key, bn_x, bn_y, dmy)

@@ -32,12 +28,6 @@

         EC_POINT_get_affine_coordinates_GFp(group, tpm_pub_key, bn_x, bn_y, dmy)

 #endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */

-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)

-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);

-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);

-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);

-#endif

-

 /**

  * Function prototype for a hashing routine.

  *

-- 

2.31.1