[openssl-dev] [openssl.org #3674] Bug report - cannot compile 1.0.2 with no-cms

David Woodhouse via RT rt at openssl.org
Wed Jul 22 11:42:36 UTC 2015 

From: David Bar <david.bar at gmail.com>
Subject: [PATCH] RT3674: Fix no-cms build failure

This fixes multiple problems with CMS-related code, including the
RFC2631 DH key derivation which depends on CMS, not being correctly
protected by #ifndef OPENSSL_NO_CMS.
---
Updated version of David Bar's patch, against OpenSSL git HEAD. I have
introduced a couple of switch statements for key derivation types, as
David suggested. And also I leave EVP_PKEY_DH_KDF_X9_42 defined in the
header file, but just returning failure when you try to *use* it.

(
This fix is also required for building OpenSSL in the UEFI environment.
We are starting to work on fixing up the patch which currently lives in 
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/Openssl
Lib
so that we can get the useful parts merged upstream.

To start with, we've just broken it down into individual changes, which
are (not cleaned up for submission yet) at 
http://git.infradead.org/users/dwmw2/openssl.git/shortlog/refs/heads/OpenSSL_1_0_2-stable 
)

 crypto/dh/dh_kdf.c     |  3 +++
 crypto/dh/dh_pmeth.c   | 30 +++++++++++++++++++++++-------
 crypto/ec/ec_ameth.c   |  2 ++
 crypto/rsa/rsa_ameth.c |  8 ++++++++
 include/openssl/dh.h   |  2 ++
 5 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c
index b812d82..3035d0b 100644
--- a/crypto/dh/dh_kdf.c
+++ b/crypto/dh/dh_kdf.c
@@ -51,6 +51,8 @@
  * ====================================================================
  */
 
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_CMS
 #include <string.h>
 #include <openssl/dh.h>
 #include <openssl/evp.h>
@@ -184,3 +186,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
     EVP_MD_CTX_cleanup(&mctx);
     return rv;
 }
+#endif /* !OPENSSL_NO_CMS */
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 763e42f..b070246 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -203,12 +203,20 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
 
     case EVP_PKEY_CTRL_DH_KDF_TYPE:
-        if (p1 == -2)
+        switch (p1) {
+        case -2:
             return dctx->kdf_type;
-        if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
+
+#ifndef OPENSSL_NO_CMS
+        case EVP_PKEY_DH_KDF_X9_42:
+#endif
+        case EVP_PKEY_DH_KDF_NONE:
+            dctx->kdf_type = p1;
+            return 1;
+
+        default:
             return -2;
-        dctx->kdf_type = p1;
-        return 1;
+	}
 
     case EVP_PKEY_CTRL_DH_KDF_MD:
         dctx->kdf_md = p2;
@@ -437,7 +445,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
     }
     dh = ctx->pkey->pkey.dh;
     dhpub = ctx->peerkey->pkey.dh->pub_key;
-    if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
+
+    switch (dctx->kdf_type) {
+    case EVP_PKEY_DH_KDF_NONE:
         if (key == NULL) {
             *keylen = DH_size(dh);
             return 1;
@@ -447,7 +457,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
             return ret;
         *keylen = ret;
         return 1;
-    } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
+
+#ifndef OPENSSL_NO_CMS
+    case EVP_PKEY_DH_KDF_X9_42: {
         unsigned char *Z = NULL;
         size_t Zlen = 0;
         if (!dctx->kdf_outlen || !dctx->kdf_oid)
@@ -475,7 +487,11 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
         OPENSSL_clear_free(Z, Zlen);
         return ret;
     }
-    return 1;
+#endif /* !OPENSSL_NO_CMS */
+
+    default:
+        return 0;
+    }
 }
 
 const EVP_PKEY_METHOD dh_pkey_meth = {
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index edb68d1..e2f3287 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -67,8 +67,10 @@
 #include <openssl/asn1t.h>
 #include "internal/asn1_int.h"
 
+#ifndef OPENSSL_NO_CMS
 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
+#endif
 
 static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 {
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index d409631..254b553 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -68,10 +68,12 @@
 #endif
 #include "internal/asn1_int.h"
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si);
 static int rsa_cms_verify(CMS_SignerInfo *si);
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
+#endif
 
 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
@@ -653,6 +655,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
     return rv;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_verify(CMS_SignerInfo *si)
 {
     int nid, nid2;
@@ -671,6 +674,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)
     }
     return 0;
 }
+#endif
 
 /*
  * Customised RSA item verification routine. This is called when a signature
@@ -693,6 +697,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
     return -1;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si)
 {
     int pad_mode = RSA_PKCS1_PADDING;
@@ -717,6 +722,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
     return 1;
 }
+#endif
 
 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                          X509_ALGOR *alg1, X509_ALGOR *alg2,
@@ -768,6 +774,7 @@ static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
     return pss;
 }
 
+#ifndef OPENSSL_NO_CMS
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
 {
     EVP_PKEY_CTX *pkctx;
@@ -900,6 +907,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
     ASN1_STRING_free(os);
     return rv;
 }
+#endif
 
 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
     {
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index e0f4b57..882d4f1 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -239,11 +239,13 @@ DH *DH_get_1024_160(void);
 DH *DH_get_2048_224(void);
 DH *DH_get_2048_256(void);
 
+# ifndef OPENSSL_NO_CMS
 /* RFC2631 KDF */
 int DH_KDF_X9_42(unsigned char *out, size_t outlen,
                  const unsigned char *Z, size_t Zlen,
                  ASN1_OBJECT *key_oid,
                  const unsigned char *ukm, size_t ukmlen, const EVP_MD *md);
+# endif
 
 # define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \
         EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \
-- 
2.4.3

-- 
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150722/35da945f/attachment-0001.bin>

More information about the openssl-dev mailing list