diff --git a/.gitignore b/.gitignore index a3db686..c0555ef 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ config.status configure Makefile Makefile.in +.idea diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..3042ef9 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,107 @@ +# If not stated otherwise in this file or this component's Licenses.txt file the +# following copyright and licenses apply: +# +# Copyright 2022 RDK Management +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +cmake_minimum_required(VERSION 3.16) +project(sec_api C CXX) + +set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH}) +set(CMAKE_C_STANDARD 99) +set(CMAKE_CXX_STANDARD 11) +set(CMAKE_CXX_STANDARD_REQUIRED ON) + +# Set OPENSSL_ROOT_DIR if not found +find_package(OpenSSL REQUIRED) +# Set YAJL_ROOT if not found +find_package(YAJL REQUIRED) + +enable_testing() + +include_directories( + ${OPENSSL_INCLUDE_DIR} + ${YAJL_INCLUDE_DIR} + src/headers + src +) + +add_compile_options(-DSEC_TARGET_LOCAL + -Wall + -Werror + -Wfatal-errors + -Wno-unused-result + -Wno-unused-but-set-variable + -Wno-unused-value + -fPIC + -fdata-sections + -ffunction-sections + -pthread + -Os + -DSEC_PLATFORM_OPENSSL + -DYAJL_V2) + +add_library(sec_api STATIC + src/headers/sec_security.h + src/headers/sec_security_comcastids.h + src/headers/sec_security_common.h + src/headers/sec_security_datatype.h + src/outprot.cpp + src/outprot.h + src/outprot_mock.cpp + src/sec_pubops.h + src/sec_pubops_openssl.c + src/sec_security_asn1kc.c + src/sec_security_asn1kc.h + src/sec_security_buffer.c + src/sec_security_common.c + src/sec_security_endian.c + src/sec_security_engine.c + src/sec_security_json.h + src/sec_security_json_yajl.c + src/sec_security_jtype.c + src/sec_security_jtype.h + src/sec_security_logger.c + src/sec_security_mutex.c + src/sec_security_mutex.h + src/sec_security_openssl.c + src/sec_security_openssl.h + src/sec_security_outprot.c + src/sec_security_outprot.h + src/sec_security_shm.c + src/sec_security_shm.h + src/sec_security_store.c + src/sec_security_store.h + src/sec_security_strptime.c + src/sec_security_utils.c + src/sec_security_utils.h + src/sec_security_utils_b64.c + src/sec_security_utils_time.c + src/sec_version.h + ) + +target_link_libraries(sec_api + PRIVATE + ${OPENSSL_CRYPTO_LIBRARY} + ) + +# 'make install' to the correct locations (provided by GNUInstallDirs). +install(TARGETS sec_api + ARCHIVE DESTINATION lib + LIBRARY DESTINATION lib + RUNTIME DESTINATION bin + ) + +install(DIRECTORY headers/ DESTINATION include) diff --git a/Makefile.am b/Makefile.am deleted file mode 100644 index f268924..0000000 --- a/Makefile.am +++ /dev/null @@ -1,2 +0,0 @@ -SUBDIRS = src - diff --git a/NOTICE b/NOTICE index 644855c..ab71bf4 100644 --- a/NOTICE +++ b/NOTICE @@ -1,2 +1,8 @@ -Copyright 2019 RDK Management -Licensed under the Apache License, Version 2.0 +This component contains software that is Copyright (c) 2019 RDK Management. +The component is licensed to you under the Apache License, Version 2.0 (the "License"). +You may not use the component except in compliance with the License. + +The component may include material which is licensed under other licenses / copyrights as +listed below. Your use of this material within the component is also subject to the terms and +conditions of these licenses. The LICENSE file contains the text of all the licenses which apply +within this component. diff --git a/README.md b/README.md new file mode 100644 index 0000000..5999783 --- /dev/null +++ b/README.md @@ -0,0 +1,54 @@ +# RDKCryptoAPI + +## Summary + +RDKCryptoAPI contains cryptographic APIs used in the RDK Software Stack and an OpenSSL reference implementation. + +## Building + +### Generate Build Files + +To build RDKCryptoAPI, first run cmake to generate build files. + +The build assumes that the following packages have already been installed: +YAJL - include -DYAJL_ROOT= if not found +OPENSSL - include -DOPENSSL_ROOT_DIR= if not found +Add -DCMAKE_INSTALL_PREFIX= to install to a non-standard install directory. + +``` +cmake -S . -B cmake-build +``` + +### Build + +To build RDKCryptoAPI, run a cmake build + +``` +cmake --build cmake-build +``` + +This creates a library, libsec_api.(so/dll/dylib) containing the RDKCryptoAPI code (the extension .so/.dll/.dylib +created depends on which platform you are building on). It also creates a test application, sec_api_test, to +test the library. + +Run unit test suite + +``` +cmake-build/sec_api_test +``` + +### Install + +To install RDKCryptoAPI, run a cmake install + +``` +cmake --install cmake-build +``` + +This copies the include files, the library, libsec_api.(so/dll/dylib) containing the RDKCryptoAPI reference code (the +extension .so/.dll/.dylib created depends on which platform you are building on), and the test application, +sec_api_test, to their appropriate locations on the system. + +## Dependencies + +RDKCryptoAPI depends on OpenSSL 1.0.2 or 1.1.1 and YAJL version 1 or 2. diff --git a/autogen.sh b/autogen.sh deleted file mode 100755 index 122e1e1..0000000 --- a/autogen.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -mkdir config -autoreconf --force --install -I config diff --git a/cmake/FindYAJL.cmake b/cmake/FindYAJL.cmake new file mode 100755 index 0000000..3ec7604 --- /dev/null +++ b/cmake/FindYAJL.cmake @@ -0,0 +1,36 @@ +# +# Copyright 2020-2022 Comcast Cable Communications Management, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Find libyajl + +FIND_PATH(YAJL_INCLUDE_DIR yajl/yajl_common.h) + +SET(YAJL_NAMES ${YAJL_NAMES} yajl libyajl) +FIND_LIBRARY(YAJL_LIBRARY NAMES ${YAJL_NAMES} PATH) + +IF(YAJL_INCLUDE_DIR AND YAJL_LIBRARY) + SET(YAJL_FOUND TRUE) +ENDIF(YAJL_INCLUDE_DIR AND YAJL_LIBRARY) + +IF(YAJL_FOUND) + IF(NOT Yajl_FIND_QUIETLY) + MESSAGE(STATUS "Found Yajl: ${YAJL_LIBRARY}") + ENDIF (NOT Yajl_FIND_QUIETLY) +ELSE(YAJL_FOUND) + IF(Yajl_FIND_REQUIRED) + MESSAGE(FATAL_ERROR "Could not find yajl") + ENDIF(Yajl_FIND_REQUIRED) +ENDIF(YAJL_FOUND) diff --git a/configure.ac b/configure.ac deleted file mode 100644 index 43c4075..0000000 --- a/configure.ac +++ /dev/null @@ -1,10 +0,0 @@ -AC_INIT([sec_api], [2.2.0], [davor_mrkoci@cable.comcast.com]) -AC_CONFIG_AUX_DIR(config) -AM_INIT_AUTOMAKE([foreign -Wall -Werror]) -AC_PROG_RANLIB -AC_PROG_CC -AC_PROG_CXX -AM_PROG_AR -AC_CONFIG_FILES([Makefile src/Makefile]) -AC_OUTPUT - diff --git a/src/Makefile.am b/src/Makefile.am deleted file mode 100644 index b168df7..0000000 --- a/src/Makefile.am +++ /dev/null @@ -1,14 +0,0 @@ -lib_LIBRARIES = libsec_api.a - -include_HEADERS = headers/sec_security_datatype.h -include_HEADERS += headers/sec_security.h -include_HEADERS += headers/sec_security_common.h -include_HEADERS += headers/sec_security_comcastids.h - -libsec_api_a_SOURCES = outprot_mock.cpp outprot.cpp sec_pubops_openssl.c sec_security_asn1kc.c sec_security_buffer.c sec_security_common.c sec_security_endian.c sec_security_engine.c sec_security_json_yajl.c sec_security_jtype.c sec_security_logger.c sec_security_mutex.c sec_security_openssl.c sec_security_outprot.c sec_security_shm.c sec_security_store.c sec_security_strptime.c sec_security_utils_b64.c sec_security_utils_time.c sec_security_utils.c - -AM_CFLAGS = -DSEC_TARGET_LOCAL -Wall -Werror -Wfatal-errors -Wno-unused-result -Wno-unused-but-set-variable -Wno-unused-value -fPIC -fdata-sections -ffunction-sections -pthread -Os -DSEC_PLATFORM_OPENSSL -DYAJL_V2 -AM_CFLAGS += -I./headers/ - -AM_CXXFLAGS = -DSEC_TARGET_LOCAL -Wall -Werror -Wfatal-errors -Wno-unused-result -Wno-unused-but-set-variable -Wno-unused-value -fPIC -fdata-sections -ffunction-sections -pthread -Os -DSEC_PLATFORM_OPENSSL -DYAJL_V2 -AM_CXXFLAGS += -I./headers/ diff --git a/src/headers/sec_security_comcastids.h b/src/headers/sec_security_comcastids.h index c3d7d2d..d18f1ff 100644 --- a/src/headers/sec_security_comcastids.h +++ b/src/headers/sec_security_comcastids.h @@ -98,6 +98,7 @@ extern "C" #define SEC_OBJECTID_PLAYREADY_MODELCERT 0x0631000006310001ULL #define SEC_OBJECTID_PLAYREADY_MODELKEY 0x0331000003310001ULL +#define SEC_OBJECTID_PLAYREADY_3K_MODELKEY 0x0331000003310003ULL #define SEC_OBJECTID_WV_KEY 0x0351000003510001ULL #define SEC_OBJECTID_WV_CERTBUNDLE 0x0651000006510001ULL diff --git a/src/sec_pubops_openssl.c b/src/sec_pubops_openssl.c index bc53fc0..0d6c77e 100644 --- a/src/sec_pubops_openssl.c +++ b/src/sec_pubops_openssl.c @@ -414,6 +414,11 @@ Sec_Result _Pubops_VerifyWithPubRsa(Sec_RSARawPublicKey *pub_key, Sec_SignatureA Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureAlgorithm alg, SEC_BYTE *digest, SEC_SIZE digest_len, SEC_BYTE *sig, SEC_SIZE sig_len) { EC_KEY *ec_key = _SecUtils_ECCFromPubBinary(pub_key); Sec_Result res = SEC_RESULT_FAILURE; +#if OPENSSL_VERSION_NUMBER > 0x10100000L + ECDSA_SIG* esig = NULL; + BIGNUM* esigr = NULL; + BIGNUM* esigs = NULL; +#endif if (NULL == ec_key) { @@ -426,6 +431,37 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA goto done; } +#if OPENSSL_VERSION_NUMBER > 0x10100000L + esig = ECDSA_SIG_new(); + if (esig == NULL) { + SEC_LOG_ERROR("ECDSA_SIG_new failed"); + goto done; + } + + esigr = BN_new(); + if (esigr == NULL) { + SEC_LOG_ERROR("BN_new failed"); + goto done; + } + + esigs = BN_new(); + if (esigs == NULL) { + SEC_LOG_ERROR("BN_new failed"); + goto done; + } + + BN_bin2bn(&sig[0], SEC_ECC_NISTP256_KEY_LEN, esigr); + BN_bin2bn(&sig[SEC_ECC_NISTP256_KEY_LEN], SEC_ECC_NISTP256_KEY_LEN, esigs); + + if (!ECDSA_SIG_set0(esig, esigr, esigs)) { + SEC_LOG_ERROR("ECDSA_SIG_set0 failed"); + goto done; + } + esigr = NULL; + esigs = NULL; + + int openssl_res = ECDSA_do_verify(digest, digest_len, esig, ec_key); +#else ECDSA_SIG esig; esig.r = BN_new(); esig.s = BN_new(); @@ -435,6 +471,7 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA int openssl_res = ECDSA_do_verify(digest, digest_len, &esig, ec_key); BN_free(esig.r); BN_free(esig.s); +#endif if (1 != openssl_res) { @@ -450,6 +487,11 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA res = SEC_RESULT_SUCCESS; done: +#if OPENSSL_VERSION_NUMBER > 0x10100000L + BN_free(esigr); + BN_free(esigs); + ECDSA_SIG_free(esig); +#endif SEC_ECC_FREE(ec_key); return res; @@ -636,8 +678,16 @@ Sec_Result _Pubops_ExtractRSAPubFromX509Der(SEC_BYTE *cert, SEC_SIZE cert_len, S } Sec_Uint32ToBEBytes(RSA_size(rsa), pub->modulus_len_be); +#if OPENSSL_VERSION_NUMBER > 0x10100000L + const BIGNUM* n; + const BIGNUM* e; + RSA_get0_key(rsa, &n, &e, NULL); + _SecUtils_BigNumToBuffer(n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be)); + _SecUtils_BigNumToBuffer(e, pub->e, 4); +#else _SecUtils_BigNumToBuffer(rsa->n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be)); _SecUtils_BigNumToBuffer(rsa->e, pub->e, 4); +#endif res = SEC_RESULT_SUCCESS; done: @@ -814,8 +864,16 @@ Sec_Result _Pubops_ExtractRSAPubFromPUBKEYDer(SEC_BYTE *cert, SEC_SIZE cert_len, } Sec_Uint32ToBEBytes(RSA_size(rsa), pub->modulus_len_be); +#if OPENSSL_VERSION_NUMBER > 0x10100000L + const BIGNUM* n; + const BIGNUM* e; + RSA_get0_key(rsa, &n, &e, NULL); + _SecUtils_BigNumToBuffer(n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be)); + _SecUtils_BigNumToBuffer(e, pub->e, 4); +#else _SecUtils_BigNumToBuffer(rsa->n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be)); _SecUtils_BigNumToBuffer(rsa->e, pub->e, 4); +#endif res = SEC_RESULT_SUCCESS; @@ -886,7 +944,7 @@ Sec_Result _Pubops_Random(SEC_BYTE* out, SEC_SIZE out_len) { } Sec_Result _Pubops_RandomPrng(SEC_BYTE* out, SEC_SIZE out_len) { - if (1 != RAND_pseudo_bytes(out, out_len)) { + if (1 != RAND_bytes(out, out_len)) { SEC_LOG_ERROR(); return SEC_RESULT_FAILURE; } diff --git a/src/sec_security_asn1kc.c b/src/sec_security_asn1kc.c index 4ef9a7e..0d2eb07 100644 --- a/src/sec_security_asn1kc.c +++ b/src/sec_security_asn1kc.c @@ -51,6 +51,7 @@ IMPLEMENT_ASN1_FUNCTIONS(Sec_Asn1KC) IMPLEMENT_ASN1_PRINT_FUNCTION(Sec_Asn1KC) //PRINTF //Implements Sec_Asn1KC_new, Sec_Asn1KC_free, d2i_Sec_Asn1KC i2d_Sec_Asn1KC +#if OPENSSL_VERSION_NUMBER < 0x10100000L static Sec_Result getBE_ASN1_INTEGER(SEC_BYTE* res, const ASN1_INTEGER *ai, SEC_SIZE size, SEC_BOOL signd) { BIGNUM *bn = NULL; @@ -93,6 +94,7 @@ static Sec_Result getBE_ASN1_INTEGER(SEC_BYTE* res, const ASN1_INTEGER *ai, SEC_ BN_free(bn); return SEC_RESULT_SUCCESS; } +#endif static Sec_Result setBE_ASN1_INTEGER(ASN1_INTEGER *st, SEC_BYTE* be_value, SEC_SIZE size) @@ -233,8 +235,13 @@ static Asn1KCAttribute_t *SecAsn1KC_GetAttr(Sec_Asn1KC *kc, const char *key) at = sk_Asn1KCAttribute_t_value(kc, i); if (at != NULL && strlen(key) == ASN1_STRING_length(at->name) && +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_STRING_data(at->name) != NULL && 0 == Sec_Memcmp(key, ASN1_STRING_data(at->name), ASN1_STRING_length(at->name))) +#else + ASN1_STRING_get0_data(at->name) != NULL && + 0 == Sec_Memcmp(key, ASN1_STRING_get0_data(at->name), ASN1_STRING_length(at->name))) +#endif { return at; } @@ -266,10 +273,18 @@ Sec_Result SecAsn1KC_GetAttrLong(Sec_Asn1KC *kc, const char *key, long *val) return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L // Openssl 1.0.9 has support for signed long types // With Openssl 1.1.x new applications should use ASN1_INTEGER_get_int64() // instead *val = (long)ASN1_INTEGER_get(attr->value->c.integer); +#else + if(ASN1_INTEGER_get_int64((int64_t*)val, attr->value->c.integer) != 1) + { + SEC_LOG_ERROR("failed to get Long value from asn1 struct"); + return SEC_RESULT_FAILURE; + } +#endif return SEC_RESULT_SUCCESS; } @@ -277,7 +292,9 @@ Sec_Result SecAsn1KC_GetAttrLong(Sec_Asn1KC *kc, const char *key, long *val) Sec_Result SecAsn1KC_GetAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t *val) { Asn1KCAttribute_t *attr = NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SEC_BYTE val_buf[sizeof(int64_t)]; +#endif attr = SecAsn1KC_GetAttr(kc, key); if (attr == NULL) @@ -293,6 +310,7 @@ Sec_Result SecAsn1KC_GetAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t *val) return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L //With openssl 1.1.x support you can use ASN1_INTEGER_get_int64() in place //of getBE_ASN1_INTEGER() if(getBE_ASN1_INTEGER(val_buf, attr->value->c.integer, sizeof(val), @@ -304,6 +322,13 @@ Sec_Result SecAsn1KC_GetAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t *val) //val_buf is an 8 byte buffer that has sign bits extended if needed. *val = (int64_t)Sec_BEBytesToUint64(val_buf); +#else + if(ASN1_INTEGER_get_int64(val, attr->value->c.integer) != 1) + { + SEC_LOG_ERROR("failed to get Long value from asn1 struct"); + return SEC_RESULT_FAILURE; + } +#endif return SEC_RESULT_SUCCESS; } @@ -311,7 +336,9 @@ Sec_Result SecAsn1KC_GetAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t *val) Sec_Result SecAsn1KC_GetAttrUlong(Sec_Asn1KC *kc, const char *key, unsigned long *val) { Asn1KCAttribute_t *attr = NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SEC_BYTE val_buf[sizeof(unsigned long)]; +#endif attr = SecAsn1KC_GetAttr(kc, key); if (attr == NULL) @@ -326,6 +353,7 @@ Sec_Result SecAsn1KC_GetAttrUlong(Sec_Asn1KC *kc, const char *key, unsigned long return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L //With openssl 1.1.x support you can use ASN1_INTEGER_get_uint64() in place //of getBE_ASN1_INTEGER() if(getBE_ASN1_INTEGER(val_buf, attr->value->c.integer, sizeof(val), @@ -344,13 +372,22 @@ Sec_Result SecAsn1KC_GetAttrUlong(Sec_Asn1KC *kc, const char *key, unsigned long *val = (unsigned long)Sec_BEBytesToUint64(val_buf); } +#else + if(ASN1_INTEGER_get_uint64((uint64_t*)val, attr->value->c.integer) != 1) + { + SEC_LOG_ERROR("failed to get Long value from asn1 struct"); + return SEC_RESULT_FAILURE; + } +#endif return SEC_RESULT_SUCCESS; } Sec_Result SecAsn1KC_GetAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t *val) { Asn1KCAttribute_t *attr = NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SEC_BYTE val_buf[sizeof(uint64_t)]; +#endif attr = SecAsn1KC_GetAttr(kc, key); if (attr == NULL) @@ -365,6 +402,7 @@ Sec_Result SecAsn1KC_GetAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t *va return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L //With openssl 1.1.x support you can use ASN1_INTEGER_get_uint64() in place //of getBE_ASN1_INTEGER() if(getBE_ASN1_INTEGER(val_buf, attr->value->c.integer, sizeof(uint64_t), @@ -375,6 +413,13 @@ Sec_Result SecAsn1KC_GetAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t *va } *val = Sec_BEBytesToUint64(val_buf); +#else + if(ASN1_INTEGER_get_uint64(val, attr->value->c.integer) != 1) + { + SEC_LOG_ERROR("failed to get Long value from asn1 struct"); + return SEC_RESULT_FAILURE; + } +#endif return SEC_RESULT_SUCCESS; } @@ -382,7 +427,7 @@ Sec_Result SecAsn1KC_GetAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t *va Sec_Result SecAsn1KC_GetAttrBuffer(Sec_Asn1KC *kc, const char *key, SEC_BYTE *buffer, SEC_SIZE buffer_len, SEC_SIZE *written) { Asn1KCAttribute_t *attr = NULL; - unsigned char *str_data = NULL; + const unsigned char *str_data = NULL; attr = SecAsn1KC_GetAttr(kc, key); if (attr == NULL) @@ -407,7 +452,11 @@ Sec_Result SecAsn1KC_GetAttrBuffer(Sec_Asn1KC *kc, const char *key, SEC_BYTE *bu return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L str_data = ASN1_STRING_data(attr->value->c.octetstring); +#else + str_data = ASN1_STRING_get0_data(attr->value->c.octetstring); +#endif if(str_data == NULL) { SEC_LOG_ERROR("Call to ASN1_STRING_data failed"); @@ -423,7 +472,7 @@ Sec_Result SecAsn1KC_GetAttrBuffer(Sec_Asn1KC *kc, const char *key, SEC_BYTE *bu Sec_Result SecAsn1KC_GetAttrString(Sec_Asn1KC *kc, const char *key, char *buffer, SEC_SIZE buffer_len, SEC_SIZE *written) { Asn1KCAttribute_t *attr = NULL; - unsigned char *str_data = NULL; + const unsigned char *str_data = NULL; attr = SecAsn1KC_GetAttr(kc, key); if (attr == NULL) @@ -447,7 +496,11 @@ Sec_Result SecAsn1KC_GetAttrString(Sec_Asn1KC *kc, const char *key, char *buffer return SEC_RESULT_FAILURE; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L str_data = ASN1_STRING_data(attr->value->c.octetstring); +#else + str_data = ASN1_STRING_get0_data(attr->value->c.octetstring); +#endif if(str_data == NULL) { SEC_LOG_ERROR("Call to ASN1_STRING_data failed"); @@ -527,7 +580,9 @@ Sec_Result SecAsn1KC_AddAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t val) { Sec_Result res = SEC_RESULT_FAILURE; Asn1KCAttribute_t *ptr = SecAsn1KC_AllocAttr(asn1_integer); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SEC_BYTE be_val[sizeof(val)]; +#endif if (ptr == NULL) { @@ -541,6 +596,7 @@ Sec_Result SecAsn1KC_AddAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t val) goto done; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L Sec_Uint64ToBEBytes((uint64_t)val, be_val); if(setBE_ASN1_INTEGER(ptr->value->c.integer, be_val, sizeof(val)) != SEC_RESULT_SUCCESS) @@ -548,6 +604,13 @@ Sec_Result SecAsn1KC_AddAttrInt64(Sec_Asn1KC *kc, const char *key, int64_t val) SEC_LOG_ERROR("setBE_ASN1_INTEGER failed"); goto done; } +#else + if (0 == ASN1_INTEGER_set_int64(ptr->value->c.integer, val)) + { + SEC_LOG_ERROR("ASN1_INTEGER_set_int64 failed"); + goto done; + } +#endif if (SEC_RESULT_SUCCESS != SecAsn1KC_AddAttr(kc, ptr)) { @@ -616,7 +679,9 @@ Sec_Result SecAsn1KC_AddAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t val { Sec_Result res = SEC_RESULT_FAILURE; Asn1KCAttribute_t *ptr = SecAsn1KC_AllocAttr(asn1_integer); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SEC_BYTE be_val[sizeof(val)]; +#endif if (ptr == NULL) { @@ -630,6 +695,7 @@ Sec_Result SecAsn1KC_AddAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t val goto done; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L Sec_Uint64ToBEBytes(val, be_val); if(setBE_ASN1_INTEGER(ptr->value->c.integer, be_val, sizeof(val)) != SEC_RESULT_SUCCESS) @@ -637,6 +703,13 @@ Sec_Result SecAsn1KC_AddAttrUint64(Sec_Asn1KC *kc, const char *key, uint64_t val SEC_LOG_ERROR("setBE_ASN1_INTEGER failed"); goto done; } +#else + if (0 == ASN1_INTEGER_set_uint64(ptr->value->c.integer, val)) + { + SEC_LOG_ERROR("ASN1_INTEGER_set_uint64 failed"); + goto done; + } +#endif if (SEC_RESULT_SUCCESS != SecAsn1KC_AddAttr(kc, ptr)) { @@ -760,7 +833,7 @@ Sec_Asn1KC *SecAsn1KC_Decode(SEC_BYTE *buf, SEC_SIZE buf_len) const unsigned char *c_buf = buf; Sec_Asn1KC *ret = NULL; - if (UINT32_MAX > LONG_MAX) + if (buf_len > INT_MAX) { if (buf_len > LONG_MAX) { diff --git a/src/sec_security_asn1kc.h b/src/sec_security_asn1kc.h index c774332..066d2d4 100644 --- a/src/sec_security_asn1kc.h +++ b/src/sec_security_asn1kc.h @@ -62,9 +62,13 @@ typedef struct { typedef STACK_OF(Asn1KCAttribute_t) Sec_Asn1KC; +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define sk_Asn1KCAttribute_t_num(st) sk_num(CHECKED_STACK_OF(Asn1KCAttribute_t, st)) #define sk_Asn1KCAttribute_t_value(st, i) ((Asn1KCAttribute_t *)sk_value(CHECKED_STACK_OF(Asn1KCAttribute_t, st), i)) #define sk_Asn1KCAttribute_t_push(st, val) sk_push(CHECKED_STACK_OF(Asn1KCAttribute_t, st), CHECKED_PTR_OF(Asn1KCAttribute_t, val)) +#else +DEFINE_STACK_OF(Asn1KCAttribute_t); +#endif Sec_Asn1KC *SecAsn1KC_Alloc(); void SecAsn1KC_Free(Sec_Asn1KC *kc); diff --git a/src/sec_security_engine.c b/src/sec_security_engine.c index 449a750..2b8b784 100644 --- a/src/sec_security_engine.c +++ b/src/sec_security_engine.c @@ -266,6 +266,7 @@ static void ENGINE_load_securityapi(void) #if OPENSSL_VERSION_NUMBER < 0x10100000L || !ENGINE_set_RSA(engine, &g_sec_openssl_rsamethod) #else + || !ENGINE_set_RSA(engine, _GetRSAMethod()) #endif ) { diff --git a/src/sec_security_openssl.c b/src/sec_security_openssl.c index da81513..ddda8bb 100644 --- a/src/sec_security_openssl.c +++ b/src/sec_security_openssl.c @@ -36,6 +36,7 @@ #include "sec_security_outprot.h" #include #include "outprot.h" +#include #ifndef SEC_OBJECTID_COMCAST_XCALSESSIONMACKEY #define SEC_OBJECTID_COMCAST_XCALSESSIONMACKEY 0xffffffff00000001ULL @@ -165,6 +166,7 @@ static Sec_Result _store_exported(Sec_ProcessorHandle *proc, SEC_BYTE *derivatio *exported_written = 0; + Sec_Result export_res = SEC_RESULT_FAILURE; if (exported_len < SEC_AES_BLOCK_SIZE) { SEC_LOG_ERROR("Not enough room to write derivation input"); goto done_export; @@ -186,7 +188,6 @@ static Sec_Result _store_exported(Sec_ProcessorHandle *proc, SEC_BYTE *derivatio pthread_mutex_lock(&g_export_mutex); - Sec_Result export_res = SEC_RESULT_FAILURE; export_res = _provision_export_keys(proc, derivationInput); if (SEC_RESULT_SUCCESS != export_res) { SEC_LOG_ERROR("_provision_export_keys failed"); @@ -2640,7 +2641,7 @@ static size_t bytesToProcessToRollover(uint64_t ctr, size_t sub_block_offset, si maxBlocksToProcess -= 1; //add the rest up to rollover - uint64_t inputBlocks = inputLen/SEC_AES_BLOCK_SIZE + (inputLen%SEC_AES_BLOCK_SIZE > 0) ? 1 : 0; + uint64_t inputBlocks = inputLen/SEC_AES_BLOCK_SIZE + (inputLen%SEC_AES_BLOCK_SIZE > 0 ? 1 : 0); uint64_t blocksToProcess = SEC_MIN(inputBlocks, maxBlocksToProcess); bytesToProcess += SEC_MIN(inputLen, (size_t) blocksToProcess * SEC_AES_BLOCK_SIZE); @@ -5509,7 +5510,8 @@ Sec_Result SecCodeIntegrity_SecureBootEnabled(void) } Sec_Result SecSVP_SetTime(time_t time) { - if (0 != stime(&time)) { + struct timespec ts = {time, 0}; + if (0 != clock_settime(CLOCK_REALTIME, &ts)) { SEC_LOG_ERROR("stime failed"); return SEC_RESULT_FAILURE; } @@ -5692,8 +5694,7 @@ Sec_Result SecProcessor_GetInfo(Sec_ProcessorHandle* secProcHandle, return SEC_RESULT_INVALID_PARAMETERS; Sec_Memset(secProcInfo, 0x00, sizeof(Sec_ProcessorInfo)); - strncpy((char *)secProcInfo->version, SEC_API_VERSION, strlen(SEC_API_VERSION)); - secProcInfo->version[strlen(SEC_API_VERSION)] = '\0'; + strncpy((char *)secProcInfo->version, SEC_API_VERSION, strlen(SEC_API_VERSION) + 1); return SEC_RESULT_SUCCESS; } diff --git a/src/sec_version.h b/src/sec_version.h index 54aa661..05feba8 100644 --- a/src/sec_version.h +++ b/src/sec_version.h @@ -17,4 +17,4 @@ * limitations under the License. */ -#define SEC_API_VERSION "2.3.2.2" +#define SEC_API_VERSION "2.3.2.25"