Merge pull request #18 from flatcar/wrl/openssl-3.0

upgrade OpenSSL API to version 3

Author: tormath1

.github/workflows/c-cpp.yml

@@ -9,13 +9,13 @@ on:
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
     - uses: actions/checkout@v2
     - name: install deps
       run: |
-        sudo apt update && sudo apt install -y libblkid-dev libext2fs-dev libmount-dev curl unzip libdbus-glib-1-dev protobuf-compiler libbz2-dev libgflags-dev libssl-dev libgoogle-glog-dev libcurl4-openssl-dev libxml2-dev libprotobuf-dev cmake wget libtool autoconf libgtest-dev libgmock-dev libbrotli-dev libdivsufsort-dev
+        sudo apt update && sudo apt install -y libunwind-dev && sudo apt install -y libblkid-dev libext2fs-dev libmount-dev curl unzip libdbus-glib-1-dev protobuf-compiler libbz2-dev libgflags-dev libssl-dev libgoogle-glog-dev libcurl4-openssl-dev libxml2-dev libprotobuf-dev cmake wget libtool autoconf libgtest-dev libgmock-dev libbrotli-dev libdivsufsort-dev libsodium-dev
     - name: prep rootdev
       run: |
         curl -sSL -o /tmp/seismograph.zip https://github.com/kinvolk/seismograph/archive/flatcar-master.zip

configure.ac

@@ -81,6 +81,7 @@ PKG_CHECK_MODULES([DEPS],
                    libcrypto
                    libcurl
                    libglog
+                   libsodium
                    libssl
                    libxml-2.0
                    protobuf])

src/update_engine/main.cc

@@ -5,6 +5,7 @@
 #include <gflags/gflags.h>
 #include <glib.h>
 #include <glog/logging.h>
+#include <sodium.h>
 
 #include "update_engine/certificate_checker.h"
 #include "update_engine/dbus_constants.h"
@@ -74,6 +75,8 @@ void SetupDbusService(UpdateEngineService* service) {
 }  // namespace chromeos_update_engine
 
 int main(int argc, char** argv) {
+  PLOG_IF(FATAL, sodium_init() < 0 ) << "the cryptographic lib couldn't be initialized; it is not safe to use";
+
   // Disable glog's default behavior of logging to files.
   FLAGS_logtostderr = true;
   GFLAGS_NAMESPACE::ParseCommandLineFlags(&argc, &argv, true);

src/update_engine/omaha_hash_calculator.cc

@@ -52,18 +52,20 @@ class ScopedBioHandle {
 };
 
 OmahaHashCalculator::OmahaHashCalculator() : valid_(false) {
-  valid_ = (SHA256_Init(&ctx_) == 1);
-  LOG_IF(ERROR, !valid_) << "SHA256_Init failed";
+  valid_ = !crypto_hash_sha256_init(&hash_state_);
+  LOG_IF(ERROR, !valid_) << "crypto_hash_sha256_init() failed";
 }
 
 // Update is called with all of the data that should be hashed in order.
 // Mostly just passes the data through to OpenSSL's SHA256_Update()
 bool OmahaHashCalculator::Update(const char* data, size_t length) {
   TEST_AND_RETURN_FALSE(valid_);
   TEST_AND_RETURN_FALSE(hash_.empty());
-  static_assert(sizeof(size_t) <= sizeof(unsigned long),
-                "length param may be truncated in SHA256_Update");
-  TEST_AND_RETURN_FALSE(SHA256_Update(&ctx_, data, length) == 1);
+  static_assert(sizeof(size_t) <= sizeof(unsigned long long),
+                "length param may be truncated in crypto_hash_sha256_update");
+
+  TEST_AND_RETURN_FALSE(crypto_hash_sha256_update(&hash_state_,
+    reinterpret_cast<const unsigned char *>(data), length) == 0);
   return true;
 }
 
@@ -170,13 +172,14 @@ bool OmahaHashCalculator::Base64Decode(const string& raw_in,
 bool OmahaHashCalculator::Finalize() {
   TEST_AND_RETURN_FALSE(hash_.empty());
   TEST_AND_RETURN_FALSE(raw_hash_.empty());
-  raw_hash_.resize(SHA256_DIGEST_LENGTH);
+  raw_hash_.resize(crypto_hash_sha256_BYTES);
+
   TEST_AND_RETURN_FALSE(
-      SHA256_Final(reinterpret_cast<unsigned char*>(&raw_hash_[0]),
-                   &ctx_) == 1);
+    crypto_hash_sha256_final(&hash_state_,
+      reinterpret_cast<unsigned char*>(raw_hash_.data())) == 0);
 
   // Convert raw_hash_ to base64 encoding and store it in hash_.
-  return Base64Encode(&raw_hash_[0], raw_hash_.size(), &hash_);
+  return Base64Encode(raw_hash_.data(), raw_hash_.size(), &hash_);
 }
 
 bool OmahaHashCalculator::RawHashOfBytes(const char* data,
@@ -221,16 +224,16 @@ string OmahaHashCalculator::OmahaHashOfString(const string& str) {
 }
 
 string OmahaHashCalculator::OmahaHashOfData(const vector<char>& data) {
-  return OmahaHashOfBytes(&data[0], data.size());
+  return OmahaHashOfBytes(data.data(), data.size());
 }
 
 string OmahaHashCalculator::GetContext() const {
-  return string(reinterpret_cast<const char*>(&ctx_), sizeof(ctx_));
+  return string(reinterpret_cast<const char*>(&hash_state_), sizeof(hash_state_));
 }
 
 bool OmahaHashCalculator::SetContext(const std::string& context) {
-  TEST_AND_RETURN_FALSE(context.size() == sizeof(ctx_));
-  memcpy(&ctx_, context.data(), sizeof(ctx_));
+  TEST_AND_RETURN_FALSE(context.size() == sizeof(hash_state_));
+  memcpy(&hash_state_, context.data(), sizeof(hash_state_));
   return true;
 }
 

src/update_engine/omaha_hash_calculator.h

@@ -10,7 +10,7 @@
 #include <vector>
 
 #include <glog/logging.h>
-#include <openssl/sha.h>
+#include <sodium.h>
 
 #include "macros.h"
 
@@ -94,7 +94,7 @@ class OmahaHashCalculator {
   bool valid_;
 
   // The hash state used by OpenSSL
-  SHA256_CTX ctx_;
+  struct crypto_hash_sha256_state hash_state_;
   DISALLOW_COPY_AND_ASSIGN(OmahaHashCalculator);
 };
 

src/update_engine/payload_processor.cc

@@ -361,7 +361,6 @@ ActionExitCode PayloadProcessor::VerifyPayload() {
   TEST_AND_RETURN_VAL(kActionCodeDownloadPayloadPubKeyVerificationError,
                       signed_hasher.Finalize());
   vector<char> hash_data = signed_hasher.raw_hash();
-  PayloadSigner::PadRSA2048SHA256Hash(&hash_data);
   TEST_AND_RETURN_VAL(kActionCodeDownloadPayloadPubKeyVerificationError,
                       !hash_data.empty());
   if (hash_data != signed_hash_data) {

src/update_engine/payload_processor_unittest.cc

@@ -204,15 +204,14 @@ static void SignGeneratedShellPayload(SignatureTest signature_test,
   // Pad the hash
   vector<char> hash;
   ASSERT_TRUE(utils::ReadFile(hash_file, &hash));
-  ASSERT_TRUE(PayloadSigner::PadRSA2048SHA256Hash(&hash));
   ASSERT_TRUE(WriteFileVector(hash_file, hash));
 
   string sig_file;
   ASSERT_TRUE(utils::MakeTempFile("/tmp/signature.XXXXXX", &sig_file, NULL));
   ScopedPathUnlinker sig_unlinker(sig_file);
   ASSERT_EQ(0,
             System(StringPrintf(
-                "openssl rsautl -raw -sign -inkey %s -in %s -out %s",
+                "openssl pkeyutl -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pkcs1 -inkey %s -in %s -out %s",
                 private_key_path.c_str(),
                 hash_file.c_str(),
                 sig_file.c_str())));
@@ -223,7 +222,7 @@ static void SignGeneratedShellPayload(SignatureTest signature_test,
       signature_test == kSignatureGeneratedShellRotateCl2) {
     ASSERT_EQ(0,
               System(StringPrintf(
-                  "openssl rsautl -raw -sign -inkey %s -in %s -out %s",
+                  "openssl pkeyutl -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pkcs1 -inkey %s -in %s -out %s",
                   kUnittestPrivateKey2Path,
                   hash_file.c_str(),
                   sig_file2.c_str())));

src/update_engine/payload_signer.cc

@@ -6,6 +6,7 @@
 
 #include <glog/logging.h>
 #include <openssl/pem.h>
+#include <openssl/evp.h>
 
 #include "update_engine/delta_diff_generator.h"
 #include "update_engine/delta_metadata.h"
@@ -23,59 +24,6 @@ const uint32_t kSignatureMessageCurrentVersion = 2;
 
 namespace {
 
-// The following is a standard PKCS1-v1_5 padding for SHA256 signatures, as
-// defined in RFC3447. It is prepended to the actual signature (32 bytes) to
-// form a sequence of 256 bytes (2048 bits) that is amenable to RSA signing. The
-// padded hash will look as follows:
-//
-//    0x00 0x01 0xff ... 0xff 0x00  ASN1HEADER  SHA256HASH
-//   |--------------205-----------||----19----||----32----|
-//
-// where ASN1HEADER is the ASN.1 description of the signed data. The complete 51
-// bytes of actual data (i.e. the ASN.1 header complete with the hash) are
-// packed as follows:
-//
-//  SEQUENCE(2+49) {
-//   SEQUENCE(2+13) {
-//    OBJECT(2+9) id-sha256
-//    NULL(2+0)
-//   }
-//   OCTET STRING(2+32) <actual signature bytes...>
-//  }
-const unsigned char kRSA2048SHA256Padding[] = {
-  // PKCS1-v1_5 padding
-  0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-  0xff, 0xff, 0xff, 0xff, 0x00,
-  // ASN.1 header
-  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
-  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
-  0x00, 0x04, 0x20,
-};
-
 // Given raw |signatures|, packs them into a protobuf and serializes it into a
 // binary blob. Returns true on success, false otherwise.
 bool ConvertSignatureToProtobufBlob(const vector<vector<char> >& signatures,
@@ -178,14 +126,13 @@ bool PayloadSigner::SignHash(const vector<char>& hash,
   // We expect unpadded SHA256 hash coming in
   TEST_AND_RETURN_FALSE(hash.size() == 32);
   vector<char> padded_hash(hash);
-  PadRSA2048SHA256Hash(&padded_hash);
   TEST_AND_RETURN_FALSE(utils::WriteFile(hash_path.c_str(),
                                          padded_hash.data(),
                                          padded_hash.size()));
 
   // This runs on the server, so it's okay to cop out and call openssl
   // executable rather than properly use the library
-  vector<string> cmd = {"openssl", "rsautl", "-raw", "-sign",
+  vector<string> cmd = {"openssl", "pkeyutl", "-sign", "-pkeyopt", "digest:sha256", "-pkeyopt", "rsa_padding_mode:pkcs1",
                         "-inkey", private_key_path,
                         "-in", hash_path,
                         "-out", sig_path};
@@ -292,27 +239,44 @@ bool PayloadSigner::GetRawHashFromSignature(
   }
 
   char dummy_password[] = { ' ', 0 };  // Ensure no password is read from stdin.
-  RSA* rsa = PEM_read_RSA_PUBKEY(fpubkey, NULL, NULL, dummy_password);
+  EVP_PKEY* pkey = PEM_read_PUBKEY(fpubkey, NULL, NULL, dummy_password);
   fclose(fpubkey);
-  TEST_AND_RETURN_FALSE(rsa != NULL);
-  unsigned int keysize = RSA_size(rsa);
+  TEST_AND_RETURN_FALSE(pkey != NULL);
+  size_t keysize = EVP_PKEY_get_size(pkey);
   if (sig_data.size() > 2 * keysize) {
     LOG(ERROR) << "Signature size is too big for public key size.";
-    RSA_free(rsa);
+    EVP_PKEY_free(pkey);
     return false;
   }
 
-  // Decrypts the signature.
   vector<char> hash_data(keysize);
-  int decrypt_size = RSA_public_decrypt(
-      sig_data.size(),
-      reinterpret_cast<const unsigned char*>(sig_data.data()),
+
+  // Decrypts the signature.
+  EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
+  if (!ctx
+      || EVP_PKEY_verify_recover_init(ctx) <= 0
+      || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
+      || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {
+    LOG(ERROR) << "Couldn't initialise EVP_PKEY_CTX";
+    EVP_PKEY_free(pkey);
+    return false;
+  }
+
+  size_t decrypt_size = keysize;
+
+  if (EVP_PKEY_verify_recover(ctx,
       reinterpret_cast<unsigned char*>(hash_data.data()),
-      rsa,
-      RSA_NO_PADDING);
-  RSA_free(rsa);
+      &decrypt_size,
+      reinterpret_cast<const unsigned char*>(sig_data.data()),
+      sig_data.size()) <= 0 ) {
+    decrypt_size = 0;
+  }
+
+  EVP_PKEY_CTX_free(ctx);
+  EVP_PKEY_free(pkey);
+
   TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
-                        decrypt_size <= static_cast<int>(hash_data.size()));
+                        (ssize_t) decrypt_size <= static_cast<int>(hash_data.size()));
   hash_data.resize(decrypt_size);
   out_hash_data->swap(hash_data);
   return true;
@@ -341,7 +305,6 @@ bool PayloadSigner::VerifySignedPayload(const std::string& payload_path,
   vector<char> hash;
   TEST_AND_RETURN_FALSE(OmahaHashCalculator::RawHashOfBytes(
       payload.data(), metadata_size + manifest.signatures_offset(), &hash));
-  PadRSA2048SHA256Hash(&hash);
   TEST_AND_RETURN_FALSE(hash == signed_hash);
   return true;
 }
@@ -414,14 +377,4 @@ bool PayloadSigner::AddSignatureToPayload(
   return true;
 }
 
-bool PayloadSigner::PadRSA2048SHA256Hash(std::vector<char>* hash) {
-  TEST_AND_RETURN_FALSE(hash->size() == 32);
-  hash->insert(hash->begin(),
-               reinterpret_cast<const char*>(kRSA2048SHA256Padding),
-               reinterpret_cast<const char*>(kRSA2048SHA256Padding +
-                                             sizeof(kRSA2048SHA256Padding)));
-  TEST_AND_RETURN_FALSE(hash->size() == 256);
-  return true;
-}
-
 }  // namespace chromeos_update_engine

src/update_engine/payload_signer.h

@@ -113,13 +113,6 @@ class PayloadSigner {
                                   const std::string& public_key_path,
                                   uint32_t client_key_check_version);
 
-  // Pads a SHA256 hash so that it may be encrypted/signed with RSA2048
-  // using the PKCS#1 v1.5 scheme.
-  // hash should be a pointer to vector of exactly 256 bits. The vector
-  // will be modified in place and will result in having a length of
-  // 2048 bits. Returns true on success, false otherwise.
-  static bool PadRSA2048SHA256Hash(std::vector<char>* hash);
-
   // Reads the payload from the given |payload_path| into the |out_payload|
   // vector. It also parses the manifest protobuf in the payload and returns it
   // in |out_manifest| along with the size of the entire metadata in

src/update_engine/payload_signer_unittest.cc

@@ -130,7 +130,6 @@ TEST(PayloadSignerTest, VerifySignatureTest) {
   vector<char> padded_hash_data(reinterpret_cast<const char *>(kDataHash),
                                 reinterpret_cast<const char *>(kDataHash +
                                                          sizeof(kDataHash)));
-  PayloadSigner::PadRSA2048SHA256Hash(&padded_hash_data);
   ASSERT_EQ(padded_hash_data.size(), hash_data.size());
   for (size_t i = 0; i < padded_hash_data.size(); i++) {
     EXPECT_EQ(padded_hash_data[i], hash_data[i]);