diff --git a/payload_consumer/payload_verifier.cc b/payload_consumer/payload_verifier.cc
index 85902c80e844..d86763be761e 100644
--- a/payload_consumer/payload_verifier.cc
+++ b/payload_consumer/payload_verifier.cc
@@ -175,7 +175,7 @@ bool PayloadVerifier::VerifyRawSignature(
}
if (key_type == EVP_PKEY_EC) {
- EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(public_key.get());
+ EC_KEY* ec_key = EVP_PKEY_get1_EC_KEY(public_key.get());
TEST_AND_RETURN_FALSE(ec_key != nullptr);
if (ECDSA_verify(0,
sha256_hash_data.data(),
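Review bot: Switching to `EVP_PKEY_get1_EC_KEY` makes `ec_key` an owned reference, and the patch releases it with hand-placed `EC_KEY_free` calls on each exit instead of a scoped owner. Holding it as `std::unique_ptr<EC_KEY, decltype(&EC_KEY_free)> ec_key(EVP_PKEY_get1_EC_KEY(public_key.get()), EC_KEY_free);` and passing `ec_key.get()` to `ECDSA_verify` would remove both explicit frees and keep any return path added later from leaking (this assumes `<memory>` is already included in the file). The same pattern applies to the `RSA*` in `GetRawHashFromSignature` and to both key handles in `PayloadSigner::SignHash`, where a missed free would keep a reference to private key material alive. `VerifyRawSignature` starts and ends outside this hunk, so exits not shown here should be checked as well.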
@@ -183,8 +183,10 @@ bool PayloadVerifier::VerifyRawSignature(
sig_data.data(),
sig_data.size(),
ec_key) == 1) {
+ EC_KEY_free(ec_key);
return true;
}
+ EC_KEY_free(ec_key);
}
LOG(ERROR) << "Unsupported key type " << key_type;
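Review bot: A failed ECDSA check leaves the `if (key_type == EVP_PKEY_EC)` block after the second `EC_KEY_free(ec_key);` and falls through to `LOG(ERROR) << "Unsupported key type " << key_type;`, so a rejected signature is logged as an unsupported key type. Since the patch already edits this path, the block could end with `LOG(ERROR) << "ECDSA signature verification failed";` followed by `return false;` after the free, which keeps the log meaningful when triaging rejected payloads. The remainder of the function is outside the hunk, so this assumes nothing between the block and the final log line already distinguishes the two cases.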
@@ -203,12 +205,13 @@ bool PayloadVerifier::GetRawHashFromSignature(
//
// openssl rsautl -verify -pubin -inkey <(echo pem_public_key)
// -in |sig_data| -out |out_hash_data|
- RSA* rsa = EVP_PKEY_get0_RSA(const_cast<EVP_PKEY*>(public_key));
+ RSA* rsa = EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(public_key));
TEST_AND_RETURN_FALSE(rsa != nullptr);
unsigned int keysize = RSA_size(rsa);
if (sig_data.size() > 2 * keysize) {
LOG(ERROR) << "Signature size is too big for public key size.";
+ RSA_free(rsa);
return false;
}
@@ -216,6 +219,7 @@ bool PayloadVerifier::GetRawHashFromSignature(
brillo::Blob hash_data(keysize);
int decrypt_size = RSA_public_decrypt(
sig_data.size(), sig_data.data(), hash_data.data(), rsa, RSA_NO_PADDING);
+ RSA_free(rsa);
TEST_AND_RETURN_FALSE(decrypt_size > 0 &&
decrypt_size <= static_cast<int>(hash_data.size()));
hash_data.resize(decrypt_size);
diff --git a/payload_generator/payload_signer.cc b/payload_generator/payload_signer.cc
index dd87ab7ae465..795bf886ea5b 100644
--- a/payload_generator/payload_signer.cc
+++ b/payload_generator/payload_signer.cc
@@ -309,7 +309,7 @@ bool PayloadSigner::SignHash(const brillo::Blob& hash,
int key_type = EVP_PKEY_id(private_key.get());
brillo::Blob signature;
if (key_type == EVP_PKEY_RSA) {
- RSA* rsa = EVP_PKEY_get0_RSA(private_key.get());
+ RSA* rsa = EVP_PKEY_get1_RSA(private_key.get());
TEST_AND_RETURN_FALSE(rsa != nullptr);
brillo::Blob padded_hash = hash;
@@ -324,12 +324,14 @@ bool PayloadSigner::SignHash(const brillo::Blob& hash,
if (signature_size < 0) {
LOG(ERROR) << "Signing hash failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
+ RSA_free(rsa);
return false;
}
+ RSA_free(rsa);
TEST_AND_RETURN_FALSE(static_cast<size_t>(signature_size) ==
signature.size());
} else if (key_type == EVP_PKEY_EC) {
- EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(private_key.get());
+ EC_KEY* ec_key = EVP_PKEY_get1_EC_KEY(private_key.get());
TEST_AND_RETURN_FALSE(ec_key != nullptr);
signature.resize(ECDSA_size(ec_key));
@@ -342,8 +344,10 @@ bool PayloadSigner::SignHash(const brillo::Blob& hash,
ec_key) != 1) {
LOG(ERROR) << "Signing hash failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
+ EC_KEY_free(ec_key);
return false;
}
+ EC_KEY_free(ec_key);
// NIST P-256
LOG(ERROR) << "signature max size " << signature.size() << " size "