GNU bug report logs - #69275
[PATCH] gnu: ecryptfs-utils: Add the openssl key module.


Package: guix-patches;

Reported by: Brian Kubisiak <brian <at> kubisiak.com>

Date: Mon, 19 Feb 2024 16:17:01 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 69275 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#69275; Package guix-patches. (Mon, 19 Feb 2024 16:17:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Brian Kubisiak <brian <at> kubisiak.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 19 Feb 2024 16:17:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Brian Kubisiak <brian <at> kubisiak.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: ecryptfs-utils: Add the openssl key module.
Date: Mon, 19 Feb 2024 07:15:08 -0800

* gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add the patch.
* gnu/packages/linux.scm (ecryptfs-utils)[source]: Apply the patch.
[inputs]: Add openssl-1.1.

Change-Id: I89cc15534e93cf20f2b5084157cbefaec5084ec8
---
 gnu/local.mk                                  |  1 +
 gnu/packages/linux.scm                        |  4 +-
 .../patches/ecryptfs-utils-openssl-1.1.patch  | 52 +++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 58011d1149..cb5741dc60 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1107,6 +1107,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/dvd+rw-tools-add-include.patch 		\
   %D%/packages/patches/dynaconf-unvendor-deps.patch		\
   %D%/packages/patches/dyninst-fix-glibc-compatibility.patch	\
+  %D%/packages/patches/ecryptfs-utils-openssl-1.1.patch	\
   %D%/packages/patches/efivar-211.patch			\
   %D%/packages/patches/eigen-fix-strict-aliasing-bug.patch	\
   %D%/packages/patches/einstein-build.patch			\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index d798c44a8f..100f322afd 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -7024,7 +7024,8 @@ (define-public ecryptfs-utils
                            version ".orig.tar.gz"))
        (sha256
         (base32
-         "0zwq19siiwf09h7lwa7n7mgmrr8cxifp45lmwgcfr8c1gviv6b0i"))))
+         "0zwq19siiwf09h7lwa7n7mgmrr8cxifp45lmwgcfr8c1gviv6b0i"))
+       (patches (search-patches "ecryptfs-utils-openssl-1.1.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags (list "--disable-pywrap")
@@ -7106,6 +7107,7 @@ (define-public ecryptfs-utils
            linux-pam
            lsof
            lvm2
+           openssl-1.1
            nss
            rsync
            sed
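Review bot: openssl-1.1 is inserted between lvm2 and nss, which breaks the alphabetical order the rest of this inputs list follows; it belongs after nss. Since the input names the 1.1 series explicitly rather than the default openssl package, a short comment beside it saying why the key module needs that series (the bundled source patch only ports the code to the 1.1 accessors) would help whoever later tries to move the package to a newer OpenSSL.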
diff --git a/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch b/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch
new file mode 100644
index 0000000000..87b24829b4
--- /dev/null
+++ b/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch
@@ -0,0 +1,52 @@
+diff --git a/src/key_mod/ecryptfs_key_mod_openssl.c b/src/key_mod/ecryptfs_key_mod_openssl.c
+index 56ebe2d..3959974 100644
+--- a/src/key_mod/ecryptfs_key_mod_openssl.c
++++ b/src/key_mod/ecryptfs_key_mod_openssl.c
+@@ -141,6 +141,7 @@ ecryptfs_openssl_destroy_subgraph_ctx(struct ecryptfs_subgraph_ctx *ctx)
+ static int ecryptfs_openssl_generate_signature(char *sig, RSA *key)
+ {
+ 	int len, nbits, ebits, i;
++	const BIGNUM *n, *e;
+ 	int nbytes, ebytes;
+ 	unsigned char *hash;
+ 	unsigned char *data = NULL;
+@@ -152,11 +153,14 @@ static int ecryptfs_openssl_generate_signature(char *sig, RSA *key)
+ 		rc = -ENOMEM;
+ 		goto out;
+ 	}
+-	nbits = BN_num_bits(key->n);
++
++	RSA_get0_key(key, &n, &e, NULL);
++
++	nbits = BN_num_bits(n);
+ 	nbytes = nbits / 8;
+ 	if (nbits % 8)
+ 		nbytes++;
+-	ebits = BN_num_bits(key->e);
++	ebits = BN_num_bits(e);
+ 	ebytes = ebits / 8;
+ 	if (ebits % 8)
+ 		ebytes++;
+@@ -179,11 +183,11 @@ static int ecryptfs_openssl_generate_signature(char *sig, RSA *key)
+ 	data[i++] = '\02';
+ 	data[i++] = (nbits >> 8);
+ 	data[i++] = nbits;
+-	BN_bn2bin(key->n, &(data[i]));
++	BN_bn2bin(n, &(data[i]));
+ 	i += nbytes;
+ 	data[i++] = (ebits >> 8);
+ 	data[i++] = ebits;
+-	BN_bn2bin(key->e, &(data[i]));
++	BN_bn2bin(e, &(data[i]));
+ 	i += ebytes;
+ 	SHA1(data, len + 3, hash);
+ 	to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
+@@ -278,7 +282,7 @@ static int ecryptfs_openssl_read_key(RSA **rsa, unsigned char *blob)
+ 	BIO *in = NULL;
+ 	int rc;
+ 
+-	CRYPTO_malloc_init();
++	OPENSSL_malloc_init();
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_algorithms();
+ 	ENGINE_load_builtin_engines();
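Review bot: the new patch file starts directly at its 'diff --git' line, with no header comment saying what the change is for, where it came from, or whether it has been submitted to the ecryptfs-utils upstream; please add those few lines at the top of the file. In ecryptfs_openssl_generate_signature, the n and e pointers filled by 'RSA_get0_key(key, &n, &e, NULL);' go straight into BN_num_bits and BN_bn2bin, so a key whose modulus or exponent is unset would be dereferenced as NULL; checking both after the call and taking the existing 'goto out' path with an error in rc would make that failure explicit.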

base-commit: a35372cc0b9525b401c9a8b8c5eea6c3a83c9f4b
prerequisite-patch-id: 22abd79e623712e121f73c89488a47c1b5b9cd7d
prerequisite-patch-id: ebb44601cec0b6a5cf73e980522a864b2aae824e
prerequisite-patch-id: 56702abf84319ed57932ea9a895700eb87954a20
prerequisite-patch-id: 26b2a4d0d2d944a4e8c9b5277781daa080836c03
prerequisite-patch-id: 3b30c17f33cfe426c2643be26bb5b8ff83ae7c0c
-- 
2.41.0






Information forwarded to guix-patches <at> gnu.org:
bug#69275; Package guix-patches. (Sat, 02 Nov 2024 12:01:02 GMT) Full text and rfc822 format available.

Message #8 received at 69275 <at> debbugs.gnu.org (full text, mbox):

From: Steve George <steve <at> futurile.net>
To: 69275 <at> debbugs.gnu.org
Subject: RE: ecryptfs-utils: Add the openssl key module
Date: Sat, 2 Nov 2024 11:58:04 +0000

Hi Brian,

You sent through a patch for adding the openssl module, your commit message doesn't say why it's required?

As I don't use ecryptfs-utils I was wondering if you have a small example test of how it's used?

Also, there's a bunch of pre-requisite patches, are these still needed?

Thanks so much!

Steve / Futurile




Information forwarded to guix-patches <at> gnu.org:
bug#69275; Package guix-patches. (Thu, 03 Apr 2025 02:42:02 GMT) Full text and rfc822 format available.

Message #11 received at 69275 <at> debbugs.gnu.org (full text, mbox):

From: Brian Kubisiak <brian <at> kubisiak.com>
To: 69275 <at> debbugs.gnu.org
Cc: steve <at> futurile.net
Subject: RE: ecryptfs-utils: Add the openssl key module
Date: Wed, 2 Apr 2025 19:40:57 -0700

Hi Steve,

I apologize for the late reply---I somehow missed that you had
responded to my patch.

To be honest, I don't actually use ecryptfs with guix; I used guix
with this patch to reproduce a linux kernel bug I had discovered [1]
(this bug only happened when using the openssl key module). After
testing the fix for the kernel bug, I figured it was better to send
this patch upstream rather than delete it forever.

> You sent through a patch for adding the openssl module, your commit
> message doesn't say why it's required?

eCryptfs allows you to mount a filesystem overlay similar to overlayfs
but with an added layer of encryption (i.e. files written to the
overlay are encrypted before being written to the underlying
storage). Keys are set up using "key modules" from
ecryptfs-utils. Without my patch, the only available module on guix is
the "passphrase" module that uses a user-supplied passphrase for
encryption/decryption. My patch also enables the "openssl" module that
performs encryption/decryption using an asymmetric key using openssl.

> As I don't use ecryptfs-utils I was wondering if you have a small
> example test of how it's used?

Unfortunately I've lost the scripts that I was using to test this, but
'mount -t ecryptfs' should ask a sequence of questions about which
module and key to use etc.

> Also, there's a bunch of pre-requisite patches, are these still
> needed?

These are not required, I think this was just because I had a handful
of other WIP commits on my local checkout when I created this patch.

Brian

[1] https://lore.kernel.org/ecryptfs/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7 <at> hoecdztoplbl/





This bug report was last modified 79 days ago.
