Allow Openssl 1.1.0

This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese <marco.varlese@suse.com>
author: Marco Varlese <marco.varlese@suse.com> 2017-11-09 15:16:20 +0100
committer: Damjan Marion <dmarion.lists@gmail.com> 2017-11-10 20:24:00 +0000
commit: f616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree: 5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet/ipsec/ikev2_crypto.c
parent: 6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)
1 files changed, 124 insertions, 11 deletions
diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c
index ca56158f898..32e687e37c0 100644
--- a/src/vnet/ipsec/ikev2_crypto.c
+++ b/src/vnet/ipsec/ikev2_crypto.c
@@ -25,6 +25,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/dh.h>
 
 /* from RFC7296 */
 static const char modp_dh_768_prime[] =
@@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] =
 v8 *
 ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *ctx;
+#else
   HMAC_CTX ctx;
+#endif
   v8 *prf;
   unsigned int len = 0;
 
   prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = HMAC_CTX_new ();
+  HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+  HMAC_Update (ctx, data, vec_len (data));
+  HMAC_Final (ctx, prf, &len);
+#else
   HMAC_CTX_init (&ctx);
   HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
   HMAC_Update (&ctx, data, vec_len (data));
   HMAC_Final (&ctx, prf, &len);
   HMAC_CTX_cleanup (&ctx);
-
+#endif
   ASSERT (len == tr->key_trunc);
 
   return prf;
@@ -317,7 +328,11 @@ v8 *
 ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
 {
   v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *hctx;
+#else
   HMAC_CTX hctx;
+#endif
   unsigned int l;
 
   ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
@@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
   r = vec_new (u8, tr->key_len);
 
   /* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  hctx = HMAC_CTX_new ();
+  HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+  HMAC_Update (hctx, (const u8 *) data, len);
+  HMAC_Final (hctx, r, &l);
+#else
   HMAC_CTX_init (&hctx);
-  HMAC_Init (&hctx, key, vec_len (key), tr->md);
+  HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
   HMAC_Update (&hctx, (const u8 *) data, len);
   HMAC_Final (&hctx, r, &l);
   HMAC_CTX_cleanup (&hctx);
+#endif
 
   ASSERT (l == tr->key_len);
 
@@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
 v8 *
 ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx;
+#else
   EVP_CIPHER_CTX ctx;
+#endif
   v8 *r;
   int out_len = 0, block_size;
   ikev2_sa_transform_t *tr_encr;
@@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
       return 0;
     }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = EVP_CIPHER_CTX_new ();
+#else
   EVP_CIPHER_CTX_init (&ctx);
+#endif
+
   r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+  EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+  EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
   EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
   EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
   EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-
+#endif
   /* remove padding */
   _vec_len (r) -= r[vec_len (r) - 1] + 1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
   EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
   return r;
 }
 
 int
 ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx;
+#else
   EVP_CIPHER_CTX ctx;
+#endif
   int out_len;
   int bs;
   ikev2_sa_transform_t *tr_encr;
@@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
   /* generate IV */
   RAND_bytes (dst, bs);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = EVP_CIPHER_CTX_new ();
+  EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+  EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
   EVP_CIPHER_CTX_init (&ctx);
-
   EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
   EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
-
   EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
 
   ASSERT (vec_len (src) == out_len);
 
@@ -401,30 +448,54 @@ void
 ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 {
   int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  BIGNUM *p = BN_new ();
+  BIGNUM *q = BN_new ();
+  BIGNUM *g = BN_new ();
+  BIGNUM *pub_key = BN_new ();
+  BIGNUM *priv_key = BN_new ();
+#endif
 
   if (t->dh_group == IKEV2_DH_GROUP_MODP)
     {
       DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      BN_hex2bn (&p, t->dh_p);
+      BN_hex2bn (&g, t->dh_g);
+      DH_set0_pqg (dh, p, q, g);
+#else
       BN_hex2bn (&dh->p, t->dh_p);
       BN_hex2bn (&dh->g, t->dh_g);
+#endif
       DH_generate_key (dh);
 
       if (sa->is_initiator)
 	{
 	  sa->i_dh_data = vec_new (u8, t->key_len);
+	  sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	  r = BN_bn2bin (pub_key, sa->i_dh_data);
+	  ASSERT (r == t->key_len);
+	  r = BN_bn2bin (priv_key, sa->dh_private_key);
+	  DH_set0_key (dh, pub_key, priv_key);
+#else
 	  r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
 	  ASSERT (r == t->key_len);
-
-	  sa->dh_private_key = vec_new (u8, t->key_len);
 	  r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
 	  ASSERT (r == t->key_len);
-
+#endif
 	}
       else
 	{
 	  sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	  r = BN_bn2bin (pub_key, sa->i_dh_data);
+	  ASSERT (r == t->key_len);
+	  DH_set0_key (dh, pub_key, NULL);
+#else
 	  r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
 	  ASSERT (r == t->key_len);
+#endif
 	  BIGNUM *ex;
 	  sa->dh_shared_key = vec_new (u8, t->key_len);
 	  ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
@@ -509,15 +580,31 @@ void
 ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 {
   int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  BIGNUM *p = BN_new ();
+  BIGNUM *q = BN_new ();
+  BIGNUM *g = BN_new ();
+  BIGNUM *priv_key = BN_new ();
+#endif
 
   if (t->dh_group == IKEV2_DH_GROUP_MODP)
     {
       DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      BN_hex2bn (&p, t->dh_p);
+      BN_hex2bn (&g, t->dh_g);
+      DH_set0_pqg (dh, p, q, g);
+
+      priv_key =
+	BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+      DH_set0_key (dh, NULL, priv_key);
+#else
       BN_hex2bn (&dh->p, t->dh_p);
       BN_hex2bn (&dh->g, t->dh_g);
+
       dh->priv_key =
 	BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
-
+#endif
       BIGNUM *ex;
       sa->dh_shared_key = vec_new (u8, t->key_len);
       ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
@@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 int
 ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
   EVP_MD_CTX md_ctx;
+#endif
 
-  EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_VerifyInit (md_ctx, EVP_sha1 ());
+  EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+  EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
   EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
   return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#endif
 }
 
 u8 *
 ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
   EVP_MD_CTX md_ctx;
+#endif
   unsigned int sig_len = 0;
   u8 *sign;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_SignInit (md_ctx, EVP_sha1 ());
+  EVP_SignUpdate (md_ctx, data, vec_len (data));
+  /* get sign len */
+  EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+  sign = vec_new (u8, sig_len);
+  /* calc sign */
+  EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
   EVP_SignInit (&md_ctx, EVP_sha1 ());
   EVP_SignUpdate (&md_ctx, data, vec_len (data));
   /* get sign len */
@@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
   sign = vec_new (u8, sig_len);
   /* calc sign */
   EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
-
+#endif
   return sign;
 }
author	Marco Varlese <marco.varlese@suse.com>	2017-11-09 15:16:20 +0100
committer	Damjan Marion <dmarion.lists@gmail.com>	2017-11-10 20:24:00 +0000
commit	f616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree	5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet/ipsec/ikev2_crypto.c
parent	6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)