Allow Openssl 1.1.0

This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese <marco.varlese@suse.com>
author: Marco Varlese <marco.varlese@suse.com> 2017-11-09 15:16:20 +0100
committer: Damjan Marion <dmarion.lists@gmail.com> 2017-11-10 20:24:00 +0000
commit: f616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree: 5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet
parent: 6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)
5 files changed, 159 insertions, 12 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index bc67f9d0783..d9ab1d855a8 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -63,11 +63,23 @@ typedef struct
 typedef struct
 {
   CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *encrypt_ctx;
+#else
   EVP_CIPHER_CTX encrypt_ctx;
+#endif
     CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *decrypt_ctx;
+#else
   EVP_CIPHER_CTX decrypt_ctx;
+#endif
     CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *hmac_ctx;
+#else
   HMAC_CTX hmac_ctx;
+#endif
   ipsec_crypto_alg_t last_encrypt_alg;
   ipsec_crypto_alg_t last_decrypt_alg;
   ipsec_integ_alg_t last_integ_alg;
@@ -273,9 +285,15 @@ esp_init ()
 
   for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
     {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new ();
+      em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new ();
+      em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new ();
+#else
       EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
       EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
       HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
+#endif
     }
 }
 
@@ -287,7 +305,11 @@ hmac_calc (ipsec_integ_alg_t alg,
 {
   esp_main_t *em = &esp_main;
   u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx;
+#else
   HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
+#endif
   const EVP_MD *md = NULL;
   unsigned int len;
 
@@ -302,7 +324,7 @@ hmac_calc (ipsec_integ_alg_t alg,
       em->per_thread_data[thread_index].last_integ_alg = alg;
     }
 
-  HMAC_Init (ctx, key, key_len, md);
+  HMAC_Init_ex (ctx, key, key_len, md, NULL);
 
   HMAC_Update (ctx, data, data_len);
 
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index de4cc6dd4dd..81ebbe55301 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -86,7 +86,11 @@ esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg,
 {
   esp_main_t *em = &esp_main;
   u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx;
+#else
   EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
+#endif
   const EVP_CIPHER *cipher = NULL;
   int out_len;
 
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index b6ee25808b6..7bf1256acca 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -90,7 +90,11 @@ esp_encrypt_aes_cbc (ipsec_crypto_alg_t alg,
 {
   esp_main_t *em = &esp_main;
   u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].encrypt_ctx;
+#else
   EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx);
+#endif
   const EVP_CIPHER *cipher = NULL;
   int out_len;
 
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 49bae17f730..34ab87c3e56 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3030,7 +3030,11 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
     sa.i_auth.method = p->auth.method;
     sa.i_auth.hex = p->auth.hex;
     sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+#else
     sa.i_auth.key = vec_dup (p->auth.key);
+#endif
     vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
     vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
 
diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c
index ca56158f898..32e687e37c0 100644
--- a/src/vnet/ipsec/ikev2_crypto.c
+++ b/src/vnet/ipsec/ikev2_crypto.c
@@ -25,6 +25,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/dh.h>
 
 /* from RFC7296 */
 static const char modp_dh_768_prime[] =
@@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] =
 v8 *
 ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *ctx;
+#else
   HMAC_CTX ctx;
+#endif
   v8 *prf;
   unsigned int len = 0;
 
   prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = HMAC_CTX_new ();
+  HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+  HMAC_Update (ctx, data, vec_len (data));
+  HMAC_Final (ctx, prf, &len);
+#else
   HMAC_CTX_init (&ctx);
   HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
   HMAC_Update (&ctx, data, vec_len (data));
   HMAC_Final (&ctx, prf, &len);
   HMAC_CTX_cleanup (&ctx);
-
+#endif
   ASSERT (len == tr->key_trunc);
 
   return prf;
@@ -317,7 +328,11 @@ v8 *
 ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
 {
   v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  HMAC_CTX *hctx;
+#else
   HMAC_CTX hctx;
+#endif
   unsigned int l;
 
   ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
@@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
   r = vec_new (u8, tr->key_len);
 
   /* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  hctx = HMAC_CTX_new ();
+  HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+  HMAC_Update (hctx, (const u8 *) data, len);
+  HMAC_Final (hctx, r, &l);
+#else
   HMAC_CTX_init (&hctx);
-  HMAC_Init (&hctx, key, vec_len (key), tr->md);
+  HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
   HMAC_Update (&hctx, (const u8 *) data, len);
   HMAC_Final (&hctx, r, &l);
   HMAC_CTX_cleanup (&hctx);
+#endif
 
   ASSERT (l == tr->key_len);
 
@@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
 v8 *
 ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx;
+#else
   EVP_CIPHER_CTX ctx;
+#endif
   v8 *r;
   int out_len = 0, block_size;
   ikev2_sa_transform_t *tr_encr;
@@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
       return 0;
     }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = EVP_CIPHER_CTX_new ();
+#else
   EVP_CIPHER_CTX_init (&ctx);
+#endif
+
   r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+  EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+  EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
   EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
   EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
   EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-
+#endif
   /* remove padding */
   _vec_len (r) -= r[vec_len (r) - 1] + 1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
   EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
   return r;
 }
 
 int
 ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_CIPHER_CTX *ctx;
+#else
   EVP_CIPHER_CTX ctx;
+#endif
   int out_len;
   int bs;
   ikev2_sa_transform_t *tr_encr;
@@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
   /* generate IV */
   RAND_bytes (dst, bs);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  ctx = EVP_CIPHER_CTX_new ();
+  EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+  EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
   EVP_CIPHER_CTX_init (&ctx);
-
   EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
   EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
-
   EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
 
   ASSERT (vec_len (src) == out_len);
 
@@ -401,30 +448,54 @@ void
 ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 {
   int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  BIGNUM *p = BN_new ();
+  BIGNUM *q = BN_new ();
+  BIGNUM *g = BN_new ();
+  BIGNUM *pub_key = BN_new ();
+  BIGNUM *priv_key = BN_new ();
+#endif
 
   if (t->dh_group == IKEV2_DH_GROUP_MODP)
     {
       DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      BN_hex2bn (&p, t->dh_p);
+      BN_hex2bn (&g, t->dh_g);
+      DH_set0_pqg (dh, p, q, g);
+#else
       BN_hex2bn (&dh->p, t->dh_p);
       BN_hex2bn (&dh->g, t->dh_g);
+#endif
       DH_generate_key (dh);
 
       if (sa->is_initiator)
 	{
 	  sa->i_dh_data = vec_new (u8, t->key_len);
+	  sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	  r = BN_bn2bin (pub_key, sa->i_dh_data);
+	  ASSERT (r == t->key_len);
+	  r = BN_bn2bin (priv_key, sa->dh_private_key);
+	  DH_set0_key (dh, pub_key, priv_key);
+#else
 	  r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
 	  ASSERT (r == t->key_len);
-
-	  sa->dh_private_key = vec_new (u8, t->key_len);
 	  r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
 	  ASSERT (r == t->key_len);
-
+#endif
 	}
       else
 	{
 	  sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	  r = BN_bn2bin (pub_key, sa->i_dh_data);
+	  ASSERT (r == t->key_len);
+	  DH_set0_key (dh, pub_key, NULL);
+#else
 	  r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
 	  ASSERT (r == t->key_len);
+#endif
 	  BIGNUM *ex;
 	  sa->dh_shared_key = vec_new (u8, t->key_len);
 	  ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
@@ -509,15 +580,31 @@ void
 ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 {
   int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  BIGNUM *p = BN_new ();
+  BIGNUM *q = BN_new ();
+  BIGNUM *g = BN_new ();
+  BIGNUM *priv_key = BN_new ();
+#endif
 
   if (t->dh_group == IKEV2_DH_GROUP_MODP)
     {
       DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      BN_hex2bn (&p, t->dh_p);
+      BN_hex2bn (&g, t->dh_g);
+      DH_set0_pqg (dh, p, q, g);
+
+      priv_key =
+	BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+      DH_set0_key (dh, NULL, priv_key);
+#else
       BN_hex2bn (&dh->p, t->dh_p);
       BN_hex2bn (&dh->g, t->dh_g);
+
       dh->priv_key =
 	BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
-
+#endif
       BIGNUM *ex;
       sa->dh_shared_key = vec_new (u8, t->key_len);
       ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
@@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 int
 ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
   EVP_MD_CTX md_ctx;
+#endif
 
-  EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_VerifyInit (md_ctx, EVP_sha1 ());
+  EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+  EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
   EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
   return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#endif
 }
 
 u8 *
 ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
   EVP_MD_CTX md_ctx;
+#endif
   unsigned int sig_len = 0;
   u8 *sign;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  EVP_SignInit (md_ctx, EVP_sha1 ());
+  EVP_SignUpdate (md_ctx, data, vec_len (data));
+  /* get sign len */
+  EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+  sign = vec_new (u8, sig_len);
+  /* calc sign */
+  EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
   EVP_SignInit (&md_ctx, EVP_sha1 ());
   EVP_SignUpdate (&md_ctx, data, vec_len (data));
   /* get sign len */
@@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
   sign = vec_new (u8, sig_len);
   /* calc sign */
   EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
-
+#endif
   return sign;
 }
author	Marco Varlese <marco.varlese@suse.com>	2017-11-09 15:16:20 +0100
committer	Damjan Marion <dmarion.lists@gmail.com>	2017-11-10 20:24:00 +0000
commit	f616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree	5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet
parent	6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)