From f616d10d04d5c444e20e617841a54cfb2c58d07d Mon Sep 17 00:00:00 2001 From: Marco Varlese Date: Thu, 9 Nov 2017 15:16:20 +0100 Subject: Allow Openssl 1.1.0 This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese --- src/vnet/ipsec/esp.h | 24 +++++++- src/vnet/ipsec/esp_decrypt.c | 4 ++ src/vnet/ipsec/esp_encrypt.c | 4 ++ src/vnet/ipsec/ikev2.c | 4 ++ src/vnet/ipsec/ikev2_crypto.c | 135 ++++++++++++++++++++++++++++++++++++++---- 5 files changed, 159 insertions(+), 12 deletions(-) diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index bc67f9d0783..d9ab1d855a8 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -63,11 +63,23 @@ typedef struct typedef struct { CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *encrypt_ctx; +#else EVP_CIPHER_CTX encrypt_ctx; +#endif CLIB_CACHE_LINE_ALIGN_MARK (cacheline1); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *decrypt_ctx; +#else EVP_CIPHER_CTX decrypt_ctx; +#endif CLIB_CACHE_LINE_ALIGN_MARK (cacheline2); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX *hmac_ctx; +#else HMAC_CTX hmac_ctx; +#endif ipsec_crypto_alg_t last_encrypt_alg; ipsec_crypto_alg_t last_decrypt_alg; ipsec_integ_alg_t last_integ_alg; @@ -273,9 +285,15 @@ esp_init () for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new (); + em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new (); + em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new (); +#else EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx)); EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx)); HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx)); +#endif } } @@ -287,7 +305,11 @@ hmac_calc (ipsec_integ_alg_t alg, { esp_main_t *em = &esp_main; u32 thread_index = vlib_get_thread_index (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx; +#else HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx); +#endif const EVP_MD *md = NULL; unsigned int len; @@ -302,7 +324,7 @@ hmac_calc (ipsec_integ_alg_t alg, em->per_thread_data[thread_index].last_integ_alg = alg; } - HMAC_Init (ctx, key, key_len, md); + HMAC_Init_ex (ctx, key, key_len, md, NULL); HMAC_Update (ctx, data, data_len); diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index de4cc6dd4dd..81ebbe55301 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -86,7 +86,11 @@ esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg, { esp_main_t *em = &esp_main; u32 thread_index = vlib_get_thread_index (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx; +#else EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx); +#endif const EVP_CIPHER *cipher = NULL; int out_len; diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index b6ee25808b6..7bf1256acca 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -90,7 +90,11 @@ esp_encrypt_aes_cbc (ipsec_crypto_alg_t alg, { esp_main_t *em = &esp_main; u32 thread_index = vlib_get_thread_index (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].encrypt_ctx; +#else EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx); +#endif const EVP_CIPHER *cipher = NULL; int out_len; diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c index 49bae17f730..34ab87c3e56 100644 --- a/src/vnet/ipsec/ikev2.c +++ b/src/vnet/ipsec/ikev2.c @@ -3030,7 +3030,11 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name) sa.i_auth.method = p->auth.method; sa.i_auth.hex = p->auth.hex; sa.i_auth.data = vec_dup (p->auth.data); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key)); +#else sa.i_auth.key = vec_dup (p->auth.key); +#endif vec_add (sa.childs[0].tsi, &p->loc_ts, 1); vec_add (sa.childs[0].tsr, &p->rem_ts, 1); diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c index ca56158f898..32e687e37c0 100644 --- a/src/vnet/ipsec/ikev2_crypto.c +++ b/src/vnet/ipsec/ikev2_crypto.c @@ -25,6 +25,7 @@ #include #include #include +#include /* from RFC7296 */ static const char modp_dh_768_prime[] = @@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] = v8 * ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX *ctx; +#else HMAC_CTX ctx; +#endif v8 *prf; unsigned int len = 0; prf = vec_new (u8, tr->key_trunc); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ctx = HMAC_CTX_new (); + HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL); + HMAC_Update (ctx, data, vec_len (data)); + HMAC_Final (ctx, prf, &len); +#else HMAC_CTX_init (&ctx); HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL); HMAC_Update (&ctx, data, vec_len (data)); HMAC_Final (&ctx, prf, &len); HMAC_CTX_cleanup (&ctx); - +#endif ASSERT (len == tr->key_trunc); return prf; @@ -317,7 +328,11 @@ v8 * ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) { v8 *r; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX *hctx; +#else HMAC_CTX hctx; +#endif unsigned int l; ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG); @@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) r = vec_new (u8, tr->key_len); /* verify integrity of data */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + hctx = HMAC_CTX_new (); + HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL); + HMAC_Update (hctx, (const u8 *) data, len); + HMAC_Final (hctx, r, &l); +#else HMAC_CTX_init (&hctx); - HMAC_Init (&hctx, key, vec_len (key), tr->md); + HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL); HMAC_Update (&hctx, (const u8 *) data, len); HMAC_Final (&hctx, r, &l); HMAC_CTX_cleanup (&hctx); +#endif ASSERT (l == tr->key_len); @@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) v8 * ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *ctx; +#else EVP_CIPHER_CTX ctx; +#endif v8 *r; int out_len = 0, block_size; ikev2_sa_transform_t *tr_encr; @@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) return 0; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ctx = EVP_CIPHER_CTX_new (); +#else EVP_CIPHER_CTX_init (&ctx); +#endif + r = vec_new (u8, len - block_size); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data); + EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size); + EVP_DecryptFinal_ex (ctx, r + out_len, &out_len); +#else EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data); EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size); EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len); - +#endif /* remove padding */ _vec_len (r) -= r[vec_len (r) - 1] + 1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX_cleanup (&ctx); +#endif return r; } int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *ctx; +#else EVP_CIPHER_CTX ctx; +#endif int out_len; int bs; ikev2_sa_transform_t *tr_encr; @@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) /* generate IV */ RAND_bytes (dst, bs); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ctx = EVP_CIPHER_CTX_new (); + EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); + EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src)); +#else EVP_CIPHER_CTX_init (&ctx); - EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src)); - EVP_CIPHER_CTX_cleanup (&ctx); +#endif ASSERT (vec_len (src) == out_len); @@ -401,30 +448,54 @@ void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) { int r; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *p = BN_new (); + BIGNUM *q = BN_new (); + BIGNUM *g = BN_new (); + BIGNUM *pub_key = BN_new (); + BIGNUM *priv_key = BN_new (); +#endif if (t->dh_group == IKEV2_DH_GROUP_MODP) { DH *dh = DH_new (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_hex2bn (&p, t->dh_p); + BN_hex2bn (&g, t->dh_g); + DH_set0_pqg (dh, p, q, g); +#else BN_hex2bn (&dh->p, t->dh_p); BN_hex2bn (&dh->g, t->dh_g); +#endif DH_generate_key (dh); if (sa->is_initiator) { sa->i_dh_data = vec_new (u8, t->key_len); + sa->dh_private_key = vec_new (u8, t->key_len); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + r = BN_bn2bin (pub_key, sa->i_dh_data); + ASSERT (r == t->key_len); + r = BN_bn2bin (priv_key, sa->dh_private_key); + DH_set0_key (dh, pub_key, priv_key); +#else r = BN_bn2bin (dh->pub_key, sa->i_dh_data); ASSERT (r == t->key_len); - - sa->dh_private_key = vec_new (u8, t->key_len); r = BN_bn2bin (dh->priv_key, sa->dh_private_key); ASSERT (r == t->key_len); - +#endif } else { sa->r_dh_data = vec_new (u8, t->key_len); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + r = BN_bn2bin (pub_key, sa->i_dh_data); + ASSERT (r == t->key_len); + DH_set0_key (dh, pub_key, NULL); +#else r = BN_bn2bin (dh->pub_key, sa->r_dh_data); ASSERT (r == t->key_len); +#endif BIGNUM *ex; sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL); @@ -509,15 +580,31 @@ void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) { int r; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *p = BN_new (); + BIGNUM *q = BN_new (); + BIGNUM *g = BN_new (); + BIGNUM *priv_key = BN_new (); +#endif if (t->dh_group == IKEV2_DH_GROUP_MODP) { DH *dh = DH_new (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_hex2bn (&p, t->dh_p); + BN_hex2bn (&g, t->dh_g); + DH_set0_pqg (dh, p, q, g); + + priv_key = + BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL); + DH_set0_key (dh, NULL, priv_key); +#else BN_hex2bn (&dh->p, t->dh_p); BN_hex2bn (&dh->g, t->dh_g); + dh->priv_key = BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL); - +#endif BIGNUM *ex; sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL); @@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); +#else EVP_MD_CTX md_ctx; +#endif - EVP_VerifyInit (&md_ctx, EVP_sha1 ()); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_VerifyInit (md_ctx, EVP_sha1 ()); + EVP_VerifyUpdate (md_ctx, data, vec_len (data)); +#else + EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL); EVP_VerifyUpdate (&md_ctx, data, vec_len (data)); +#endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey); +#else return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey); +#endif } u8 * ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); +#else EVP_MD_CTX md_ctx; +#endif unsigned int sig_len = 0; u8 *sign; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_SignInit (md_ctx, EVP_sha1 ()); + EVP_SignUpdate (md_ctx, data, vec_len (data)); + /* get sign len */ + EVP_SignFinal (md_ctx, NULL, &sig_len, pkey); + sign = vec_new (u8, sig_len); + /* calc sign */ + EVP_SignFinal (md_ctx, sign, &sig_len, pkey); +#else EVP_SignInit (&md_ctx, EVP_sha1 ()); EVP_SignUpdate (&md_ctx, data, vec_len (data)); /* get sign len */ @@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) sign = vec_new (u8, sig_len); /* calc sign */ EVP_SignFinal (&md_ctx, sign, &sig_len, pkey); - +#endif return sign; } -- cgit 1.2.3-korg