This patch addresses all the code changes required to VPP to support
openssl 1.1.0 API.
All the changes have been done so that VPP can still be built against
current openssl API whilst forward-looking to version 1.1.0.
Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
typedef struct
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
typedef struct
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *encrypt_ctx;
+#else
EVP_CIPHER_CTX encrypt_ctx;
EVP_CIPHER_CTX encrypt_ctx;
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *decrypt_ctx;
+#else
EVP_CIPHER_CTX decrypt_ctx;
EVP_CIPHER_CTX decrypt_ctx;
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hmac_ctx;
+#else
ipsec_crypto_alg_t last_encrypt_alg;
ipsec_crypto_alg_t last_decrypt_alg;
ipsec_integ_alg_t last_integ_alg;
ipsec_crypto_alg_t last_encrypt_alg;
ipsec_crypto_alg_t last_decrypt_alg;
ipsec_integ_alg_t last_integ_alg;
for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
{
for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx;
+#else
HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
const EVP_MD *md = NULL;
unsigned int len;
const EVP_MD *md = NULL;
unsigned int len;
em->per_thread_data[thread_index].last_integ_alg = alg;
}
em->per_thread_data[thread_index].last_integ_alg = alg;
}
- HMAC_Init (ctx, key, key_len, md);
+ HMAC_Init_ex (ctx, key, key_len, md, NULL);
HMAC_Update (ctx, data, data_len);
HMAC_Update (ctx, data, data_len);
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
const EVP_CIPHER *cipher = NULL;
int out_len;
const EVP_CIPHER *cipher = NULL;
int out_len;
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].encrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx);
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx);
const EVP_CIPHER *cipher = NULL;
int out_len;
const EVP_CIPHER *cipher = NULL;
int out_len;
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+#else
sa.i_auth.key = vec_dup (p->auth.key);
sa.i_auth.key = vec_dup (p->auth.key);
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
/* from RFC7296 */
static const char modp_dh_768_prime[] =
/* from RFC7296 */
static const char modp_dh_768_prime[] =
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx;
+#else
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = HMAC_CTX_new ();
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, data, vec_len (data));
+ HMAC_Final (ctx, prf, &len);
+#else
HMAC_CTX_init (&ctx);
HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&ctx, data, vec_len (data));
HMAC_Final (&ctx, prf, &len);
HMAC_CTX_cleanup (&ctx);
HMAC_CTX_init (&ctx);
HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&ctx, data, vec_len (data));
HMAC_Final (&ctx, prf, &len);
HMAC_CTX_cleanup (&ctx);
ASSERT (len == tr->key_trunc);
return prf;
ASSERT (len == tr->key_trunc);
return prf;
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
v8 *r;
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hctx;
+#else
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
r = vec_new (u8, tr->key_len);
/* verify integrity of data */
r = vec_new (u8, tr->key_len);
/* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ hctx = HMAC_CTX_new ();
+ HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (hctx, (const u8 *) data, len);
+ HMAC_Final (hctx, r, &l);
+#else
- HMAC_Init (&hctx, key, vec_len (key), tr->md);
+ HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&hctx, (const u8 *) data, len);
HMAC_Final (&hctx, r, &l);
HMAC_CTX_cleanup (&hctx);
HMAC_Update (&hctx, (const u8 *) data, len);
HMAC_Final (&hctx, r, &l);
HMAC_CTX_cleanup (&hctx);
ASSERT (l == tr->key_len);
ASSERT (l == tr->key_len);
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
v8 *r;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
v8 *r;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&ctx);
EVP_CIPHER_CTX_init (&ctx);
r = vec_new (u8, len - block_size);
r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+ EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+ EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_CIPHER_CTX_cleanup (&ctx);
EVP_CIPHER_CTX_cleanup (&ctx);
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
/* generate IV */
RAND_bytes (dst, bs);
/* generate IV */
RAND_bytes (dst, bs);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+ EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
EVP_CIPHER_CTX_init (&ctx);
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
EVP_CIPHER_CTX_cleanup (&ctx);
EVP_CIPHER_CTX_cleanup (&ctx);
ASSERT (vec_len (src) == out_len);
ASSERT (vec_len (src) == out_len);
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *pub_key = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
DH_generate_key (dh);
if (sa->is_initiator)
{
sa->i_dh_data = vec_new (u8, t->key_len);
DH_generate_key (dh);
if (sa->is_initiator)
{
sa->i_dh_data = vec_new (u8, t->key_len);
+ sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ r = BN_bn2bin (priv_key, sa->dh_private_key);
+ DH_set0_key (dh, pub_key, priv_key);
+#else
r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
ASSERT (r == t->key_len);
r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
ASSERT (r == t->key_len);
-
- sa->dh_private_key = vec_new (u8, t->key_len);
r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
ASSERT (r == t->key_len);
r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
ASSERT (r == t->key_len);
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ DH_set0_key (dh, pub_key, NULL);
+#else
r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
ASSERT (r == t->key_len);
r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
ASSERT (r == t->key_len);
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+
+ priv_key =
+ BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+ DH_set0_key (dh, NULL, priv_key);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
dh->priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
dh->priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
- EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_VerifyInit (md_ctx, EVP_sha1 ());
+ EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+ EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
}
u8 *
ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
{
}
u8 *
ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
unsigned int sig_len = 0;
u8 *sign;
unsigned int sig_len = 0;
u8 *sign;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_SignInit (md_ctx, EVP_sha1 ());
+ EVP_SignUpdate (md_ctx, data, vec_len (data));
+ /* get sign len */
+ EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+ sign = vec_new (u8, sig_len);
+ /* calc sign */
+ EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
/* get sign len */
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
/* get sign len */
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);