
Commit 080bf584 authored by David Johnson's avatar David Johnson

Merge branch 'openssl-1-1-0' into 'master'

Merge clientside openssl-1-1-0 branch

See merge request emulab/emulab-devel!40
parents 30534012 1c7eceac
......@@ -1701,7 +1701,7 @@ int
event_notification_insert_hmac(event_handle_t handle,
event_notification_t notification)
{
HMAC_CTX ctx;
HMAC_CTX *ctxp;
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int len = EVP_MAX_MD_SIZE;
......@@ -1720,22 +1720,42 @@ event_notification_insert_hmac(event_handle_t handle,
pubsub_notification_remove(notification->pubsub_notification,
"___elvin_ordered___", &handle->status);
memset(&ctx, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
HMAC_CTX ctx;
ctxp = &ctx;
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1());
HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen, EVP_sha1(), NULL);
HMAC_CTX_init(ctxp);
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#endif
#endif
if (!pubsub_notification_traverse(notification->pubsub_notification,
hmac_traverse,
&ctx, &handle->status)) {
ctxp, &handle->status)) {
ERROR("event_notification_insert_hmac failed: hmac_traverse\n");
HMAC_cleanup(&ctx);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return 1;
}
HMAC_Final(&ctx, mac, &len);
HMAC_cleanup(&ctx);
HMAC_Final(ctxp, mac, &len);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
ctxp = NULL;
if (0) {
hmac_dump("event_notification_insert_hmac", mac, len);
......@@ -1833,7 +1853,10 @@ static int
event_notification_check_hmac(event_handle_t handle,
event_notification_t notification)
{
HMAC_CTX ctx;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
HMAC_CTX ctx;
#endif
HMAC_CTX *ctxp = NULL;
unsigned char srcmac[EVP_MAX_MD_SIZE], mac[EVP_MAX_MD_SIZE];
char *pmac;
unsigned int srclen, len = EVP_MAX_MD_SIZE;
......@@ -1842,6 +1865,11 @@ event_notification_check_hmac(event_handle_t handle,
#ifdef ELVIN_COMPAT
struct elvin_hashtable *hashtable;
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
ctxp = &ctx;
#endif
if (0)
INFO("event_notification_check_hmac (key): %s\n",
handle->keydata);
......@@ -1900,18 +1928,32 @@ event_notification_check_hmac(event_handle_t handle,
* order, and uses __hmac__ to compare against.
*/
if (! elvin_ordered) {
memset(&ctx, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1());
HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen,
HMAC_CTX_init(ctxp);
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen,
EVP_sha1(), NULL);
#endif
#endif
hashtable = elvin_hashtable_alloc(0, &handle->status);
if (hashtable == NULL) {
ERROR("event_notification_check_hmac failed: "
"hashtable alloc\n");
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1;
}
if (!pubsub_notification_traverse(pubsub_notification,
......@@ -1921,18 +1963,32 @@ event_notification_check_hmac(event_handle_t handle,
ERROR("event_notification_check_hmac failed: "
"hmac_fill_hash\n");
elvin_hashtable_free(hashtable);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1;
}
if (!elvin_hashtable_traverse(hashtable, hmac_traverse,
&ctx, &handle->status)) {
ctxp, &handle->status)) {
ERROR("event_notification_check_hmac failed: "
"notify_traverse\n");
elvin_hashtable_free(hashtable);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1;
}
elvin_hashtable_free(hashtable);
HMAC_Final(&ctx, mac, &len);
HMAC_cleanup(&ctx);
HMAC_Final(ctxp, mac, &len);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_reset(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
if (0) {
hmac_dump("event_notification_check_hmac (elvin)",
......@@ -1945,22 +2001,44 @@ event_notification_check_hmac(event_handle_t handle,
/*
* Do a normal HMAC check.
*/
memset(&ctx, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
if (!ctxp) {
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
}
else {
HMAC_CTX_reset(ctxp);
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1());
HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen, EVP_sha1(), NULL);
HMAC_CTX_init(ctxp);
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#endif
#endif
if (!pubsub_notification_traverse(pubsub_notification,
hmac_traverse,
&ctx, &handle->status)) {
HMAC_cleanup(&ctx);
ctxp, &handle->status)) {
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1;
}
HMAC_Final(&ctx, mac, &len);
HMAC_cleanup(&ctx);
HMAC_Final(ctxp, mac, &len);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
if (0) {
hmac_dump("event_notification_check_hmac (plain)", mac, len);
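Review bot: `HMAC_reset(ctxp)` in the elvin_ordered branch of event_notification_check_hmac is not an OpenSSL 1.1 function; the 1.1 API is `HMAC_CTX_reset()`, which the plain-check path later in the same function already uses, so this line presumably only compiles because the elvin path sits under ELVIN_COMPAT and will break the build as soon as that is enabled. Change it to `HMAC_CTX_reset(ctxp);`. The return values of `HMAC_Init_ex()` (0 on failure in 1.1.x) and `HMAC_Final()` are unchecked in both insert_hmac and check_hmac, so a failed key setup would run the later comparison against whatever happens to be in `mac[]`; a guard such as `if (!HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL)) { HMAC_CTX_free(ctxp); return -1; }` (return 1 in insert_hmac) is cheap. Both functions continue outside these hunks, so the elvin compare path that follows `HMAC_Final()` may also need an `HMAC_CTX_free()` on its early returns — worth confirming there.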
......@@ -750,8 +750,12 @@ convpubkey(struct pubkeydata *k)
BN_bin2bn(k->modulus, k->keylength, mod);
BN_bin2bn(k->exponent, k->expsize, exp);
/* set up the RSA public key structure */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
RSA_set0_key(rsa,mod,exp,NULL);
#else
rsa->n = mod;
rsa->e = exp;
#endif
return rsa;
}
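Review bot: `RSA_set0_key(rsa, mod, exp, NULL)` in the new `#if` branch of convpubkey ignores its return value; when the call fails it does not take ownership, so `mod` and `exp` leak and `rsa` is returned without a key, whereas the pre-1.1 path set the fields unconditionally. A one-line guard keeps callers safe: `if (!RSA_set0_key(rsa, mod, exp, NULL)) { BN_free(mod); BN_free(exp); RSA_free(rsa); return NULL; }`. convpubkey starts outside the hunk, so this assumes callers already handle a NULL return (as they presumably must for allocation failure); the `BN_bin2bn()` results on the context lines are likewise unchecked, which predates this change.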
......@@ -71,6 +71,8 @@ init_checksum(char *keyfile)
{
char str[1024];
FILE *file;
BIGNUM *n, *e, *dmp1, *dmq1, *iqmp;
n = e = dmp1 = dmq1 = iqmp = NULL;
if (keyfile == NULL || (file = fopen(keyfile, "r")) == NULL) {
fprintf(stderr, "%s: cannot open keyfile\n", keyfile);
......@@ -81,22 +83,33 @@ init_checksum(char *keyfile)
return 0;
}
if (fscanf(file, "%1024s", str) != 1)
goto bad;
BN_hex2bn(&signature_key->n, str);
BN_hex2bn(&n, str);
if (fscanf(file, "%1024s", str) != 1)
goto bad;
BN_hex2bn(&signature_key->e, str);
BN_hex2bn(&e, str);
if (fscanf(file, "%1024s", str) != 1)
goto bad;
BN_hex2bn(&signature_key->dmp1, str);
BN_hex2bn(&dmp1, str);
if (fscanf(file, "%1024s", str) != 1)
goto bad;
BN_hex2bn(&signature_key->dmq1, str);
BN_hex2bn(&dmq1, str);
if (fscanf(file, "%1024s", str) != 1)
goto bad;
BN_hex2bn(&signature_key->iqmp, str);
BN_hex2bn(&iqmp, str);
fclose(file);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
RSA_set0_key(signature_key, n, e, NULL);
RSA_set0_crt_params(signature_key, dmp1, dmq1, iqmp);
#else
signature_key->n = n;
signature_key->e = e;
signature_key->dmp1 = dmp1;
signature_key->dmq1 = dmq1;
signature_key->iqmp = iqmp;
#endif
return 1;
bad:
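Review bot: The new 1.1 branch of init_checksum ignores the return values of `RSA_set0_key()` and `RSA_set0_crt_params()`; `RSA_set0_key()` returns 0 and takes no ownership when `n` or `e` is NULL, which is exactly what a truncated or non-hex key file yields because every `BN_hex2bn()` result is also unchecked, so the function can return 1 with `signature_key` left unset. Both calls should be checked and fail the function, and since the five BIGNUMs are now locals rather than fields of `signature_key`, the `bad:` path (its body is outside this hunk) needs to `BN_free()` whichever of them were not handed over — a `goto bad` on a partial read now leaks what was already parsed, where before it stayed in the key struct. Note the set0 calls run after `fclose(file)`, so a failure jump from there must not let `bad:` close the file a second time. Not introduced by this commit but visible in the same function: `fscanf(file, "%1024s", str)` into `char str[1024]` can store 1024 characters plus the terminator, a one-byte stack overflow; the width should be `%1023s`.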
......@@ -1396,21 +1396,29 @@ decrypt_buffer(unsigned char *dest, const unsigned char *source,
int update_count = 0;
int final_count = 0;
int error = 0;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
EVP_CIPHER_CTX context;
#endif
EVP_CIPHER_CTX *contextp;
EVP_CIPHER const *ecipher;
EVP_CIPHER_CTX_init(&context);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
contextp = EVP_CIPHER_CTX_new();
#else
contextp = &context;
EVP_CIPHER_CTX_init(contextp);
#endif
ecipher = EVP_bf_cbc();
EVP_DecryptInit(&context, ecipher, NULL, header->enc_iv);
EVP_CIPHER_CTX_set_key_length(&context, ENC_MAX_KEYLEN);
EVP_DecryptInit(&context, NULL, encryption_key, NULL);
EVP_DecryptInit(contextp, ecipher, NULL, header->enc_iv);
EVP_CIPHER_CTX_set_key_length(contextp, ENC_MAX_KEYLEN);
EVP_DecryptInit(contextp, NULL, encryption_key, NULL);
/* decrypt */
EVP_DecryptUpdate(&context, dest, &update_count, source, header->size);
EVP_DecryptUpdate(contextp, dest, &update_count, source, header->size);
/* cleanup */
error = EVP_DecryptFinal(&context, dest + update_count, &final_count);
error = EVP_DecryptFinal(contextp, dest + update_count, &final_count);
if (!error) {
char keystr[ENC_MAX_KEYLEN*2 + 1];
fprintf(stderr, "Padding was incorrect.\n");
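Review bot: `contextp = EVP_CIPHER_CTX_new()` in decrypt_buffer is unchecked, so an allocation failure hands a NULL context to `EVP_DecryptInit()` and crashes; add a NULL check immediately after the call that returns the function's error value (its tail is outside this hunk, so I cannot quote the exact value). The hunk also ends without an `EVP_CIPHER_CTX_free(contextp)`: the pre-1.1 path had a stack context and needed only cleanup, but the heap context is leaked on every call unless the part of the function past this hunk frees it on both the success and the "Padding was incorrect" paths — please confirm. As before the change, the `EVP_DecryptInit()`/`EVP_DecryptUpdate()` return values are ignored and only `EVP_DecryptFinal()` is checked.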
......@@ -3215,6 +3215,21 @@ output_public_key(char *imagename, RSA *key)
fprintf(stderr, "Cannot create keyfile %s\n", fname);
exit(1);
}
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
const BIGNUM *n = NULL, *e = NULL;
const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
RSA_get0_key(key,&n,&e,NULL);
BN_print_fp(file, n);
fprintf(file, "\n");
BN_print_fp(file, e);
fprintf(file, "\n");
BN_print_fp(file, dmp1);
fprintf(file, "\n");
BN_print_fp(file, dmq1);
fprintf(file, "\n");
BN_print_fp(file, iqmp);
fprintf(file, "\n");
#else
BN_print_fp(file, key->n);
fprintf(file, "\n");
BN_print_fp(file, key->e);
......@@ -3225,6 +3240,7 @@ output_public_key(char *imagename, RSA *key)
fprintf(file, "\n");
BN_print_fp(file, key->iqmp);
fprintf(file, "\n");
#endif
fclose(file);
fprintf(stderr, "Signing pubkey written to %s\n", fname);
......@@ -3305,7 +3321,12 @@ checksum_finish(blockhdr_t *hdr)
/*
* Encryption functions
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
static EVP_CIPHER_CTX *cipher_ctxp;
#else
static EVP_CIPHER_CTX cipher_ctx;
static EVP_CIPHER_CTX *cipher_ctxp = &cipher_ctx;
#endif
static const EVP_CIPHER *ecipher;
/* XXX: the size of the IV may have to change with different ciphers */
static uint8_t iv[ENC_MAX_KEYLEN];
......@@ -3325,7 +3346,11 @@ encrypt_start(blockhdr_t *hdr)
/*
* Pick our cipher - currently, only Blowfish in CBC mode is supported
*/
EVP_CIPHER_CTX_init(&cipher_ctx);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
cipher_ctxp = EVP_CIPHER_CTX_new();
#else
EVP_CIPHER_CTX_init(cipher_ctxp);
#endif
ecipher = EVP_bf_cbc();
/*
......@@ -3367,13 +3392,13 @@ encrypt_start(blockhdr_t *hdr)
/*
* Set the cipher and IV
*/
EVP_EncryptInit(&cipher_ctx, ecipher, NULL, iv);
EVP_EncryptInit(cipher_ctxp, ecipher, NULL, iv);
/*
* Bump up the key length and set the key
*/
EVP_CIPHER_CTX_set_key_length(&cipher_ctx, ENC_MAX_KEYLEN);
EVP_EncryptInit(&cipher_ctx, NULL, enc_key, NULL);
EVP_CIPHER_CTX_set_key_length(cipher_ctxp, ENC_MAX_KEYLEN);
EVP_EncryptInit(cipher_ctxp, NULL, enc_key, NULL);
/*
* Copy the IV into the header
......@@ -3393,9 +3418,9 @@ encrypt_chunk(uint8_t *buf, off_t size, off_t maxsize)
int encrypted_this_round = 0;
/* man page says encrypted output could be this large */
assert(size + EVP_CIPHER_CTX_block_size(&cipher_ctx) - 1 <= maxsize);
assert(size + EVP_CIPHER_CTX_block_size(cipher_ctxp) - 1 <= maxsize);
EVP_EncryptUpdate(&cipher_ctx, ebuffer_current, &encrypted_this_round,
EVP_EncryptUpdate(cipher_ctxp, ebuffer_current, &encrypted_this_round,
buf, size);
encrypted_bytes += encrypted_this_round;
ebuffer_current = encryption_buffer + encrypted_bytes;
......@@ -3406,7 +3431,7 @@ encrypt_finish(blockhdr_t *hdr, uint8_t *outbuf, uint32_t *out_size)
{
int encrypted_this_round = 0;
EVP_EncryptFinal(&cipher_ctx, ebuffer_current, &encrypted_this_round);
EVP_EncryptFinal(cipher_ctxp, ebuffer_current, &encrypted_this_round);
encrypted_bytes += encrypted_this_round;
/*
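Review bot: In the new 1.1 branch of output_public_key, `dmp1`, `dmq1` and `iqmp` are declared NULL and never filled in — only `RSA_get0_key(key, &n, &e, NULL)` is called — so the three `BN_print_fp()` calls on them dereference NULL; add `RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);` right after the `RSA_get0_key()` line. Separately, `cipher_ctxp = EVP_CIPHER_CTX_new()` in encrypt_start is unchecked and nothing in these hunks frees it (encrypt_finish is cut off here), so on 1.1 each image leaks a context; `EVP_CIPHER_CTX_free(cipher_ctxp); cipher_ctxp = NULL;` belongs at the end of encrypt_finish. Not introduced by this commit, but worth a look: the file is announced as a signing pubkey yet it contains the CRT private components dmp1/dmq1/iqmp, and dmp1 together with e is enough to factor n — if that file is meant to be distributed, only n and e should go in it.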