Commit 080bf584 authored by David Johnson's avatar David Johnson

Merge branch 'openssl-1-1-0' into 'master'

Merge clientside openssl-1-1-0 branch

See merge request emulab-devel!40
parents 30534012 1c7eceac
...@@ -1701,7 +1701,7 @@ int ...@@ -1701,7 +1701,7 @@ int
event_notification_insert_hmac(event_handle_t handle, event_notification_insert_hmac(event_handle_t handle,
event_notification_t notification) event_notification_t notification)
{ {
HMAC_CTX ctx; HMAC_CTX *ctxp;
unsigned char mac[EVP_MAX_MD_SIZE]; unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int len = EVP_MAX_MD_SIZE; unsigned int len = EVP_MAX_MD_SIZE;
...@@ -1720,22 +1720,42 @@ event_notification_insert_hmac(event_handle_t handle, ...@@ -1720,22 +1720,42 @@ event_notification_insert_hmac(event_handle_t handle,
pubsub_notification_remove(notification->pubsub_notification, pubsub_notification_remove(notification->pubsub_notification,
"___elvin_ordered___", &handle->status); "___elvin_ordered___", &handle->status);
memset(&ctx, 0, sizeof(ctx)); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
HMAC_CTX ctx;
ctxp = &ctx;
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f) #if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1()); HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else #else
HMAC_CTX_init(&ctx); HMAC_CTX_init(ctxp);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen, EVP_sha1(), NULL); HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#endif
#endif #endif
if (!pubsub_notification_traverse(notification->pubsub_notification, if (!pubsub_notification_traverse(notification->pubsub_notification,
hmac_traverse, hmac_traverse,
&ctx, &handle->status)) { ctxp, &handle->status)) {
ERROR("event_notification_insert_hmac failed: hmac_traverse\n"); ERROR("event_notification_insert_hmac failed: hmac_traverse\n");
HMAC_cleanup(&ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return 1; return 1;
} }
HMAC_Final(&ctx, mac, &len); HMAC_Final(ctxp, mac, &len);
HMAC_cleanup(&ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
ctxp = NULL;
if (0) { if (0) {
hmac_dump("event_notification_insert_hmac", mac, len); hmac_dump("event_notification_insert_hmac", mac, len);
...@@ -1833,7 +1853,10 @@ static int ...@@ -1833,7 +1853,10 @@ static int
event_notification_check_hmac(event_handle_t handle, event_notification_check_hmac(event_handle_t handle,
event_notification_t notification) event_notification_t notification)
{ {
HMAC_CTX ctx; #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
HMAC_CTX ctx;
#endif
HMAC_CTX *ctxp = NULL;
unsigned char srcmac[EVP_MAX_MD_SIZE], mac[EVP_MAX_MD_SIZE]; unsigned char srcmac[EVP_MAX_MD_SIZE], mac[EVP_MAX_MD_SIZE];
char *pmac; char *pmac;
unsigned int srclen, len = EVP_MAX_MD_SIZE; unsigned int srclen, len = EVP_MAX_MD_SIZE;
...@@ -1842,6 +1865,11 @@ event_notification_check_hmac(event_handle_t handle, ...@@ -1842,6 +1865,11 @@ event_notification_check_hmac(event_handle_t handle,
#ifdef ELVIN_COMPAT #ifdef ELVIN_COMPAT
struct elvin_hashtable *hashtable; struct elvin_hashtable *hashtable;
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
ctxp = &ctx;
#endif
if (0) if (0)
INFO("event_notification_check_hmac (key): %s\n", INFO("event_notification_check_hmac (key): %s\n",
handle->keydata); handle->keydata);
...@@ -1900,18 +1928,32 @@ event_notification_check_hmac(event_handle_t handle, ...@@ -1900,18 +1928,32 @@ event_notification_check_hmac(event_handle_t handle,
* order, and uses __hmac__ to compare against. * order, and uses __hmac__ to compare against.
*/ */
if (! elvin_ordered) { if (! elvin_ordered) {
memset(&ctx, 0, sizeof(ctx)); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f) #if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1()); HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else #else
HMAC_CTX_init(&ctx); HMAC_CTX_init(ctxp);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen, HMAC_Init_ex(ctxp, handle->keydata, handle->keylen,
EVP_sha1(), NULL); EVP_sha1(), NULL);
#endif
#endif #endif
hashtable = elvin_hashtable_alloc(0, &handle->status); hashtable = elvin_hashtable_alloc(0, &handle->status);
if (hashtable == NULL) { if (hashtable == NULL) {
ERROR("event_notification_check_hmac failed: " ERROR("event_notification_check_hmac failed: "
"hashtable alloc\n"); "hashtable alloc\n");
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1; return -1;
} }
if (!pubsub_notification_traverse(pubsub_notification, if (!pubsub_notification_traverse(pubsub_notification,
...@@ -1921,18 +1963,32 @@ event_notification_check_hmac(event_handle_t handle, ...@@ -1921,18 +1963,32 @@ event_notification_check_hmac(event_handle_t handle,
ERROR("event_notification_check_hmac failed: " ERROR("event_notification_check_hmac failed: "
"hmac_fill_hash\n"); "hmac_fill_hash\n");
elvin_hashtable_free(hashtable); elvin_hashtable_free(hashtable);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1; return -1;
} }
if (!elvin_hashtable_traverse(hashtable, hmac_traverse, if (!elvin_hashtable_traverse(hashtable, hmac_traverse,
&ctx, &handle->status)) { ctxp, &handle->status)) {
ERROR("event_notification_check_hmac failed: " ERROR("event_notification_check_hmac failed: "
"notify_traverse\n"); "notify_traverse\n");
elvin_hashtable_free(hashtable); elvin_hashtable_free(hashtable);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1; return -1;
} }
elvin_hashtable_free(hashtable); elvin_hashtable_free(hashtable);
HMAC_Final(&ctx, mac, &len); HMAC_Final(ctxp, mac, &len);
HMAC_cleanup(&ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_reset(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
if (0) { if (0) {
hmac_dump("event_notification_check_hmac (elvin)", hmac_dump("event_notification_check_hmac (elvin)",
...@@ -1945,22 +2001,44 @@ event_notification_check_hmac(event_handle_t handle, ...@@ -1945,22 +2001,44 @@ event_notification_check_hmac(event_handle_t handle,
/* /*
* Do a normal HMAC check. * Do a normal HMAC check.
*/ */
memset(&ctx, 0, sizeof(ctx)); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
if (!ctxp) {
ctxp = HMAC_CTX_new();
if (!ctxp) {
ERROR("HMAC_CTX_new failed to alloc ctx\n");
return 1;
}
}
else {
HMAC_CTX_reset(ctxp);
}
HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#else
memset(ctxp, 0, sizeof(ctx));
#if (OPENSSL_VERSION_NUMBER < 0x0090703f) #if (OPENSSL_VERSION_NUMBER < 0x0090703f)
HMAC_Init(&ctx, handle->keydata, handle->keylen, EVP_sha1()); HMAC_Init(ctxp, handle->keydata, handle->keylen, EVP_sha1());
#else #else
HMAC_CTX_init(&ctx); HMAC_CTX_init(ctxp);
HMAC_Init_ex(&ctx, handle->keydata, handle->keylen, EVP_sha1(), NULL); HMAC_Init_ex(ctxp, handle->keydata, handle->keylen, EVP_sha1(), NULL);
#endif
#endif #endif
if (!pubsub_notification_traverse(pubsub_notification, if (!pubsub_notification_traverse(pubsub_notification,
hmac_traverse, hmac_traverse,
&ctx, &handle->status)) { ctxp, &handle->status)) {
HMAC_cleanup(&ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
return -1; return -1;
} }
HMAC_Final(&ctx, mac, &len); HMAC_Final(ctxp, mac, &len);
HMAC_cleanup(&ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
HMAC_CTX_free(ctxp);
#else
HMAC_cleanup(ctxp);
#endif
if (0) { if (0) {
hmac_dump("event_notification_check_hmac (plain)", mac, len); hmac_dump("event_notification_check_hmac (plain)", mac, len);
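Review bot: In event_notification_check_hmac's elvin_ordered path, the OpenSSL >= 1.1.0 branch after `HMAC_Final` calls `HMAC_reset(ctxp)`, but the 1.1.0 API (and the plain-check path later in this same function) uses `HMAC_CTX_reset`; because that block sits under ELVIN_COMPAT it only fails to compile when that option is enabled, so the line should read `HMAC_CTX_reset(ctxp);`. The two `HMAC_CTX_new` failure paths in check_hmac `return 1;` while every other failure in this function returns -1 (the `return 1` form is copied from insert_hmac, where 1 is the failure value); if callers test for a negative result, an allocation failure would not be treated as a failure, so `return -1;` looks intended. The context kept alive by that reset is only released on the plain-check path; if the elvin branch returns after its comparison (outside these hunks), the 1.1.0 build leaks it. `HMAC_Init_ex` returns an int on 1.0.0 and later and its result is not checked in either function.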
......
...@@ -750,8 +750,12 @@ convpubkey(struct pubkeydata *k) ...@@ -750,8 +750,12 @@ convpubkey(struct pubkeydata *k)
BN_bin2bn(k->modulus, k->keylength, mod); BN_bin2bn(k->modulus, k->keylength, mod);
BN_bin2bn(k->exponent, k->expsize, exp); BN_bin2bn(k->exponent, k->expsize, exp);
/* set up the RSA public key structure */ /* set up the RSA public key structure */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
RSA_set0_key(rsa,mod,exp,NULL);
#else
rsa->n = mod; rsa->n = mod;
rsa->e = exp; rsa->e = exp;
#endif
return rsa; return rsa;
} }
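Review bot: The return value of `RSA_set0_key(rsa,mod,exp,NULL)` is ignored; it returns 0 without taking ownership of the BIGNUMs, in which case `mod` and `exp` leak and `rsa` is returned with no key material. Add `if (!RSA_set0_key(rsa, mod, exp, NULL)) { BN_free(mod); BN_free(exp); RSA_free(rsa); return NULL; }`, adjusted to whatever failure convention convpubkey's earlier lines (outside this hunk) use for a failed BN_new. On success the RSA object owns both BIGNUMs, so the caller must not free them; a one-line comment on the `#if` branch saying so would help, since the pre-1.1.0 assignments make the same transfer implicitly.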
......
...@@ -71,6 +71,8 @@ init_checksum(char *keyfile) ...@@ -71,6 +71,8 @@ init_checksum(char *keyfile)
{ {
char str[1024]; char str[1024];
FILE *file; FILE *file;
BIGNUM *n, *e, *dmp1, *dmq1, *iqmp;
n = e = dmp1 = dmq1 = iqmp = NULL;
if (keyfile == NULL || (file = fopen(keyfile, "r")) == NULL) { if (keyfile == NULL || (file = fopen(keyfile, "r")) == NULL) {
fprintf(stderr, "%s: cannot open keyfile\n", keyfile); fprintf(stderr, "%s: cannot open keyfile\n", keyfile);
...@@ -81,22 +83,33 @@ init_checksum(char *keyfile) ...@@ -81,22 +83,33 @@ init_checksum(char *keyfile)
return 0; return 0;
} }
if (fscanf(file, "%1024s", str) != 1) if (fscanf(file, "%1024s", str) != 1)
goto bad; goto bad;
BN_hex2bn(&signature_key->n, str); BN_hex2bn(&n, str);
if (fscanf(file, "%1024s", str) != 1) if (fscanf(file, "%1024s", str) != 1)
goto bad; goto bad;
BN_hex2bn(&signature_key->e, str); BN_hex2bn(&e, str);
if (fscanf(file, "%1024s", str) != 1) if (fscanf(file, "%1024s", str) != 1)
goto bad; goto bad;
BN_hex2bn(&signature_key->dmp1, str); BN_hex2bn(&dmp1, str);
if (fscanf(file, "%1024s", str) != 1) if (fscanf(file, "%1024s", str) != 1)
goto bad; goto bad;
BN_hex2bn(&signature_key->dmq1, str); BN_hex2bn(&dmq1, str);
if (fscanf(file, "%1024s", str) != 1) if (fscanf(file, "%1024s", str) != 1)
goto bad; goto bad;
BN_hex2bn(&signature_key->iqmp, str); BN_hex2bn(&iqmp, str);
fclose(file); fclose(file);
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
RSA_set0_key(signature_key, n, e, NULL);
RSA_set0_crt_params(signature_key, dmp1, dmq1, iqmp);
#else
signature_key->n = n;
signature_key->e = e;
signature_key->dmp1 = dmp1;
signature_key->dmq1 = dmq1;
signature_key->iqmp = iqmp;
#endif
return 1; return 1;
bad: bad:
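Review bot: With the key components now parsed into local BIGNUMs, any `goto bad` taken after the first successful `BN_hex2bn` (a short keyfile failing the second `fscanf`, say) leaves the already-allocated n/e/dmp1/dmq1 unreferenced, because they are only attached to `signature_key` after the last read; unless the `bad:` label (outside this hunk) frees them, the 1.1.0 build leaks what the old code let `RSA_free` reclaim. The `bad:` path should `BN_free` the five locals (BN_free accepts NULL, and they are initialised to NULL at the top), and the results of `RSA_set0_key` / `RSA_set0_crt_params` should be checked, since on failure ownership is not transferred. Unrelated to the version split but on the same lines: `fscanf(file, "%1024s", str)` into `char str[1024]` can write 1025 bytes (1024 characters plus the terminator); the width should be `%1023s`.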
......
...@@ -1396,21 +1396,29 @@ decrypt_buffer(unsigned char *dest, const unsigned char *source, ...@@ -1396,21 +1396,29 @@ decrypt_buffer(unsigned char *dest, const unsigned char *source,
int update_count = 0; int update_count = 0;
int final_count = 0; int final_count = 0;
int error = 0; int error = 0;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
EVP_CIPHER_CTX context; EVP_CIPHER_CTX context;
#endif
EVP_CIPHER_CTX *contextp;
EVP_CIPHER const *ecipher; EVP_CIPHER const *ecipher;
EVP_CIPHER_CTX_init(&context); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
contextp = EVP_CIPHER_CTX_new();
#else
contextp = &context;
EVP_CIPHER_CTX_init(contextp);
#endif
ecipher = EVP_bf_cbc(); ecipher = EVP_bf_cbc();
EVP_DecryptInit(&context, ecipher, NULL, header->enc_iv); EVP_DecryptInit(contextp, ecipher, NULL, header->enc_iv);
EVP_CIPHER_CTX_set_key_length(&context, ENC_MAX_KEYLEN); EVP_CIPHER_CTX_set_key_length(contextp, ENC_MAX_KEYLEN);
EVP_DecryptInit(&context, NULL, encryption_key, NULL); EVP_DecryptInit(contextp, NULL, encryption_key, NULL);
/* decrypt */ /* decrypt */
EVP_DecryptUpdate(&context, dest, &update_count, source, header->size); EVP_DecryptUpdate(contextp, dest, &update_count, source, header->size);
/* cleanup */ /* cleanup */
error = EVP_DecryptFinal(&context, dest + update_count, &final_count); error = EVP_DecryptFinal(contextp, dest + update_count, &final_count);
if (!error) { if (!error) {
char keystr[ENC_MAX_KEYLEN*2 + 1]; char keystr[ENC_MAX_KEYLEN*2 + 1];
fprintf(stderr, "Padding was incorrect.\n"); fprintf(stderr, "Padding was incorrect.\n");
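Review bot: `contextp = EVP_CIPHER_CTX_new()` is not checked for NULL, so an allocation failure runs straight into `EVP_DecryptInit(contextp, ...)` with a null context; the pre-1.1.0 branch could not fail at this point, which is why the old code had no check. Add `if (!contextp) { fprintf(stderr, "EVP_CIPHER_CTX_new failed\n"); return -1; }`, using whatever decrypt_buffer's error convention actually is (its return statements lie outside this hunk). The hunk also shows no `EVP_CIPHER_CTX_free(contextp)` on the 1.1.0 side (nor `EVP_CIPHER_CTX_cleanup` on the old side); if the tail of the function still has none, every call leaks a heap context together with the expanded key material it holds.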
......
...@@ -3215,6 +3215,21 @@ output_public_key(char *imagename, RSA *key) ...@@ -3215,6 +3215,21 @@ output_public_key(char *imagename, RSA *key)
fprintf(stderr, "Cannot create keyfile %s\n", fname); fprintf(stderr, "Cannot create keyfile %s\n", fname);
exit(1); exit(1);
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
const BIGNUM *n = NULL, *e = NULL;
const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
RSA_get0_key(key,&n,&e,NULL);
BN_print_fp(file, n);
fprintf(file, "\n");
BN_print_fp(file, e);
fprintf(file, "\n");
BN_print_fp(file, dmp1);
fprintf(file, "\n");
BN_print_fp(file, dmq1);
fprintf(file, "\n");
BN_print_fp(file, iqmp);
fprintf(file, "\n");
#else
BN_print_fp(file, key->n); BN_print_fp(file, key->n);
fprintf(file, "\n"); fprintf(file, "\n");
BN_print_fp(file, key->e); BN_print_fp(file, key->e);
...@@ -3225,6 +3240,7 @@ output_public_key(char *imagename, RSA *key) ...@@ -3225,6 +3240,7 @@ output_public_key(char *imagename, RSA *key)
fprintf(file, "\n"); fprintf(file, "\n");
BN_print_fp(file, key->iqmp); BN_print_fp(file, key->iqmp);
fprintf(file, "\n"); fprintf(file, "\n");
#endif
fclose(file); fclose(file);
fprintf(stderr, "Signing pubkey written to %s\n", fname); fprintf(stderr, "Signing pubkey written to %s\n", fname);
...@@ -3305,7 +3321,12 @@ checksum_finish(blockhdr_t *hdr) ...@@ -3305,7 +3321,12 @@ checksum_finish(blockhdr_t *hdr)
/* /*
* Encryption functions * Encryption functions
*/ */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
static EVP_CIPHER_CTX *cipher_ctxp;
#else
static EVP_CIPHER_CTX cipher_ctx; static EVP_CIPHER_CTX cipher_ctx;
static EVP_CIPHER_CTX *cipher_ctxp = &cipher_ctx;
#endif
static const EVP_CIPHER *ecipher; static const EVP_CIPHER *ecipher;
/* XXX: the size of the IV may have to change with different ciphers */ /* XXX: the size of the IV may have to change with different ciphers */
static uint8_t iv[ENC_MAX_KEYLEN]; static uint8_t iv[ENC_MAX_KEYLEN];
...@@ -3325,7 +3346,11 @@ encrypt_start(blockhdr_t *hdr) ...@@ -3325,7 +3346,11 @@ encrypt_start(blockhdr_t *hdr)
/* /*
* Pick our cipher - currently, only Blowfish in CBC mode is supported * Pick our cipher - currently, only Blowfish in CBC mode is supported
*/ */
EVP_CIPHER_CTX_init(&cipher_ctx); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
cipher_ctxp = EVP_CIPHER_CTX_new();
#else
EVP_CIPHER_CTX_init(cipher_ctxp);
#endif
ecipher = EVP_bf_cbc(); ecipher = EVP_bf_cbc();
/* /*
...@@ -3367,13 +3392,13 @@ encrypt_start(blockhdr_t *hdr) ...@@ -3367,13 +3392,13 @@ encrypt_start(blockhdr_t *hdr)
/* /*
* Set the cipher and IV * Set the cipher and IV
*/ */
EVP_EncryptInit(&cipher_ctx, ecipher, NULL, iv); EVP_EncryptInit(cipher_ctxp, ecipher, NULL, iv);
/* /*
* Bump up the key length and set the key * Bump up the key length and set the key
*/ */
EVP_CIPHER_CTX_set_key_length(&cipher_ctx, ENC_MAX_KEYLEN); EVP_CIPHER_CTX_set_key_length(cipher_ctxp, ENC_MAX_KEYLEN);
EVP_EncryptInit(&cipher_ctx, NULL, enc_key, NULL); EVP_EncryptInit(cipher_ctxp, NULL, enc_key, NULL);
/* /*
* Copy the IV into the header * Copy the IV into the header
...@@ -3393,9 +3418,9 @@ encrypt_chunk(uint8_t *buf, off_t size, off_t maxsize) ...@@ -3393,9 +3418,9 @@ encrypt_chunk(uint8_t *buf, off_t size, off_t maxsize)
int encrypted_this_round = 0; int encrypted_this_round = 0;
/* man page says encrypted output could be this large */ /* man page says encrypted output could be this large */
assert(size + EVP_CIPHER_CTX_block_size(&cipher_ctx) - 1 <= maxsize); assert(size + EVP_CIPHER_CTX_block_size(cipher_ctxp) - 1 <= maxsize);
EVP_EncryptUpdate(&cipher_ctx, ebuffer_current, &encrypted_this_round, EVP_EncryptUpdate(cipher_ctxp, ebuffer_current, &encrypted_this_round,
buf, size); buf, size);
encrypted_bytes += encrypted_this_round; encrypted_bytes += encrypted_this_round;
ebuffer_current = encryption_buffer + encrypted_bytes; ebuffer_current = encryption_buffer + encrypted_bytes;
...@@ -3406,7 +3431,7 @@ encrypt_finish(blockhdr_t *hdr, uint8_t *outbuf, uint32_t *out_size) ...@@ -3406,7 +3431,7 @@ encrypt_finish(blockhdr_t *hdr, uint8_t *outbuf, uint32_t *out_size)
{ {
int encrypted_this_round = 0; int encrypted_this_round = 0;
EVP_EncryptFinal(&cipher_ctx, ebuffer_current, &encrypted_this_round); EVP_EncryptFinal(cipher_ctxp, ebuffer_current, &encrypted_this_round);
encrypted_bytes += encrypted_this_round; encrypted_bytes += encrypted_this_round;
/* /*
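Review bot: In output_public_key's OpenSSL >= 1.1.0 branch only `RSA_get0_key(key,&n,&e,NULL)` is called, so `dmp1`, `dmq1` and `iqmp` are still NULL when handed to `BN_print_fp`; the old branch printed `key->dmp1`/`key->dmq1`/`key->iqmp`, so the written file changes, and BN_print_fp is not documented to accept a NULL BIGNUM. Insert `RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);` directly after the `RSA_get0_key` line. In encrypt_start, `cipher_ctxp = EVP_CIPHER_CTX_new();` is likewise unchecked, and the static `cipher_ctxp` is never freed or cleaned up in the hunks shown; a NULL check there plus an `EVP_CIPHER_CTX_free(cipher_ctxp)` at the end of encrypt_finish (whose body continues outside the hunk) would cover both.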
......