From dae346539e35359513bd5eb59ef8fcb5d1c16e3b Mon Sep 17 00:00:00 2001
From: Eduardo Barretto
Date: Thu, 16 Mar 2017 21:52:59 -0300
Subject: [PATCH] Adapt EVP_CIPHER to new API for AES to support openssl-1.1

Signed-off-by: Eduardo Barretto
---
src/e_pkcs11.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 81 insertions(+), 1 deletion(-)

diff --git a/src/e_pkcs11.c b/src/e_pkcs11.c
index 278d14b..6629a36 100644
--- a/src/e_pkcs11.c
+++ b/src/e_pkcs11.c
@@ -381,9 +381,9 @@ static void pkcs11_tdes_##lmode##_destroy(void) \
 DECLARE_TDES_EVP(ecb, ECB)
 DECLARE_TDES_EVP(cbc, CBC)
-
 #endif
+#ifdef OLDER_OPENSSL
 /* AES ECB */
 const EVP_CIPHER pkcs11_aes_128_ecb = {
 NID_aes_128_cbc, /* NID */
@@ -400,6 +400,7 @@ const EVP_CIPHER pkcs11_aes_128_ecb = {
 NULL, /* misc ctrl ops */
 NULL /* app data (ctx->cipher_data) */
 };
+
 const EVP_CIPHER pkcs11_aes_192_ecb = {
 NID_aes_192_ecb, /* NID */
 16, /* Block size */
@@ -415,6 +416,7 @@ const EVP_CIPHER pkcs11_aes_192_ecb = {
 NULL, /* misc ctrl ops */
 NULL /* app data (ctx->cipher_data) */
 };
+
 const EVP_CIPHER pkcs11_aes_256_ecb = {
 NID_aes_256_ecb, /* NID */
 16, /* Block size */
@@ -447,6 +449,7 @@ const EVP_CIPHER pkcs11_aes_128_cbc = {
 NULL, /* misc ctrl ops */
 NULL /* app data (ctx->cipher_data) */
 };
+
 const EVP_CIPHER pkcs11_aes_192_cbc = {
 NID_aes_192_cbc, /* NID */
 16, /* Block size */
@@ -462,6 +465,7 @@ const EVP_CIPHER pkcs11_aes_192_cbc = {
 NULL, /* misc ctrl ops */
 NULL /* app data (ctx->cipher_data) */
 };
+
 const EVP_CIPHER pkcs11_aes_256_cbc = {
 NID_aes_256_cbc, /* NID */
 16, /* Block size */
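Review bot: The OLDER_OPENSSL table that the first hunk now fences still initialises `pkcs11_aes_128_ecb` with `NID_aes_128_cbc` (context line `NID_aes_128_cbc, /* NID */`), so under the legacy API the object handed back for `case NID_aes_128_ecb` reports a CBC nid, while the other five AES structs in the following hunks carry the matching nid. This is pre-existing rather than introduced by the commit, but since the commit keeps this table alive as the legacy branch it is the natural place to change the line to `NID_aes_128_ecb, /* NID */`. A nid/mode mismatch matters because EVP-level code that keys behaviour off the nid (name lookup, ASN.1 parameter handling) can treat an ECB cipher as CBC. The remaining hunks on this line only add blank lines.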
@@ -477,6 +481,52 @@ const EVP_CIPHER pkcs11_aes_256_cbc = {
 NULL, /* misc ctrl ops */
 NULL /* app data (ctx->cipher_data) */
 };
+#else
+#define EVP_CIPHER_keylen_AES_128 16
+#define EVP_CIPHER_keylen_AES_192 24
+#define EVP_CIPHER_keylen_AES_256 32
+
+#define DECLARE_AES_EVP(ksize, lmode, umode) \
+static EVP_CIPHER *aes_##ksize##_##lmode = NULL; \
+static const EVP_CIPHER *pkcs11_aes_##ksize##_##lmode(void) \
+{ \
+ if (aes_##ksize##_##lmode == NULL) { \
+ EVP_CIPHER *cipher; \
+ if (( cipher = EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode, \
+ 8, \
+ EVP_CIPHER_keylen_AES_##ksize)) == NULL \
+ || !EVP_CIPHER_meth_set_iv_length(cipher, 16) \
+ || !EVP_CIPHER_meth_set_flags(cipher, EVP_CIPH_##umode##_MODE)\
+ || !EVP_CIPHER_meth_set_init(cipher, pkcs11_aes_init_key) \
+ || !EVP_CIPHER_meth_set_do_cipher(cipher, pkcs11_cipher) \
+ || !EVP_CIPHER_meth_set_cleanup(cipher, pkcs11_cipher_cleanup)\
+ || !EVP_CIPHER_meth_set_impl_ctx_size(cipher, sizeof( \
+ struct token_session))\
+ || !EVP_CIPHER_meth_set_set_asn1_params(cipher, \
+ EVP_CIPHER_set_asn1_iv) \
+ || !EVP_CIPHER_meth_set_get_asn1_params(cipher, \
+ EVP_CIPHER_get_asn1_iv)) { \
+ EVP_CIPHER_meth_free(cipher); \
+ cipher = NULL; \
+ } \
+ aes_##ksize##_##lmode = cipher; \
+ } \
+ return aes_##ksize##_##lmode; \
+} \
+ \
+static void pkcs11_aes_##ksize##_##lmode##_destroy(void) \
+{ \
+ EVP_CIPHER_meth_free(aes_##ksize##_##lmode); \
+ aes_##ksize##_##lmode = NULL; \
+}
+
+DECLARE_AES_EVP(128, cbc, CBC)
+DECLARE_AES_EVP(192, cbc, CBC)
+DECLARE_AES_EVP(256, cbc, CBC)
+DECLARE_AES_EVP(128, ecb, ECB)
+DECLARE_AES_EVP(192, ecb, ECB)
+DECLARE_AES_EVP(256, ecb, ECB)
+#endif
 /* Message Digests */
 const EVP_MD pkcs11_sha1 = {
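Review bot: `EVP_CIPHER_meth_new(NID_aes_##ksize##_##lmode, 8, EVP_CIPHER_keylen_AES_##ksize)` registers every AES method with an 8-byte block size, whereas the OLDER_OPENSSL structs in the preceding hunks declare `16, /* Block size */` and AES is a 128-bit block cipher. With 8 the EVP layer buffers and pads on 8-byte boundaries, so the token can be handed Update/Final input that is not a multiple of the AES block and `EVP_CIPHER_CTX_block_size()` misreports to callers; the argument should be `16`, preferably as a named constant beside the keylen defines (`#define EVP_CIPHER_blocklen_AES 16`). Two smaller points: `EVP_CIPHER_meth_set_iv_length(cipher, 16)` is also applied to the ECB instantiations, where an IV has no meaning (OpenSSL's own AES-ECB methods advertise 0), so the IV length is worth passing per mode or confirming against what the legacy ECB structs declared. The lazy `if (aes_##ksize##_##lmode == NULL)` initialisation is not serialised, so two threads fetching the same cipher concurrently can each allocate a method and leak one; acceptable if the engine is only ever initialised under the caller's lock, otherwise mirror whatever DECLARE_TDES_EVP does or guard it with a CRYPTO_THREAD lock.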
@@ -906,22 +956,46 @@ static int pkcs11_engine_ciphers(ENGINE * e, const EVP_CIPHER ** cipher,
 if (pkcs11_token->pkcs11_implemented_ciphers[nid]) {
 switch (nid) {
 case NID_aes_128_ecb:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_128_ecb;
+#else
+ *cipher = pkcs11_aes_128_ecb();
+#endif
 break;
 case NID_aes_192_ecb:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_192_ecb;
+#else
+ *cipher = pkcs11_aes_192_ecb();
+#endif
 break;
 case NID_aes_256_ecb:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_256_ecb;
+#else
+ *cipher = pkcs11_aes_256_ecb();
+#endif
 break;
 case NID_aes_128_cbc:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_128_cbc;
+#else
+ *cipher = pkcs11_aes_128_cbc();
+#endif
 break;
 case NID_aes_192_cbc:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_192_cbc;
+#else
+ *cipher = pkcs11_aes_192_cbc();
+#endif
 break;
 case NID_aes_256_cbc:
+#ifdef OLDER_OPENSSL
 *cipher = &pkcs11_aes_256_cbc;
+#else
+ *cipher = pkcs11_aes_256_cbc();
+#endif
 break;
 case NID_des_ecb:
 #ifdef OLDER_OPENSSL
@@ -1552,6 +1626,12 @@ static int pkcs11_destroy(ENGINE *e)
 pkcs11_des_cbc_destroy();
 pkcs11_tdes_ecb_destroy();
 pkcs11_tdes_cbc_destroy();
+ pkcs11_aes_128_cbc_destroy();
+ pkcs11_aes_192_cbc_destroy();
+ pkcs11_aes_256_cbc_destroy();
+ pkcs11_aes_128_ecb_destroy();
+ pkcs11_aes_192_ecb_destroy();
+ pkcs11_aes_256_ecb_destroy();
 #endif
 free_PKCS11_LIBNAME();
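Review bot: In each new `#else` branch `*cipher = pkcs11_aes_128_ecb();` (and its five siblings) stores the helper's result unconditionally, but the DECLARE_AES_EVP helper returns NULL when `EVP_CIPHER_meth_new` or one of the setters fails, so a failed allocation leaves `*cipher == NULL` and the switch simply hits `break`. The tail of `pkcs11_engine_ciphers` is outside the hunk; if it returns 1 after the switch, the ENGINE layer is told a cipher was supplied and the caller goes on to dereference NULL. One check after the switch, `if (*cipher == NULL) return 0;`, covers all six cases and presumably the DES/TDES cases below, which appear to follow the same pattern. Stylistically, the six identical `#ifdef OLDER_OPENSSL … #else … #endif` blocks could be folded into a single `PKCS11_AES_CASE(bits, mode)` macro expanding to the case label and both variants, which keeps the switch readable as more ciphers are added.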