build: drop support for openssl 1

The OpenSSL 1.1 branch has reached End Of Live in September 2023. It's
time to rip out the support in upstream for this version of OpenSSL.

That means TLS and authentication for the fabrics commands won't be
supported anymore. The rest will continue to work.

Signed-off-by: Daniel Wagner <wagi@kernel.org>

Author: igaw

meson.build

@@ -79,36 +79,23 @@ if get_option('openssl').disabled()
   openssl_dep = dependency('', required: false)
 else
   openssl_dep = dependency('openssl',
-                           version: '>=1.1.0',
+                           version: '>=3.0.0',
                            required: get_option('openssl'),
                            fallback : ['openssl', 'libssl_dep'])
-
-  if openssl_dep.found()
-    if openssl_dep.version().version_compare('<2.0.0')
-      api_version = 1
-    endif
-
-    if openssl_dep.version().version_compare('>=3.0.0')
-      api_version = 3
-    endif
-
-    # Test for LibreSSL v3.x with incomplete OpenSSL v3 APIs
-    if openssl_dep.type_name() != 'internal'
-      is_libressl = cc.has_header_symbol('openssl/opensslv.h',
-                                         'LIBRESSL_VERSION_NUMBER',
-                                         dependencies: openssl_dep)
-      has_header = cc.has_header('openssl/core_names.h',
-                                 dependencies: openssl_dep)
-      if is_libressl and not has_header
-        api_version = 1
-      endif
+endif
+if openssl_dep.found()
+  # Test for LibreSSL v3.x with incomplete OpenSSL v3 APIs
+  if openssl_dep.type_name() != 'internal'
+    is_libressl = cc.has_header_symbol('openssl/opensslv.h',
+                                       'LIBRESSL_VERSION_NUMBER',
+                                       dependencies: openssl_dep)
+    has_header = cc.has_header('openssl/core_names.h',
+                               dependencies: openssl_dep)
+    if is_libressl and not has_header
+      openssl_dep = dependency('', required: false)
     endif
-
-    conf.set('CONFIG_OPENSSL_@0@'.format(api_version), true,
-             description: 'OpenSSL/LibreSSL API version @0@'.format(api_version))
   endif
 endif
-
 conf.set('CONFIG_OPENSSL', openssl_dep.found(),
          description: 'Is OpenSSL/LibreSSL available?')
 

src/nvme/linux.c

@@ -21,12 +21,9 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/kdf.h>
-
-#ifdef CONFIG_OPENSSL_3
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #endif
-#endif
 
 #ifdef CONFIG_KEYUTILS
 #include <keyutils.h>
@@ -812,149 +809,7 @@ static int derive_tls_key(int version, unsigned char cipher,
 
 	return key_len;
 }
-#endif /* CONFIG_OPENSSL */
-
-#ifdef CONFIG_OPENSSL_1
-static DEFINE_CLEANUP_FUNC(cleanup_hmac_ctx, HMAC_CTX *, HMAC_CTX_free)
-#define _cleanup_hmac_ctx_ __cleanup__(cleanup_hmac_ctx)
-
-int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
-			unsigned int key_len, unsigned char *secret,
-			unsigned char *key)
-{
-	const char hmac_seed[] = "NVMe-over-Fabrics";
-	_cleanup_hmac_ctx_ HMAC_CTX *hmac_ctx = NULL;
-	const EVP_MD *md;
-
-	hmac_ctx = HMAC_CTX_new();
-	if (!hmac_ctx) {
-		errno = ENOMEM;
-		return -1;
-	}
-
-	switch (hmac) {
-	case NVME_HMAC_ALG_NONE:
-		memcpy(key, secret, key_len);
-		return 0;
-	case NVME_HMAC_ALG_SHA2_256:
-		md = EVP_sha256();
-		break;
-	case NVME_HMAC_ALG_SHA2_384:
-		md = EVP_sha384();
-		break;
-	case NVME_HMAC_ALG_SHA2_512:
-		md = EVP_sha512();
-		break;
-	default:
-		errno = EINVAL;
-		return -1;
-	}
-
-	if (!md) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	if (!HMAC_Init_ex(hmac_ctx, secret, key_len, md, NULL)) {
-		errno = ENOMEM;
-		return -1;
-	}
-
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)hostnqn,
-			 strlen(hostnqn))) {
-		errno = ENOKEY;
-		return -1;
-	}
-
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)hmac_seed,
-			 strlen(hmac_seed))) {
-		errno = ENOKEY;
-		return -1;
-	}
-
-	if (!HMAC_Final(hmac_ctx, key, &key_len)) {
-		errno = ENOKEY;
-		return -1;
-	}
-
-	return 0;
-}
-
-static int derive_psk_digest(const char *hostnqn, const char *subsysnqn,
-			     int version, int cipher,
-			     unsigned char *retained, size_t key_len,
-			     char *digest, size_t digest_len)
-{
-	static const char hmac_seed[] = "NVMe-over-Fabrics";
-	_cleanup_hmac_ctx_ HMAC_CTX *hmac_ctx = NULL;
-	_cleanup_free_ unsigned char *psk_ctx = NULL;
-	const EVP_MD *md;
-	size_t hmac_len;
-	size_t len;
-
-	hmac_ctx = HMAC_CTX_new();
-	if (!hmac_ctx) {
-		errno = ENOMEM;
-		return -1;
-	}
-	md = select_hmac(cipher, &hmac_len);
-	if (!md || !hmac_len) {
-		errno = EINVAL;
-		return -1;
-	}
-
-	psk_ctx = malloc(key_len);
-	if (!psk_ctx) {
-		errno = ENOMEM;
-		return -1;
-	}
-	if (!HMAC_Init_ex(hmac_ctx, retained, key_len, md, NULL)) {
-		errno = ENOMEM;
-		return -1;
-	}
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)hostnqn,
-			 strlen(hostnqn))) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)" ", 1)) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)subsysnqn,
-			 strlen(subsysnqn))) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)" ", 1)) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (!HMAC_Update(hmac_ctx, (unsigned char *)hmac_seed,
-			 strlen(hmac_seed))) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (!HMAC_Final(hmac_ctx, psk_ctx, (unsigned int *)&key_len)) {
-		errno = ENOKEY;
-		return -1;
-	}
-	if (key_len * 2 > digest_len) {
-		errno = EINVAL;
-		return -1;
-	}
-	memset(digest, 0, digest_len);
-	len = base64_encode(psk_ctx, key_len, digest);
-	if (len < 0) {
-		errno = ENOKEY;
-		return len;
-	}
-	return strlen(digest);
-}
-
-#endif /* !CONFIG_OPENSSL_1 */
 
-#ifdef CONFIG_OPENSSL_3
 static DEFINE_CLEANUP_FUNC(
 	cleanup_ossl_lib_ctx, OSSL_LIB_CTX *, OSSL_LIB_CTX_free)
 #define _cleanup_ossl_lib_ctx_ __cleanup__(cleanup_ossl_lib_ctx)
@@ -1148,7 +1003,7 @@ static int derive_psk_digest(const char *hostnqn, const char *subsysnqn,
 	}
 	return strlen(digest);
 }
-#endif /* !CONFIG_OPENSSL_3 */
+#endif /* !CONFIG_OPENSSL */
 
 static int gen_tls_identity(const char *hostnqn, const char *subsysnqn,
 			    int version, int cipher, char *digest,