#include <vlib/vlib.h>
#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
-#include <vnet/udp/udp.h>
#include <plugins/ikev2/ikev2.h>
#include <plugins/ikev2/ikev2_priv.h>
#include <openssl/obj_mac.h>
clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE);
}
-u8 *
+int
ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data,
- int data_len, u8 * aad, u32 aad_len, u8 * tag)
+ int data_len, u8 * aad, u32 aad_len, u8 * tag,
+ u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int len = 0;
data += IKEV2_GCM_IV_SIZE;
data_len -= IKEV2_GCM_IV_SIZE;
- v8 *r = vec_new (u8, data_len);
EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0);
EVP_DecryptInit_ex (ctx, 0, 0, key, nonce);
EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len);
- EVP_DecryptUpdate (ctx, r, &len, data, data_len);
+ EVP_DecryptUpdate (ctx, data, &len, data, data_len);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag);
- if (EVP_DecryptFinal_ex (ctx, r + len, &len) > 0)
+ if (EVP_DecryptFinal_ex (ctx, data + len, &len) > 0)
{
- /* remove padding */
- _vec_len (r) -= r[vec_len (r) - 1] + 1;
- return r;
+ *out_len = data_len - data[data_len - 1] - 1;
+ return 1;
}
- vec_free (r);
return 0;
}
-v8 *
+int
ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
- ikev2_sa_transform_t * tr_encr, u8 * data, int len)
+ ikev2_sa_transform_t * tr_encr, u8 * data, int len,
+ u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
- int out_len = 0, block_size;
+ int tmp_len = 0, block_size;
u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
block_size = tr_encr->block_size;
+ u8 *iv = data;
/* check if data is multiplier of cipher block size */
if (len % block_size)
ikev2_elog_error ("wrong data length");
return 0;
}
+ data += block_size;
+ len -= block_size;
- v8 *r = vec_new (u8, len - block_size);
- EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
- EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
- EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
- /* remove padding */
- _vec_len (r) -= r[vec_len (r) - 1] + 1;
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv);
+ EVP_CIPHER_CTX_set_padding (ctx, 0);
+ EVP_DecryptUpdate (ctx, data, &tmp_len, data, len);
- return r;
+ if (EVP_DecryptFinal_ex (ctx, data + tmp_len, &tmp_len) > 0)
+ {
+ *out_len = len - data[len - 1] - 1;
+ return 1;
+ }
+
+ return 0;
}
int
int out_len = 0, len = 0;
u8 nonce[IKEV2_GCM_NONCE_SIZE];
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
/* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */
RAND_bytes (dst, IKEV2_GCM_IV_SIZE);
int out_len = 0, len = 0;
int bs = tr_encr->block_size;
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
/* generate IV */
u8 *iv = dst;
int
BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen)
{
- int r = BN_bn2bin (a, to);
+ int r = BN_num_bytes (a);
ASSERT (tolen >= r);
int pad = tolen - r;
if (pad)
{
- vec_insert (to, pad, 0);
clib_memset (to, 0, pad);
- _vec_len (to) -= pad;
}
+ BN_bn2bin (a, to + pad);
return tolen;
}
#endif
{
vec_insert (sa->dh_shared_key, pad, 0);
clib_memset (sa->dh_shared_key, 0, pad);
- _vec_len (sa->dh_shared_key) -= pad;
+ vec_dec_len (sa->dh_shared_key, pad);
}
BN_clear_free (ex);
}
{
vec_insert (sa->dh_shared_key, pad, 0);
clib_memset (sa->dh_shared_key, 0, pad);
- _vec_len (sa->dh_shared_key) -= pad;
+ vec_dec_len (sa->dh_shared_key, pad);
}
BN_clear_free (ex);
DH_free (dh);
}
pkey = X509_get_pubkey (x509);
+ X509_free (x509);
if (pkey == NULL)
ikev2_log_error ("get pubkey %s failed", file);