#include <vlib/vlib.h>
#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
-#include <vnet/udp/udp.h>
#include <plugins/ikev2/ikev2.h>
#include <plugins/ikev2/ikev2_priv.h>
#include <openssl/obj_mac.h>
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX ctx;
-#endif
+ ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
+ HMAC_CTX *ctx = ptd->hmac_ctx;
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = HMAC_CTX_new ();
HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (ctx, data, vec_len (data));
HMAC_Final (ctx, prf, &len);
-#else
- HMAC_CTX_init (&ctx);
- HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (&ctx, data, vec_len (data));
- HMAC_Final (&ctx, prf, &len);
- HMAC_CTX_cleanup (&ctx);
-#endif
ASSERT (len == tr->key_trunc);
return prf;
v8 *
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
+ ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
+ HMAC_CTX *ctx = ptd->hmac_ctx;
v8 *r;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *hctx;
-#else
- HMAC_CTX hctx;
-#endif
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
if (tr->md == EVP_sha1 ())
{
- clib_warning ("integrity checking with sha1");
+ ikev2_elog_debug ("integrity checking with sha1");
}
else if (tr->md == EVP_sha256 ())
{
- clib_warning ("integrity checking with sha256");
+ ikev2_elog_debug ("integrity checking with sha256");
}
/* verify integrity of data */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- hctx = HMAC_CTX_new ();
- HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (hctx, (const u8 *) data, len);
- HMAC_Final (hctx, r, &l);
-#else
- HMAC_CTX_init (&hctx);
- HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (&hctx, (const u8 *) data, len);
- HMAC_Final (&hctx, r, &l);
- HMAC_CTX_cleanup (&hctx);
-#endif
-
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, (const u8 *) data, len);
+ HMAC_Final (ctx, r, &l);
ASSERT (l == tr->key_len);
return r;
}
-v8 *
-ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
+static_always_inline void
+ikev2_init_gcm_nonce (u8 * nonce, u8 * salt, u8 * iv)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_CIPHER_CTX *ctx;
-#else
- EVP_CIPHER_CTX ctx;
-#endif
- v8 *r;
- int out_len = 0, block_size;
- ikev2_sa_transform_t *tr_encr;
+ clib_memcpy (nonce, salt, IKEV2_GCM_SALT_SIZE);
+ clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE);
+}
+
+int
+ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, u8 * data,
+ int data_len, u8 * aad, u32 aad_len, u8 * tag,
+ u32 * out_len)
+{
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
+ int len = 0;
u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
+ u8 nonce[IKEV2_GCM_NONCE_SIZE];
+
+ if (data_len <= IKEV2_GCM_IV_SIZE)
+ /* runt data */
+ return 0;
- tr_encr =
- ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
+ /* extract salt from the end of the key */
+ u8 *salt = key + vec_len (key) - IKEV2_GCM_SALT_SIZE;
+ ikev2_init_gcm_nonce (nonce, salt, data);
+
+ data += IKEV2_GCM_IV_SIZE;
+ data_len -= IKEV2_GCM_IV_SIZE;
+
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0);
+ EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0);
+ EVP_DecryptInit_ex (ctx, 0, 0, key, nonce);
+ EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len);
+ EVP_DecryptUpdate (ctx, data, &len, data, data_len);
+ EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag);
+
+ if (EVP_DecryptFinal_ex (ctx, data + len, &len) > 0)
+ {
+ *out_len = data_len - data[data_len - 1] - 1;
+ return 1;
+ }
+
+ return 0;
+}
+
+int
+ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, u8 * data, int len,
+ u32 * out_len)
+{
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
+ int tmp_len = 0, block_size;
+ u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
block_size = tr_encr->block_size;
+ u8 *iv = data;
/* check if data is multiplier of cipher block size */
if (len % block_size)
{
- clib_warning ("wrong data length");
+ ikev2_elog_error ("wrong data length");
return 0;
}
+ data += block_size;
+ len -= block_size;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = EVP_CIPHER_CTX_new ();
-#else
- EVP_CIPHER_CTX_init (&ctx);
-#endif
-
- r = vec_new (u8, len - block_size);
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv);
+ EVP_CIPHER_CTX_set_padding (ctx, 0);
+ EVP_DecryptUpdate (ctx, data, &tmp_len, data, len);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
- EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
- EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
-#else
- EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
- EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
- EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-#endif
- /* remove padding */
- _vec_len (r) -= r[vec_len (r) - 1] + 1;
+ if (EVP_DecryptFinal_ex (ctx, data + tmp_len, &tmp_len) > 0)
+ {
+ *out_len = len - data[len - 1] - 1;
+ return 1;
+ }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EVP_CIPHER_CTX_cleanup (&ctx);
-#endif
- return r;
+ return 0;
}
int
-ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
+ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr,
+ v8 * src, u8 * dst, u8 * aad, u32 aad_len, u8 * tag)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_CIPHER_CTX *ctx;
-#else
- EVP_CIPHER_CTX ctx;
-#endif
- int out_len;
- int bs;
- ikev2_sa_transform_t *tr_encr;
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
+ int out_len = 0, len = 0;
+ u8 nonce[IKEV2_GCM_NONCE_SIZE];
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
+
+ /* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */
+ RAND_bytes (dst, IKEV2_GCM_IV_SIZE);
+ ikev2_init_gcm_nonce (nonce, key + vec_len (key) - IKEV2_GCM_SALT_SIZE,
+ dst);
+ dst += IKEV2_GCM_IV_SIZE;
+
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0);
+ EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL);
+ EVP_EncryptInit_ex (ctx, 0, 0, key, nonce);
+ EVP_EncryptUpdate (ctx, NULL, &out_len, aad, aad_len);
+ EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src));
+ EVP_EncryptFinal_ex (ctx, dst + out_len, &len);
+ EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, 16, tag);
+ out_len += len;
+ ASSERT (vec_len (src) == out_len);
+
+ return out_len + IKEV2_GCM_IV_SIZE;
+}
- tr_encr =
- ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
- bs = tr_encr->block_size;
+int
+ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst)
+{
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
+ int out_len = 0, len = 0;
+ int bs = tr_encr->block_size;
+ u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
/* generate IV */
- RAND_bytes (dst, bs);
+ u8 *iv = dst;
+ RAND_bytes (iv, bs);
+ dst += bs;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = EVP_CIPHER_CTX_new ();
- EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
- EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
-#else
- EVP_CIPHER_CTX_init (&ctx);
- EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
- EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
- EVP_CIPHER_CTX_cleanup (&ctx);
-#endif
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv);
+ /* disable padding as pad data were added before */
+ EVP_CIPHER_CTX_set_padding (ctx, 0);
+ EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src));
+ EVP_EncryptFinal_ex (ctx, dst + out_len, &len);
+ out_len += len;
ASSERT (vec_len (src) == out_len);
return out_len + bs;
}
+#ifndef BN_bn2binpad
+int
+BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen)
+{
+ int r = BN_num_bytes (a);
+ ASSERT (tolen >= r);
+ int pad = tolen - r;
+ if (pad)
+ {
+ clib_memset (to, 0, pad);
+ }
+ BN_bn2bin (a, to + pad);
+ return tolen;
+}
+#endif
+
void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *p = BN_new ();
- BIGNUM *q = BN_new ();
- BIGNUM *g = BN_new ();
- BIGNUM *pub_key = BN_new ();
- BIGNUM *priv_key = BN_new ();
-#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ const BIGNUM *pub_key, *priv_key;
+
BN_hex2bn (&p, t->dh_p);
BN_hex2bn (&g, t->dh_g);
- DH_set0_pqg (dh, p, q, g);
+ DH_set0_pqg (dh, p, NULL, g);
#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
sa->i_dh_data = vec_new (u8, t->key_len);
sa->dh_private_key = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- r = BN_bn2bin (pub_key, sa->i_dh_data);
+ DH_get0_key (dh, &pub_key, &priv_key);
+ r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
- r = BN_bn2bin (priv_key, sa->dh_private_key);
- DH_set0_key (dh, pub_key, priv_key);
+ r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
- ASSERT (r == t->key_len);
- r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
+ r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
+ r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len);
#endif
+ ASSERT (r == t->key_len);
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- r = BN_bn2bin (pub_key, sa->i_dh_data);
- ASSERT (r == t->key_len);
- DH_set0_key (dh, pub_key, NULL);
+ DH_get0_key (dh, &pub_key, &priv_key);
+ r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
- ASSERT (r == t->key_len);
+ r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len);
#endif
+ ASSERT (r == t->key_len);
+
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ vec_dec_len (sa->dh_shared_key, pad);
+ }
BN_clear_free (ex);
}
DH_free (dh);
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *p = BN_new ();
- BIGNUM *q = BN_new ();
- BIGNUM *g = BN_new ();
- BIGNUM *priv_key = BN_new ();
-#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ BIGNUM *priv_key;
+
BN_hex2bn (&p, t->dh_p);
BN_hex2bn (&g, t->dh_g);
- DH_set0_pqg (dh, p, q, g);
+ DH_set0_pqg (dh, p, NULL, g);
priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ vec_dec_len (sa->dh_shared_key, pad);
+ }
BN_clear_free (ex);
DH_free (dh);
}
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
+ int verify;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
#else
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+ verify = EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+ EVP_MD_CTX_free (md_ctx);
#else
- return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+ verify = EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+ EVP_MD_CTX_cleanup (&md_ctx);
#endif
+ return verify;
}
u8 *
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
#else
EVP_MD_CTX md_ctx;
+ EVP_MD_CTX_init (&md_ctx);
#endif
unsigned int sig_len = 0;
u8 *sign;
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+ EVP_MD_CTX_free (md_ctx);
#else
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
+ EVP_MD_CTX_cleanup (&md_ctx);
#endif
return sign;
}
fp = fopen ((char *) file, "r");
if (!fp)
{
- clib_warning ("open %s failed", file);
+ ikev2_log_error ("open %s failed", file);
goto end;
}
fclose (fp);
if (x509 == NULL)
{
- clib_warning ("read cert %s failed", file);
+ ikev2_log_error ("read cert %s failed", file);
goto end;
}
pkey = X509_get_pubkey (x509);
+ X509_free (x509);
if (pkey == NULL)
- clib_warning ("get pubkey %s failed", file);
+ ikev2_log_error ("get pubkey %s failed", file);
end:
return pkey;
fp = fopen ((char *) file, "r");
if (!fp)
{
- clib_warning ("open %s failed", file);
+ ikev2_log_error ("open %s failed", file);
goto end;
}
pkey = PEM_read_PrivateKey (fp, NULL, NULL, NULL);
fclose (fp);
if (pkey == NULL)
- clib_warning ("read %s failed", file);
+ ikev2_log_error ("read %s failed", file);
end:
return pkey;
tr->block_size = 128 / 8;
tr->cipher = EVP_aes_128_cbc ();
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_ENCR;
+ tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
+ tr->key_len = 256 / 8;
+ tr->block_size = 128 / 8;
+ tr->cipher = EVP_aes_256_gcm ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_ENCR;
+ tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
+ tr->key_len = 192 / 8;
+ tr->block_size = 128 / 8;
+ tr->cipher = EVP_aes_192_gcm ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_ENCR;
+ tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
+ tr->key_len = 128 / 8;
+ tr->block_size = 128 / 8;
+ tr->cipher = EVP_aes_128_gcm ();
+
//PRF
vec_add2 (km->supported_transforms, tr, 1);
tr->type = IKEV2_TRANSFORM_TYPE_PRF;