v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX ctx;
-#endif
+ ikev2_main_t *km = &ikev2_main;
+ u32 thread_index = vlib_get_thread_index ();
+ ikev2_main_per_thread_data_t *ptd =
+ vec_elt_at_index (km->per_thread_data, thread_index);
+ HMAC_CTX *ctx = ptd->hmac_ctx;
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = HMAC_CTX_new ();
HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (ctx, data, vec_len (data));
HMAC_Final (ctx, prf, &len);
- HMAC_CTX_free (ctx);
-#else
- HMAC_CTX_init (&ctx);
- HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (&ctx, data, vec_len (data));
- HMAC_Final (&ctx, prf, &len);
- HMAC_CTX_cleanup (&ctx);
-#endif
ASSERT (len == tr->key_trunc);
return prf;
v8 *
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
+ ikev2_main_t *km = &ikev2_main;
+ u32 thread_index = vlib_get_thread_index ();
+ ikev2_main_per_thread_data_t *ptd =
+ vec_elt_at_index (km->per_thread_data, thread_index);
+ HMAC_CTX *ctx = ptd->hmac_ctx;
v8 *r;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *hctx;
-#else
- HMAC_CTX hctx;
-#endif
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
}
/* verify integrity of data */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- hctx = HMAC_CTX_new ();
- HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (hctx, (const u8 *) data, len);
- HMAC_Final (hctx, r, &l);
- HMAC_CTX_free (hctx);
-#else
- HMAC_CTX_init (&hctx);
- HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
- HMAC_Update (&hctx, (const u8 *) data, len);
- HMAC_Final (&hctx, r, &l);
- HMAC_CTX_cleanup (&hctx);
-#endif
-
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, (const u8 *) data, len);
+ HMAC_Final (ctx, r, &l);
ASSERT (l == tr->key_len);
return r;
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_CIPHER_CTX *ctx;
-#else
- EVP_CIPHER_CTX ctx;
-#endif
- v8 *r;
+ ikev2_main_t *km = &ikev2_main;
+ u32 thread_index = vlib_get_thread_index ();
+ ikev2_main_per_thread_data_t *ptd =
+ vec_elt_at_index (km->per_thread_data, thread_index);
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
return 0;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = EVP_CIPHER_CTX_new ();
-#else
- EVP_CIPHER_CTX_init (&ctx);
-#endif
-
- r = vec_new (u8, len - block_size);
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ v8 *r = vec_new (u8, len - block_size);
EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
-#else
- EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
- EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
- EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-#endif
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_CIPHER_CTX_free (ctx);
-#else
- EVP_CIPHER_CTX_cleanup (&ctx);
-#endif
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- EVP_CIPHER_CTX *ctx;
-#else
- EVP_CIPHER_CTX ctx;
-#endif
+ ikev2_main_t *km = &ikev2_main;
+ u32 thread_index = vlib_get_thread_index ();
+ ikev2_main_per_thread_data_t *ptd =
+ vec_elt_at_index (km->per_thread_data, thread_index);
+ EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
/* generate IV */
RAND_bytes (dst, bs);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ctx = EVP_CIPHER_CTX_new ();
EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
- EVP_CIPHER_CTX_free (ctx);
-#else
- EVP_CIPHER_CTX_init (&ctx);
- EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
- EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
- EVP_CIPHER_CTX_cleanup (&ctx);
-#endif
ASSERT (vec_len (src) == out_len);
return out_len + bs;
}
+#ifndef BN_bn2binpad
+int
+BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen)
+{
+ int r = BN_bn2bin (a, to);
+ ASSERT (tolen >= r);
+ int pad = tolen - r;
+ if (pad)
+ {
+ vec_insert (to, pad, 0);
+ clib_memset (to, 0, pad);
+ _vec_len (to) -= pad;
+ }
+ return tolen;
+}
+#endif
+
void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
sa->dh_private_key = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
DH_get0_key (dh, &pub_key, &priv_key);
- r = BN_bn2bin (pub_key, sa->i_dh_data);
+ r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
- r = BN_bn2bin (priv_key, sa->dh_private_key);
+ r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
+ r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
- r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
+ r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len);
#endif
ASSERT (r == t->key_len);
}
sa->r_dh_data = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
DH_get0_key (dh, &pub_key, &priv_key);
- r = BN_bn2bin (pub_key, sa->r_dh_data);
+ r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
+ r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len);
#endif
ASSERT (r == t->key_len);
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ _vec_len (sa->dh_shared_key) -= pad;
+ }
BN_clear_free (ex);
}
DH_free (dh);
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ _vec_len (sa->dh_shared_key) -= pad;
+ }
BN_clear_free (ex);
DH_free (dh);
}