#ifndef __ESP_H__
#define __ESP_H__
+#include <vnet/ip/ip.h>
+#include <vnet/ipsec/ipsec.h>
+
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
typedef struct
{
const EVP_CIPHER *type;
-} esp_crypto_alg_t;
+} ipsec_proto_main_crypto_alg_t;
typedef struct
{
const EVP_MD *md;
u8 trunc_size;
-} esp_integ_alg_t;
+} ipsec_proto_main_integ_alg_t;
typedef struct
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *encrypt_ctx;
+#else
EVP_CIPHER_CTX encrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *decrypt_ctx;
+#else
EVP_CIPHER_CTX decrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hmac_ctx;
+#else
HMAC_CTX hmac_ctx;
+#endif
ipsec_crypto_alg_t last_encrypt_alg;
ipsec_crypto_alg_t last_decrypt_alg;
ipsec_integ_alg_t last_integ_alg;
-} esp_main_per_thread_data_t;
+} ipsec_proto_main_per_thread_data_t;
typedef struct
{
- esp_crypto_alg_t *esp_crypto_algs;
- esp_integ_alg_t *esp_integ_algs;
- esp_main_per_thread_data_t *per_thread_data;
-} esp_main_t;
+ ipsec_proto_main_crypto_alg_t *ipsec_proto_main_crypto_algs;
+ ipsec_proto_main_integ_alg_t *ipsec_proto_main_integ_algs;
+ ipsec_proto_main_per_thread_data_t *per_thread_data;
+} ipsec_proto_main_t;
-esp_main_t esp_main;
+extern ipsec_proto_main_t ipsec_proto_main;
#define ESP_WINDOW_SIZE (64)
#define ESP_SEQ_MAX (4294967295UL)
+u8 *format_esp_header (u8 * s, va_list * args);
always_inline int
esp_replay_check (ipsec_sa_t * sa, u32 seq)
}
always_inline void
-esp_init ()
+ipsec_proto_init ()
{
- esp_main_t *em = &esp_main;
+ ipsec_proto_main_t *em = &ipsec_proto_main;
vlib_thread_main_t *tm = vlib_get_thread_main ();
memset (em, 0, sizeof (em[0]));
- vec_validate (em->esp_crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
- em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].type = EVP_aes_128_cbc ();
- em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].type = EVP_aes_192_cbc ();
- em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].type = EVP_aes_256_cbc ();
+ vec_validate (em->ipsec_proto_main_crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].type =
+ EVP_aes_128_cbc ();
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].type =
+ EVP_aes_192_cbc ();
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].type =
+ EVP_aes_256_cbc ();
- vec_validate (em->esp_integ_algs, IPSEC_INTEG_N_ALG - 1);
- esp_integ_alg_t *i;
+ vec_validate (em->ipsec_proto_main_integ_algs, IPSEC_INTEG_N_ALG - 1);
+ ipsec_proto_main_integ_alg_t *i;
- i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA1_96];
+ i = &em->ipsec_proto_main_integ_algs[IPSEC_INTEG_ALG_SHA1_96];
i->md = EVP_sha1 ();
i->trunc_size = 12;
- i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
+ i = &em->ipsec_proto_main_integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
i->md = EVP_sha256 ();
i->trunc_size = 12;
- i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
+ i = &em->ipsec_proto_main_integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
i->md = EVP_sha256 ();
i->trunc_size = 16;
- i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
+ i = &em->ipsec_proto_main_integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
i->md = EVP_sha384 ();
i->trunc_size = 24;
- i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
+ i = &em->ipsec_proto_main_integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
i->md = EVP_sha512 ();
i->trunc_size = 32;
for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
+#endif
}
}
int key_len,
u8 * data, int data_len, u8 * signature, u8 use_esn, u32 seq_hi)
{
- esp_main_t *em = &esp_main;
+ ipsec_proto_main_t *em = &ipsec_proto_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx;
+#else
HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
+#endif
const EVP_MD *md = NULL;
unsigned int len;
ASSERT (alg < IPSEC_INTEG_N_ALG);
- if (PREDICT_FALSE (em->esp_integ_algs[alg].md == 0))
+ if (PREDICT_FALSE (em->ipsec_proto_main_integ_algs[alg].md == 0))
return 0;
if (PREDICT_FALSE (alg != em->per_thread_data[thread_index].last_integ_alg))
{
- md = em->esp_integ_algs[alg].md;
+ md = em->ipsec_proto_main_integ_algs[alg].md;
em->per_thread_data[thread_index].last_integ_alg = alg;
}
- HMAC_Init (ctx, key, key_len, md);
+ HMAC_Init_ex (ctx, key, key_len, md, NULL);
HMAC_Update (ctx, data, data_len);
HMAC_Update (ctx, (u8 *) & seq_hi, sizeof (seq_hi));
HMAC_Final (ctx, signature, &len);
- return em->esp_integ_algs[alg].trunc_size;
+ return em->ipsec_proto_main_integ_algs[alg].trunc_size;
}
#endif /* __ESP_H__ */
Code Review / vpp.git / blobdiff