X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=src%2Fplugins%2Fikev2%2Fikev2_crypto.c;h=26ff43387e72331fd7240089168959cbee6e214a;hb=8ebcb7a99d7b73a1ee5874780b4efdc69d32c82f;hp=c8fed4393051f99eb791df613cdb0d9c25e05d29;hpb=de2dd6c35653225525b071d4dc748451e0d6bd7d;p=vpp.git diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c index c8fed439305..26ff43387e7 100644 --- a/src/plugins/ikev2/ikev2_crypto.c +++ b/src/plugins/ikev2/ikev2_crypto.c @@ -270,6 +270,7 @@ ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data) HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL); HMAC_Update (ctx, data, vec_len (data)); HMAC_Final (ctx, prf, &len); + HMAC_CTX_free (ctx); #else HMAC_CTX_init (&ctx); HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL); @@ -341,11 +342,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) if (tr->md == EVP_sha1 ()) { - clib_warning ("integrity checking with sha1"); + ikev2_elog_debug ("integrity checking with sha1"); } else if (tr->md == EVP_sha256 ()) { - clib_warning ("integrity checking with sha256"); + ikev2_elog_debug ("integrity checking with sha256"); } /* verify integrity of data */ @@ -354,6 +355,7 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL); HMAC_Update (hctx, (const u8 *) data, len); HMAC_Final (hctx, r, &l); + HMAC_CTX_free (hctx); #else HMAC_CTX_init (&hctx); HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL); @@ -387,7 +389,7 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) /* check if data is multiplier of cipher block size */ if (len % block_size) { - clib_warning ("wrong data length"); + ikev2_elog_error ("wrong data length"); return 0; } @@ -411,7 +413,9 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) /* remove padding */ _vec_len (r) -= r[vec_len (r) - 1] + 1; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX_free (ctx); +#else EVP_CIPHER_CTX_cleanup (&ctx); #endif return r; @@ -441,6 +445,7 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) ctx = EVP_CIPHER_CTX_new (); EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src)); + EVP_CIPHER_CTX_free (ctx); #else EVP_CIPHER_CTX_init (&ctx); EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); @@ -697,6 +702,7 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data) { + int verify; #if OPENSSL_VERSION_NUMBER >= 0x10100000L EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); #else @@ -713,10 +719,13 @@ ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data) #endif #if OPENSSL_VERSION_NUMBER >= 0x10100000L - return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey); + verify = EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey); + EVP_MD_CTX_free (md_ctx); #else - return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey); + verify = EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey); + EVP_MD_CTX_cleanup (&md_ctx); #endif + return verify; } u8 * @@ -726,6 +735,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); #else EVP_MD_CTX md_ctx; + EVP_MD_CTX_init (&md_ctx); #endif unsigned int sig_len = 0; u8 *sign; @@ -738,6 +748,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) sign = vec_new (u8, sig_len); /* calc sign */ EVP_SignFinal (md_ctx, sign, &sig_len, pkey); + EVP_MD_CTX_free (md_ctx); #else EVP_SignInit (&md_ctx, EVP_sha1 ()); EVP_SignUpdate (&md_ctx, data, vec_len (data)); @@ -746,6 +757,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) sign = vec_new (u8, sig_len); /* calc sign */ EVP_SignFinal (&md_ctx, sign, &sig_len, pkey); + EVP_MD_CTX_cleanup (&md_ctx); #endif return sign; } @@ -760,7 +772,7 @@ ikev2_load_cert_file (u8 * file) fp = fopen ((char *) file, "r"); if (!fp) { - clib_warning ("open %s failed", file); + ikev2_log_error ("open %s failed", file); goto end; } @@ -768,13 +780,13 @@ ikev2_load_cert_file (u8 * file) fclose (fp); if (x509 == NULL) { - clib_warning ("read cert %s failed", file); + ikev2_log_error ("read cert %s failed", file); goto end; } pkey = X509_get_pubkey (x509); if (pkey == NULL) - clib_warning ("get pubkey %s failed", file); + ikev2_log_error ("get pubkey %s failed", file); end: return pkey; @@ -789,14 +801,14 @@ ikev2_load_key_file (u8 * file) fp = fopen ((char *) file, "r"); if (!fp) { - clib_warning ("open %s failed", file); + ikev2_log_error ("open %s failed", file); goto end; } pkey = PEM_read_PrivateKey (fp, NULL, NULL, NULL); fclose (fp); if (pkey == NULL) - clib_warning ("read %s failed", file); + ikev2_log_error ("read %s failed", file); end: return pkey; @@ -834,21 +846,21 @@ ikev2_crypto_init (ikev2_main_t * km) vec_add2 (km->supported_transforms, tr, 1); tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM; + tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16; tr->key_len = 256 / 8; tr->block_size = 128 / 8; tr->cipher = EVP_aes_256_gcm (); vec_add2 (km->supported_transforms, tr, 1); tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM; + tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16; tr->key_len = 192 / 8; tr->block_size = 128 / 8; tr->cipher = EVP_aes_192_gcm (); vec_add2 (km->supported_transforms, tr, 1); tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM; + tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16; tr->key_len = 128 / 8; tr->block_size = 128 / 8; tr->cipher = EVP_aes_128_gcm ();