X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fikev2%2Fikev2_crypto.c;h=3d4ad0a28ed631844765308dfa0de92ee34cd4c4;hb=16cc15b23227c4ec866405b1bf205faf3d0f4a56;hp=49629a5dab535856323e2202013bcf63df222c58;hpb=c41217ab85f8bdd68db717e95eecb5edc58d620b;p=vpp.git diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c index 49629a5dab5..3d4ad0a28ed 100644 --- a/src/plugins/ikev2/ikev2_crypto.c +++ b/src/plugins/ikev2/ikev2_crypto.c @@ -15,9 +15,7 @@ #include #include -#include #include -#include #include #include #include @@ -256,28 +254,15 @@ static const char modp_dh_2048_256_generator[] = v8 * ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - HMAC_CTX *ctx; -#else - HMAC_CTX ctx; -#endif + ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data (); + HMAC_CTX *ctx = ptd->hmac_ctx; v8 *prf; unsigned int len = 0; prf = vec_new (u8, tr->key_trunc); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = HMAC_CTX_new (); HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL); HMAC_Update (ctx, data, vec_len (data)); HMAC_Final (ctx, prf, &len); - HMAC_CTX_free (ctx); -#else - HMAC_CTX_init (&ctx); - HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (&ctx, data, vec_len (data)); - HMAC_Final (&ctx, prf, &len); - HMAC_CTX_cleanup (&ctx); -#endif ASSERT (len == tr->key_trunc); return prf; @@ -328,12 +313,9 @@ ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed, int len) v8 * ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) { + ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data (); + HMAC_CTX *ctx = ptd->hmac_ctx; v8 *r; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - HMAC_CTX *hctx; -#else - HMAC_CTX hctx; -#endif unsigned int l; ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG); @@ -342,122 +324,176 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) if (tr->md == EVP_sha1 ()) { - clib_warning ("integrity checking with sha1"); + ikev2_elog_debug ("integrity checking with sha1"); } else if (tr->md == EVP_sha256 ()) { - clib_warning ("integrity checking with sha256"); + ikev2_elog_debug ("integrity checking with sha256"); } /* verify integrity of data */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - hctx = HMAC_CTX_new (); - HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (hctx, (const u8 *) data, len); - HMAC_Final (hctx, r, &l); - HMAC_CTX_free (hctx); -#else - HMAC_CTX_init (&hctx); - HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (&hctx, (const u8 *) data, len); - HMAC_Final (&hctx, r, &l); - HMAC_CTX_cleanup (&hctx); -#endif - + HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL); + HMAC_Update (ctx, (const u8 *) data, len); + HMAC_Final (ctx, r, &l); ASSERT (l == tr->key_len); return r; } -v8 * -ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) +static_always_inline void +ikev2_init_gcm_nonce (u8 * nonce, u8 * salt, u8 * iv) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_CIPHER_CTX *ctx; -#else - EVP_CIPHER_CTX ctx; -#endif - v8 *r; - int out_len = 0, block_size; - ikev2_sa_transform_t *tr_encr; + clib_memcpy (nonce, salt, IKEV2_GCM_SALT_SIZE); + clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE); +} + +int +ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, u8 * data, + int data_len, u8 * aad, u32 aad_len, u8 * tag, + u32 * out_len) +{ + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int len = 0; u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei; + u8 nonce[IKEV2_GCM_NONCE_SIZE]; + + if (data_len <= IKEV2_GCM_IV_SIZE) + /* runt data */ + return 0; + + /* extract salt from the end of the key */ + u8 *salt = key + vec_len (key) - IKEV2_GCM_SALT_SIZE; + ikev2_init_gcm_nonce (nonce, salt, data); + + data += IKEV2_GCM_IV_SIZE; + data_len -= IKEV2_GCM_IV_SIZE; + + EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0); + EVP_DecryptInit_ex (ctx, 0, 0, key, nonce); + EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len); + EVP_DecryptUpdate (ctx, data, &len, data, data_len); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag); - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); + if (EVP_DecryptFinal_ex (ctx, data + len, &len) > 0) + { + *out_len = data_len - data[data_len - 1] - 1; + return 1; + } + + return 0; +} + +int +ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, u8 * data, int len, + u32 * out_len) +{ + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int tmp_len = 0, block_size; + u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei; block_size = tr_encr->block_size; + u8 *iv = data; /* check if data is multiplier of cipher block size */ if (len % block_size) { - clib_warning ("wrong data length"); + ikev2_elog_error ("wrong data length"); return 0; } + data += block_size; + len -= block_size; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = EVP_CIPHER_CTX_new (); -#else - EVP_CIPHER_CTX_init (&ctx); -#endif + EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv); + EVP_CIPHER_CTX_set_padding (ctx, 0); + EVP_DecryptUpdate (ctx, data, &tmp_len, data, len); - r = vec_new (u8, len - block_size); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data); - EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size); - EVP_DecryptFinal_ex (ctx, r + out_len, &out_len); -#else - EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data); - EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size); - EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len); -#endif - /* remove padding */ - _vec_len (r) -= r[vec_len (r) - 1] + 1; + if (EVP_DecryptFinal_ex (ctx, data + tmp_len, &tmp_len) > 0) + { + *out_len = len - data[len - 1] - 1; + return 1; + } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_CIPHER_CTX_free (ctx); -#else - EVP_CIPHER_CTX_cleanup (&ctx); -#endif - return r; + return 0; } int -ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) +ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, + v8 * src, u8 * dst, u8 * aad, u32 aad_len, u8 * tag) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_CIPHER_CTX *ctx; -#else - EVP_CIPHER_CTX ctx; -#endif - int out_len; - int bs; - ikev2_sa_transform_t *tr_encr; + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int out_len = 0, len = 0; + u8 nonce[IKEV2_GCM_NONCE_SIZE]; u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er; + if (!key) + return 0; + + /* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */ + RAND_bytes (dst, IKEV2_GCM_IV_SIZE); + ikev2_init_gcm_nonce (nonce, key + vec_len (key) - IKEV2_GCM_SALT_SIZE, + dst); + dst += IKEV2_GCM_IV_SIZE; + + EVP_EncryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL); + EVP_EncryptInit_ex (ctx, 0, 0, key, nonce); + EVP_EncryptUpdate (ctx, NULL, &out_len, aad, aad_len); + EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src)); + EVP_EncryptFinal_ex (ctx, dst + out_len, &len); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); + out_len += len; + ASSERT (vec_len (src) == out_len); - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - bs = tr_encr->block_size; + return out_len + IKEV2_GCM_IV_SIZE; +} + +int +ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst) +{ + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int out_len = 0, len = 0; + int bs = tr_encr->block_size; + u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er; + if (!key) + return 0; /* generate IV */ - RAND_bytes (dst, bs); + u8 *iv = dst; + RAND_bytes (iv, bs); + dst += bs; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = EVP_CIPHER_CTX_new (); - EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); - EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src)); - EVP_CIPHER_CTX_free (ctx); -#else - EVP_CIPHER_CTX_init (&ctx); - EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); - EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src)); - EVP_CIPHER_CTX_cleanup (&ctx); -#endif + EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv); + /* disable padding as pad data were added before */ + EVP_CIPHER_CTX_set_padding (ctx, 0); + EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src)); + EVP_EncryptFinal_ex (ctx, dst + out_len, &len); + out_len += len; ASSERT (vec_len (src) == out_len); return out_len + bs; } +#ifndef BN_bn2binpad +int +BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen) +{ + int r = BN_bn2bin (a, to); + ASSERT (tolen >= r); + int pad = tolen - r; + if (pad) + { + vec_insert (to, pad, 0); + clib_memset (to, 0, pad); + vec_dec_len (to, pad); + } + return tolen; +} +#endif + void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) { @@ -486,13 +522,13 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_private_key = vec_new (u8, t->key_len); #if OPENSSL_VERSION_NUMBER >= 0x10100000L DH_get0_key (dh, &pub_key, &priv_key); - r = BN_bn2bin (pub_key, sa->i_dh_data); + r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len); ASSERT (r == t->key_len); - r = BN_bn2bin (priv_key, sa->dh_private_key); + r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len); #else - r = BN_bn2bin (dh->pub_key, sa->i_dh_data); + r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len); ASSERT (r == t->key_len); - r = BN_bn2bin (dh->priv_key, sa->dh_private_key); + r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len); #endif ASSERT (r == t->key_len); } @@ -501,9 +537,9 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->r_dh_data = vec_new (u8, t->key_len); #if OPENSSL_VERSION_NUMBER >= 0x10100000L DH_get0_key (dh, &pub_key, &priv_key); - r = BN_bn2bin (pub_key, sa->r_dh_data); + r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len); #else - r = BN_bn2bin (dh->pub_key, sa->r_dh_data); + r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len); #endif ASSERT (r == t->key_len); @@ -511,7 +547,14 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL); r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); + ASSERT (t->key_len >= r); + int pad = t->key_len - r; + if (pad) + { + vec_insert (sa->dh_shared_key, pad, 0); + clib_memset (sa->dh_shared_key, 0, pad); + vec_dec_len (sa->dh_shared_key, pad); + } BN_clear_free (ex); } DH_free (dh); @@ -630,7 +673,14 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL); r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); + ASSERT (t->key_len >= r); + int pad = t->key_len - r; + if (pad) + { + vec_insert (sa->dh_shared_key, pad, 0); + clib_memset (sa->dh_shared_key, 0, pad); + vec_dec_len (sa->dh_shared_key, pad); + } BN_clear_free (ex); DH_free (dh); } @@ -772,7 +822,7 @@ ikev2_load_cert_file (u8 * file) fp = fopen ((char *) file, "r"); if (!fp) { - clib_warning ("open %s failed", file); + ikev2_log_error ("open %s failed", file); goto end; } @@ -780,13 +830,14 @@ ikev2_load_cert_file (u8 * file) fclose (fp); if (x509 == NULL) { - clib_warning ("read cert %s failed", file); + ikev2_log_error ("read cert %s failed", file); goto end; } pkey = X509_get_pubkey (x509); + X509_free (x509); if (pkey == NULL) - clib_warning ("get pubkey %s failed", file); + ikev2_log_error ("get pubkey %s failed", file); end: return pkey; @@ -801,14 +852,14 @@ ikev2_load_key_file (u8 * file) fp = fopen ((char *) file, "r"); if (!fp) { - clib_warning ("open %s failed", file); + ikev2_log_error ("open %s failed", file); goto end; } pkey = PEM_read_PrivateKey (fp, NULL, NULL, NULL); fclose (fp); if (pkey == NULL) - clib_warning ("read %s failed", file); + ikev2_log_error ("read %s failed", file); end: return pkey;