summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ikev2_crypto.c
diff options
context:
space:
mode:
authorMarco Varlese <marco.varlese@suse.com>2017-11-09 15:16:20 +0100
committerDamjan Marion <dmarion.lists@gmail.com>2017-11-10 20:24:00 +0000
commitf616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet/ipsec/ikev2_crypto.c
parent6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)
Allow Openssl 1.1.0
This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese <marco.varlese@suse.com>
Diffstat (limited to 'src/vnet/ipsec/ikev2_crypto.c')
-rw-r--r--src/vnet/ipsec/ikev2_crypto.c135
1 files changed, 124 insertions, 11 deletions
diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c
index ca56158f898..32e687e37c0 100644
--- a/src/vnet/ipsec/ikev2_crypto.c
+++ b/src/vnet/ipsec/ikev2_crypto.c
@@ -25,6 +25,7 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
/* from RFC7296 */
static const char modp_dh_768_prime[] =
@@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] =
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx;
+#else
HMAC_CTX ctx;
+#endif
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = HMAC_CTX_new ();
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, data, vec_len (data));
+ HMAC_Final (ctx, prf, &len);
+#else
HMAC_CTX_init (&ctx);
HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&ctx, data, vec_len (data));
HMAC_Final (&ctx, prf, &len);
HMAC_CTX_cleanup (&ctx);
-
+#endif
ASSERT (len == tr->key_trunc);
return prf;
@@ -317,7 +328,11 @@ v8 *
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hctx;
+#else
HMAC_CTX hctx;
+#endif
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
@@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
r = vec_new (u8, tr->key_len);
/* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ hctx = HMAC_CTX_new ();
+ HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (hctx, (const u8 *) data, len);
+ HMAC_Final (hctx, r, &l);
+#else
HMAC_CTX_init (&hctx);
- HMAC_Init (&hctx, key, vec_len (key), tr->md);
+ HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&hctx, (const u8 *) data, len);
HMAC_Final (&hctx, r, &l);
HMAC_CTX_cleanup (&hctx);
+#endif
ASSERT (l == tr->key_len);
@@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
v8 *r;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
@@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&ctx);
+#endif
+
r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+ EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+ EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-
+#endif
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
@@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
/* generate IV */
RAND_bytes (dst, bs);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+ EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
EVP_CIPHER_CTX_init (&ctx);
-
EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
-
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
ASSERT (vec_len (src) == out_len);
@@ -401,30 +448,54 @@ void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *pub_key = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+#endif
DH_generate_key (dh);
if (sa->is_initiator)
{
sa->i_dh_data = vec_new (u8, t->key_len);
+ sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ r = BN_bn2bin (priv_key, sa->dh_private_key);
+ DH_set0_key (dh, pub_key, priv_key);
+#else
r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
ASSERT (r == t->key_len);
-
- sa->dh_private_key = vec_new (u8, t->key_len);
r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
ASSERT (r == t->key_len);
-
+#endif
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ DH_set0_key (dh, pub_key, NULL);
+#else
r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
ASSERT (r == t->key_len);
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
@@ -509,15 +580,31 @@ void
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+
+ priv_key =
+ BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+ DH_set0_key (dh, NULL, priv_key);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+
dh->priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
-
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
@@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
- EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_VerifyInit (md_ctx, EVP_sha1 ());
+ EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+ EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#endif
}
u8 *
ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
unsigned int sig_len = 0;
u8 *sign;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_SignInit (md_ctx, EVP_sha1 ());
+ EVP_SignUpdate (md_ctx, data, vec_len (data));
+ /* get sign len */
+ EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+ sign = vec_new (u8, sig_len);
+ /* calc sign */
+ EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
/* get sign len */
@@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
-
+#endif
return sign;
}