aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
authorMarco Varlese <marco.varlese@suse.com>2017-11-09 15:16:20 +0100
committerDamjan Marion <dmarion.lists@gmail.com>2017-11-10 20:24:00 +0000
commitf616d10d04d5c444e20e617841a54cfb2c58d07d (patch)
tree5af3062476065673d67009bbf5fd76ba28eb99ac /src/vnet/ipsec
parent6a6f4f7fe777dc77f8496fae1fc1075372ad16b6 (diff)
Allow Openssl 1.1.0
This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese <marco.varlese@suse.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/esp.h24
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/esp_encrypt.c4
-rw-r--r--src/vnet/ipsec/ikev2.c4
-rw-r--r--src/vnet/ipsec/ikev2_crypto.c135
5 files changed, 159 insertions, 12 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index bc67f9d0783..d9ab1d855a8 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -63,11 +63,23 @@ typedef struct
typedef struct
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *encrypt_ctx;
+#else
EVP_CIPHER_CTX encrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *decrypt_ctx;
+#else
EVP_CIPHER_CTX decrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hmac_ctx;
+#else
HMAC_CTX hmac_ctx;
+#endif
ipsec_crypto_alg_t last_encrypt_alg;
ipsec_crypto_alg_t last_decrypt_alg;
ipsec_integ_alg_t last_integ_alg;
@@ -273,9 +285,15 @@ esp_init ()
for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
+#endif
}
}
@@ -287,7 +305,11 @@ hmac_calc (ipsec_integ_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx;
+#else
HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
+#endif
const EVP_MD *md = NULL;
unsigned int len;
@@ -302,7 +324,7 @@ hmac_calc (ipsec_integ_alg_t alg,
em->per_thread_data[thread_index].last_integ_alg = alg;
}
- HMAC_Init (ctx, key, key_len, md);
+ HMAC_Init_ex (ctx, key, key_len, md, NULL);
HMAC_Update (ctx, data, data_len);
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index de4cc6dd4dd..81ebbe55301 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -86,7 +86,11 @@ esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
+#endif
const EVP_CIPHER *cipher = NULL;
int out_len;
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index b6ee25808b6..7bf1256acca 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -90,7 +90,11 @@ esp_encrypt_aes_cbc (ipsec_crypto_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].encrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx);
+#endif
const EVP_CIPHER *cipher = NULL;
int out_len;
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 49bae17f730..34ab87c3e56 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3030,7 +3030,11 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+#else
sa.i_auth.key = vec_dup (p->auth.key);
+#endif
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c
index ca56158f898..32e687e37c0 100644
--- a/src/vnet/ipsec/ikev2_crypto.c
+++ b/src/vnet/ipsec/ikev2_crypto.c
@@ -25,6 +25,7 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
/* from RFC7296 */
static const char modp_dh_768_prime[] =
@@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] =
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx;
+#else
HMAC_CTX ctx;
+#endif
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = HMAC_CTX_new ();
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, data, vec_len (data));
+ HMAC_Final (ctx, prf, &len);
+#else
HMAC_CTX_init (&ctx);
HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&ctx, data, vec_len (data));
HMAC_Final (&ctx, prf, &len);
HMAC_CTX_cleanup (&ctx);
-
+#endif
ASSERT (len == tr->key_trunc);
return prf;
@@ -317,7 +328,11 @@ v8 *
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hctx;
+#else
HMAC_CTX hctx;
+#endif
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
@@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
r = vec_new (u8, tr->key_len);
/* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ hctx = HMAC_CTX_new ();
+ HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (hctx, (const u8 *) data, len);
+ HMAC_Final (hctx, r, &l);
+#else
HMAC_CTX_init (&hctx);
- HMAC_Init (&hctx, key, vec_len (key), tr->md);
+ HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&hctx, (const u8 *) data, len);
HMAC_Final (&hctx, r, &l);
HMAC_CTX_cleanup (&hctx);
+#endif
ASSERT (l == tr->key_len);
@@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
v8 *r;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
@@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&ctx);
+#endif
+
r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+ EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+ EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-
+#endif
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
@@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
/* generate IV */
RAND_bytes (dst, bs);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+ EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
EVP_CIPHER_CTX_init (&ctx);
-
EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
-
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
ASSERT (vec_len (src) == out_len);
@@ -401,30 +448,54 @@ void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *pub_key = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+#endif
DH_generate_key (dh);
if (sa->is_initiator)
{
sa->i_dh_data = vec_new (u8, t->key_len);
+ sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ r = BN_bn2bin (priv_key, sa->dh_private_key);
+ DH_set0_key (dh, pub_key, priv_key);
+#else
r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
ASSERT (r == t->key_len);
-
- sa->dh_private_key = vec_new (u8, t->key_len);
r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
ASSERT (r == t->key_len);
-
+#endif
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ DH_set0_key (dh, pub_key, NULL);
+#else
r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
ASSERT (r == t->key_len);
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
@@ -509,15 +580,31 @@ void
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+
+ priv_key =
+ BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+ DH_set0_key (dh, NULL, priv_key);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+
dh->priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
-
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
@@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
- EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_VerifyInit (md_ctx, EVP_sha1 ());
+ EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+ EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#endif
}
u8 *
ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
unsigned int sig_len = 0;
u8 *sign;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_SignInit (md_ctx, EVP_sha1 ());
+ EVP_SignUpdate (md_ctx, data, vec_len (data));
+ /* get sign len */
+ EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+ sign = vec_new (u8, sig_len);
+ /* calc sign */
+ EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
/* get sign len */
@@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
-
+#endif
return sign;
}