summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/esp.h24
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/esp_encrypt.c4
-rw-r--r--src/vnet/ipsec/ikev2.c4
-rw-r--r--src/vnet/ipsec/ikev2_crypto.c135
5 files changed, 159 insertions, 12 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index bc67f9d0783..d9ab1d855a8 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -63,11 +63,23 @@ typedef struct
typedef struct
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *encrypt_ctx;
+#else
EVP_CIPHER_CTX encrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *decrypt_ctx;
+#else
EVP_CIPHER_CTX decrypt_ctx;
+#endif
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hmac_ctx;
+#else
HMAC_CTX hmac_ctx;
+#endif
ipsec_crypto_alg_t last_encrypt_alg;
ipsec_crypto_alg_t last_decrypt_alg;
ipsec_integ_alg_t last_integ_alg;
@@ -273,9 +285,15 @@ esp_init ()
for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ em->per_thread_data[thread_id].encrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].decrypt_ctx = EVP_CIPHER_CTX_new ();
+ em->per_thread_data[thread_id].hmac_ctx = HMAC_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
+#endif
}
}
@@ -287,7 +305,11 @@ hmac_calc (ipsec_integ_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx = em->per_thread_data[thread_index].hmac_ctx;
+#else
HMAC_CTX *ctx = &(em->per_thread_data[thread_index].hmac_ctx);
+#endif
const EVP_MD *md = NULL;
unsigned int len;
@@ -302,7 +324,7 @@ hmac_calc (ipsec_integ_alg_t alg,
em->per_thread_data[thread_index].last_integ_alg = alg;
}
- HMAC_Init (ctx, key, key_len, md);
+ HMAC_Init_ex (ctx, key, key_len, md, NULL);
HMAC_Update (ctx, data, data_len);
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index de4cc6dd4dd..81ebbe55301 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -86,7 +86,11 @@ esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
+#endif
const EVP_CIPHER *cipher = NULL;
int out_len;
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index b6ee25808b6..7bf1256acca 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -90,7 +90,11 @@ esp_encrypt_aes_cbc (ipsec_crypto_alg_t alg,
{
esp_main_t *em = &esp_main;
u32 thread_index = vlib_get_thread_index ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].encrypt_ctx;
+#else
EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].encrypt_ctx);
+#endif
const EVP_CIPHER *cipher = NULL;
int out_len;
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 49bae17f730..34ab87c3e56 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3030,7 +3030,11 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+#else
sa.i_auth.key = vec_dup (p->auth.key);
+#endif
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c
index ca56158f898..32e687e37c0 100644
--- a/src/vnet/ipsec/ikev2_crypto.c
+++ b/src/vnet/ipsec/ikev2_crypto.c
@@ -25,6 +25,7 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
/* from RFC7296 */
static const char modp_dh_768_prime[] =
@@ -255,17 +256,27 @@ static const char modp_dh_2048_256_generator[] =
v8 *
ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx;
+#else
HMAC_CTX ctx;
+#endif
v8 *prf;
unsigned int len = 0;
prf = vec_new (u8, tr->key_trunc);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = HMAC_CTX_new ();
+ HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (ctx, data, vec_len (data));
+ HMAC_Final (ctx, prf, &len);
+#else
HMAC_CTX_init (&ctx);
HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&ctx, data, vec_len (data));
HMAC_Final (&ctx, prf, &len);
HMAC_CTX_cleanup (&ctx);
-
+#endif
ASSERT (len == tr->key_trunc);
return prf;
@@ -317,7 +328,11 @@ v8 *
ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
{
v8 *r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *hctx;
+#else
HMAC_CTX hctx;
+#endif
unsigned int l;
ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG);
@@ -325,11 +340,18 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
r = vec_new (u8, tr->key_len);
/* verify integrity of data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ hctx = HMAC_CTX_new ();
+ HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL);
+ HMAC_Update (hctx, (const u8 *) data, len);
+ HMAC_Final (hctx, r, &l);
+#else
HMAC_CTX_init (&hctx);
- HMAC_Init (&hctx, key, vec_len (key), tr->md);
+ HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL);
HMAC_Update (&hctx, (const u8 *) data, len);
HMAC_Final (&hctx, r, &l);
HMAC_CTX_cleanup (&hctx);
+#endif
ASSERT (l == tr->key_len);
@@ -339,7 +361,11 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len)
v8 *
ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
v8 *r;
int out_len = 0, block_size;
ikev2_sa_transform_t *tr_encr;
@@ -356,23 +382,40 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len)
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+#else
EVP_CIPHER_CTX_init (&ctx);
+#endif
+
r = vec_new (u8, len - block_size);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
+ EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
+ EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
+#else
EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len);
-
+#endif
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
return r;
}
int
ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_CIPHER_CTX *ctx;
+#else
EVP_CIPHER_CTX ctx;
+#endif
int out_len;
int bs;
ikev2_sa_transform_t *tr_encr;
@@ -385,12 +428,16 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
/* generate IV */
RAND_bytes (dst, bs);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ctx = EVP_CIPHER_CTX_new ();
+ EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
+ EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src));
+#else
EVP_CIPHER_CTX_init (&ctx);
-
EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ );
EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src));
-
EVP_CIPHER_CTX_cleanup (&ctx);
+#endif
ASSERT (vec_len (src) == out_len);
@@ -401,30 +448,54 @@ void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *pub_key = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+#endif
DH_generate_key (dh);
if (sa->is_initiator)
{
sa->i_dh_data = vec_new (u8, t->key_len);
+ sa->dh_private_key = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ r = BN_bn2bin (priv_key, sa->dh_private_key);
+ DH_set0_key (dh, pub_key, priv_key);
+#else
r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
ASSERT (r == t->key_len);
-
- sa->dh_private_key = vec_new (u8, t->key_len);
r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
ASSERT (r == t->key_len);
-
+#endif
}
else
{
sa->r_dh_data = vec_new (u8, t->key_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ r = BN_bn2bin (pub_key, sa->i_dh_data);
+ ASSERT (r == t->key_len);
+ DH_set0_key (dh, pub_key, NULL);
+#else
r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
ASSERT (r == t->key_len);
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
@@ -509,15 +580,31 @@ void
ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
int r;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *p = BN_new ();
+ BIGNUM *q = BN_new ();
+ BIGNUM *g = BN_new ();
+ BIGNUM *priv_key = BN_new ();
+#endif
if (t->dh_group == IKEV2_DH_GROUP_MODP)
{
DH *dh = DH_new ();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_hex2bn (&p, t->dh_p);
+ BN_hex2bn (&g, t->dh_g);
+ DH_set0_pqg (dh, p, q, g);
+
+ priv_key =
+ BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
+ DH_set0_key (dh, NULL, priv_key);
+#else
BN_hex2bn (&dh->p, t->dh_p);
BN_hex2bn (&dh->g, t->dh_g);
+
dh->priv_key =
BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL);
-
+#endif
BIGNUM *ex;
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
@@ -582,21 +669,47 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
int
ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
- EVP_VerifyInit (&md_ctx, EVP_sha1 ());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_VerifyInit (md_ctx, EVP_sha1 ());
+ EVP_VerifyUpdate (md_ctx, data, vec_len (data));
+#else
+ EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL);
EVP_VerifyUpdate (&md_ctx, data, vec_len (data));
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#else
return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey);
+#endif
}
u8 *
ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+#else
EVP_MD_CTX md_ctx;
+#endif
unsigned int sig_len = 0;
u8 *sign;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_SignInit (md_ctx, EVP_sha1 ());
+ EVP_SignUpdate (md_ctx, data, vec_len (data));
+ /* get sign len */
+ EVP_SignFinal (md_ctx, NULL, &sig_len, pkey);
+ sign = vec_new (u8, sig_len);
+ /* calc sign */
+ EVP_SignFinal (md_ctx, sign, &sig_len, pkey);
+#else
EVP_SignInit (&md_ctx, EVP_sha1 ());
EVP_SignUpdate (&md_ctx, data, vec_len (data));
/* get sign len */
@@ -604,7 +717,7 @@ ikev2_calc_sign (EVP_PKEY * pkey, u8 * data)
sign = vec_new (u8, sig_len);
/* calc sign */
EVP_SignFinal (&md_ctx, sign, &sig_len, pkey);
-
+#endif
return sign;
}