From a7b963df2758d7c25de366db1999ca1024e12d30 Mon Sep 17 00:00:00 2001 From: Filip Tehlar Date: Wed, 8 Jul 2020 13:25:34 +0000 Subject: ikev2: add support for AES-GCM cipher in IKE Type: feature Ticket: VPP-1920 Change-Id: I6e30f3594cb30553f3ca5a35e0a4f679325aacec Signed-off-by: Filip Tehlar --- src/plugins/ikev2/ikev2_crypto.c | 123 +++++++++++++++++++++++++++++---------- 1 file changed, 92 insertions(+), 31 deletions(-) (limited to 'src/plugins/ikev2/ikev2_crypto.c') diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c index 5a07bde9b0a..b1fdf890e08 100644 --- a/src/plugins/ikev2/ikev2_crypto.c +++ b/src/plugins/ikev2/ikev2_crypto.c @@ -256,10 +256,7 @@ static const char modp_dh_2048_256_generator[] = v8 * ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data) { - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - ikev2_main_per_thread_data_t *ptd = - vec_elt_at_index (km->per_thread_data, thread_index); + ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data (); HMAC_CTX *ctx = ptd->hmac_ctx; v8 *prf; unsigned int len = 0; @@ -318,10 +315,7 @@ ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed, int len) v8 * ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) { - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - ikev2_main_per_thread_data_t *ptd = - vec_elt_at_index (km->per_thread_data, thread_index); + ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data (); HMAC_CTX *ctx = ptd->hmac_ctx; v8 *r; unsigned int l; @@ -348,20 +342,60 @@ ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) return r; } +static_always_inline void +ikev2_init_gcm_nonce (u8 * nonce, u8 * salt, u8 * iv) +{ + clib_memcpy (nonce, salt, IKEV2_GCM_SALT_SIZE); + clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE); +} + +u8 * +ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, u8 * data, + int data_len, u8 * aad, u32 aad_len, u8 * tag) +{ + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int len = 0; + u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei; + u8 nonce[IKEV2_GCM_NONCE_SIZE]; + + if (data_len <= IKEV2_GCM_IV_SIZE) + /* runt data */ + return 0; + + /* extract salt from the end of the key */ + u8 *salt = key + vec_len (key) - IKEV2_GCM_SALT_SIZE; + ikev2_init_gcm_nonce (nonce, salt, data); + + data += IKEV2_GCM_IV_SIZE; + data_len -= IKEV2_GCM_IV_SIZE; + v8 *r = vec_new (u8, data_len); + + EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0); + EVP_DecryptInit_ex (ctx, 0, 0, key, nonce); + EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len); + EVP_DecryptUpdate (ctx, r, &len, data, data_len); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag); + + if (EVP_DecryptFinal_ex (ctx, r + len, &len) > 0) + { + /* remove padding */ + _vec_len (r) -= r[vec_len (r) - 1] + 1; + return r; + } + + vec_free (r); + return 0; +} + v8 * -ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) +ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, u8 * data, int len) { - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - ikev2_main_per_thread_data_t *ptd = - vec_elt_at_index (km->per_thread_data, thread_index); EVP_CIPHER_CTX *ctx = ptd->evp_ctx; int out_len = 0, block_size; - ikev2_sa_transform_t *tr_encr; u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei; - - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); block_size = tr_encr->block_size; /* check if data is multiplier of cipher block size */ @@ -382,28 +416,55 @@ ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) } int -ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) +ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, + v8 * src, u8 * dst, u8 * aad, u32 aad_len, u8 * tag) { - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - ikev2_main_per_thread_data_t *ptd = - vec_elt_at_index (km->per_thread_data, thread_index); EVP_CIPHER_CTX *ctx = ptd->evp_ctx; - int out_len; - int bs; - ikev2_sa_transform_t *tr_encr; + int out_len = 0, len = 0; + u8 nonce[IKEV2_GCM_NONCE_SIZE]; u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er; - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - bs = tr_encr->block_size; + /* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */ + RAND_bytes (dst, IKEV2_GCM_IV_SIZE); + ikev2_init_gcm_nonce (nonce, key + vec_len (key) - IKEV2_GCM_SALT_SIZE, + dst); + dst += IKEV2_GCM_IV_SIZE; + + EVP_EncryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL); + EVP_EncryptInit_ex (ctx, 0, 0, key, nonce); + EVP_EncryptUpdate (ctx, NULL, &out_len, aad, aad_len); + EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src)); + EVP_EncryptFinal_ex (ctx, dst + out_len, &len); + EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); + out_len += len; + ASSERT (vec_len (src) == out_len); + + return out_len + IKEV2_GCM_IV_SIZE; +} + +int +ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa, + ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst) +{ + EVP_CIPHER_CTX *ctx = ptd->evp_ctx; + int out_len = 0, len = 0; + int bs = tr_encr->block_size; + u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er; /* generate IV */ - RAND_bytes (dst, bs); + u8 *iv = dst; + RAND_bytes (iv, bs); + dst += bs; - EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); - EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src)); + EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv); + /* disable padding as pad data were added before */ + EVP_CIPHER_CTX_set_padding (ctx, 0); + EVP_EncryptUpdate (ctx, dst, &out_len, src, vec_len (src)); + EVP_EncryptFinal_ex (ctx, dst + out_len, &len); + out_len += len; ASSERT (vec_len (src) == out_len); return out_len + bs; -- cgit 1.2.3-korg