lib: Changes to support hash algo in keychain.

Problem Statement: ================== Currently there is no support for configuring hash algorithm in keychain. RCA: ==== Not implemented yet. Fix: ==== Changes are done to configure hash algorithm as part of keychain. which will easy the configuration from modules using keychain. Risk: ===== Low risk Tests Executed: =============== Have tested the configuration and unconfiguration flow for newly implemented CLI. ! key chain abcd key 100 key-string password cryptographic-algorithm sha1 exit key 200 key-string password cryptographic-algorithm sha256 exit ! Signed-off-by: Abhinay Ramesh <rabhinay@vmware.com>
author: Abhinay Ramesh <rabhinay@vmware.com> 2021-05-11 10:00:38 +0000
committer: Abhinay Ramesh <rabhinay@vmware.com> 2022-02-09 01:49:14 +0000
commit: 72000880b02706f2375095e5ecad9f939840d62b (patch)
tree: 1494048325a9d7d19f54746d525c0410159a1b03 /lib/keychain.c
parent: 166f9103d3e97f84d32e0e176beac79daa0b1d33 (diff)
1 files changed, 137 insertions, 0 deletions
diff --git a/lib/keychain.c b/lib/keychain.c
index 1d678b949e..6b03fbd560 100644
--- a/lib/keychain.c
+++ b/lib/keychain.c
@@ -18,6 +18,7 @@
  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include "config.h"
 #include <zebra.h>
 
 #include "command.h"
@@ -207,6 +208,7 @@ static struct key *key_get(const struct keychain *keychain, uint32_t index)
 
 	key = key_new();
 	key->index = index;
+	key->hash_algo = KEYCHAIN_ALGO_NULL;
 	listnode_add_sort(keychain->key, key);
 
 	return key;
@@ -336,6 +338,133 @@ DEFUN (no_key_string,
 	return CMD_SUCCESS;
 }
 
+const struct keychain_algo_info algo_info[] = {
+	{KEYCHAIN_ALGO_NULL, "null", 0, 0, "NULL"},
+	{KEYCHAIN_ALGO_MD5, "md5", KEYCHAIN_MD5_HASH_SIZE,
+	 KEYCHAIN_ALGO_MD5_INTERNAL_BLK_SIZE, "MD5"},
+	{KEYCHAIN_ALGO_HMAC_SHA1, "hmac-sha-1", KEYCHAIN_HMAC_SHA1_HASH_SIZE,
+	 KEYCHAIN_ALGO_SHA1_INTERNAL_BLK_SIZE, "HMAC-SHA-1"},
+	{KEYCHAIN_ALGO_HMAC_SHA256, "hmac-sha-256",
+	 KEYCHAIN_HMAC_SHA256_HASH_SIZE, KEYCHAIN_ALGO_SHA256_INTERNAL_BLK_SIZE,
+	 "HMAC-SHA-256"},
+	{KEYCHAIN_ALGO_HMAC_SHA384, "hmac-sha-384",
+	 KEYCHAIN_HMAC_SHA384_HASH_SIZE, KEYCHAIN_ALGO_SHA384_INTERNAL_BLK_SIZE,
+	 "HMAC-SHA-384"},
+	{KEYCHAIN_ALGO_HMAC_SHA512, "hmac-sha-512",
+	 KEYCHAIN_HMAC_SHA512_HASH_SIZE, KEYCHAIN_ALGO_SHA512_INTERNAL_BLK_SIZE,
+	 "HMAC-SHA-512"},
+	{KEYCHAIN_ALGO_MAX, "max", KEYCHAIN_MAX_HASH_SIZE,
+	 KEYCHAIN_ALGO_MAX_INTERNAL_BLK_SIZE, "Not defined"}
+};
+
+uint32_t keychain_get_block_size(enum keychain_hash_algo key)
+{
+	return algo_info[key].block;
+}
+
+uint32_t keychain_get_hash_len(enum keychain_hash_algo key)
+{
+	return algo_info[key].length;
+}
+
+const char *keychain_get_description(enum keychain_hash_algo key)
+{
+	return algo_info[key].desc;
+}
+
+struct keychain_algo_info
+keychain_get_hash_algo_info(enum keychain_hash_algo key)
+{
+	return algo_info[key];
+}
+
+enum keychain_hash_algo keychain_get_algo_id_by_name(const char *name)
+{
+#ifdef CRYPTO_INTERNAL
+	if (!strncmp(name, "hmac-sha-2", 10))
+		return KEYCHAIN_ALGO_HMAC_SHA256;
+	else if (!strncmp(name, "m", 1))
+		return KEYCHAIN_ALGO_MD5;
+	else
+		return KEYCHAIN_ALGO_NULL;
+#else
+	if (!strncmp(name, "m", 1))
+		return KEYCHAIN_ALGO_MD5;
+	else if (!strncmp(name, "hmac-sha-1", 10))
+		return KEYCHAIN_ALGO_HMAC_SHA1;
+	else if (!strncmp(name, "hmac-sha-2", 10))
+		return KEYCHAIN_ALGO_HMAC_SHA256;
+	else if (!strncmp(name, "hmac-sha-3", 10))
+		return KEYCHAIN_ALGO_HMAC_SHA384;
+	else if (!strncmp(name, "hmac-sha-5", 10))
+		return KEYCHAIN_ALGO_HMAC_SHA512;
+	else
+		return KEYCHAIN_ALGO_NULL;
+#endif
+}
+
+const char *keychain_get_algo_name_by_id(enum keychain_hash_algo key)
+{
+	return algo_info[key].name;
+}
+
+DEFUN(cryptographic_algorithm, cryptographic_algorithm_cmd,
+      "cryptographic-algorithm "
+      "<md5|hmac-sha-1|hmac-sha-256|hmac-sha-384|hmac-sha-512>",
+      "Cryptographic-algorithm\n"
+      "Use MD5 algorithm\n"
+      "Use HMAC-SHA-1 algorithm\n"
+      "Use HMAC-SHA-256 algorithm\n"
+      "Use HMAC-SHA-384 algorithm\n"
+      "Use HMAC-SHA-512 algorithm\n")
+{
+	int algo_idx = 1;
+	uint8_t hash_algo = KEYCHAIN_ALGO_NULL;
+
+	VTY_DECLVAR_CONTEXT_SUB(key, key);
+	hash_algo = keychain_get_algo_id_by_name(argv[algo_idx]->arg);
+#ifndef CRYPTO_OPENSSL
+	if (hash_algo == KEYCHAIN_ALGO_NULL) {
+		vty_out(vty,
+			"Hash algorithm not supported, compile with --with-crypto=openssl\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
+#endif /* CRYPTO_OPENSSL */
+	key->hash_algo = hash_algo;
+	return CMD_SUCCESS;
+}
+
+DEFUN(no_cryptographic_algorithm, no_cryptographic_algorithm_cmd,
+      "no cryptographic-algorithm "
+      "[<md5|hmac-sha-1|hmac-sha-256|hmac-sha-384|hmac-sha-512>]",
+      NO_STR
+      "Cryptographic-algorithm\n"
+      "Use MD5 algorithm\n"
+      "Use HMAC-SHA-1 algorithm\n"
+      "Use HMAC-SHA-256 algorithm\n"
+      "Use HMAC-SHA-384 algorithm\n"
+      "Use HMAC-SHA-512 algorithm\n")
+{
+	int algo_idx = 2;
+	uint8_t hash_algo = KEYCHAIN_ALGO_NULL;
+
+	VTY_DECLVAR_CONTEXT_SUB(key, key);
+	if (argc > algo_idx) {
+		hash_algo = keychain_get_algo_id_by_name(argv[algo_idx]->arg);
+		if (hash_algo == KEYCHAIN_ALGO_NULL) {
+			vty_out(vty,
+				"Hash algorithm not supported, try compiling with --with-crypto=openssl\n");
+			return CMD_WARNING_CONFIG_FAILED;
+		}
+	}
+
+	if ((hash_algo != KEYCHAIN_ALGO_NULL) && (hash_algo != key->hash_algo))
+		return CMD_SUCCESS;
+
+	key->hash_algo = KEYCHAIN_ALGO_NULL;
+	return CMD_SUCCESS;
+}
+
 /* Convert HH:MM:SS MON DAY YEAR to time_t value.  -1 is returned when
    given string is malformed. */
 static time_t key_str2time(const char *time_str, const char *day_str,
@@ -1004,6 +1133,11 @@ static int keychain_config_write(struct vty *vty)
 			if (key->string)
 				vty_out(vty, "  key-string %s\n", key->string);
 
+			if (key->hash_algo != KEYCHAIN_ALGO_NULL)
+				vty_out(vty, "  cryptographic-algorithm %s\n",
+					keychain_get_algo_name_by_id(
+						key->hash_algo));
+
 			if (key->accept.start) {
 				keychain_strftime(buf, BUFSIZ,
 						  &key->accept.start);
@@ -1051,6 +1185,7 @@ static int keychain_config_write(struct vty *vty)
 	return 0;
 }
 
+
 static void keychain_active_config(vector comps, struct cmd_token *token)
 {
 	struct keychain *keychain;
@@ -1131,4 +1266,6 @@ void keychain_init(void)
 	install_element(KEYCHAIN_KEY_NODE,
 			&send_lifetime_duration_month_day_cmd);
 	install_element(KEYCHAIN_KEY_NODE, &no_send_lifetime_cmd);
+	install_element(KEYCHAIN_KEY_NODE, &cryptographic_algorithm_cmd);
+	install_element(KEYCHAIN_KEY_NODE, &no_cryptographic_algorithm_cmd);
 }
author	Abhinay Ramesh <rabhinay@vmware.com>	2021-05-11 10:00:38 +0000
committer	Abhinay Ramesh <rabhinay@vmware.com>	2022-02-09 01:49:14 +0000
commit	72000880b02706f2375095e5ecad9f939840d62b (patch)
tree	1494048325a9d7d19f54746d525c0410159a1b03 /lib/keychain.c
parent	166f9103d3e97f84d32e0e176beac79daa0b1d33 (diff)