tests: python3 changes for span and aclplugin test
[vpp.git] / src / plugins / ikev2 / ikev2.c
index e7b2f92..e90f5a3 100644 (file)
@@ -389,8 +389,9 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
   sa->iaddr.as_u32 = sai->iaddr.as_u32;
   sa->raddr.as_u32 = sai->raddr.as_u32;
   sa->is_initiator = sai->is_initiator;
-  sa->profile = sai->profile;
   sa->i_id.type = sai->i_id.type;
+  sa->profile_index = sai->profile_index;
+  sa->is_profile_index_set = sai->is_profile_index_set;
   sa->i_id.data = _(sai->i_id.data);
   sa->i_auth.method = sai->i_auth.method;
   sa->i_auth.hex = sai->i_auth.hex;
@@ -1478,6 +1479,8 @@ static int
 ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
                               ikev2_child_sa_t * child)
 {
+  ikev2_main_t *km = &ikev2_main;
+  ikev2_profile_t *p = 0;
   ipsec_add_del_tunnel_args_t a;
   ikev2_sa_transform_t *tr;
   ikev2_sa_proposal_t *proposals;
@@ -1538,6 +1541,26 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
              break;
            }
        }
+      else if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM
+              && tr->key_len)
+       {
+         switch (tr->key_len)
+           {
+           case 16:
+             encr_type = IPSEC_CRYPTO_ALG_AES_GCM_128;
+             break;
+           case 24:
+             encr_type = IPSEC_CRYPTO_ALG_AES_GCM_192;
+             break;
+           case 32:
+             encr_type = IPSEC_CRYPTO_ALG_AES_GCM_256;
+             break;
+           default:
+             ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
+             return 1;
+             break;
+           }
+       }
       else
        {
          ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
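Review bot: The `break;` following `return 1;` in the `default:` arm of the new AES-GCM `switch (tr->key_len)` is unreachable and should be dropped, so the arm reads `default: ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); return 1;`. The outer `&& tr->key_len` guard is also redundant, since a zero length would be rejected by that same `default` arm; keeping it only routes `key_len == 0` to the existing `else` branch, which sets the same state, so either form is acceptable but the duplication is worth a one-line comment. ikev2_create_tunnel_interface starts and ends outside this hunk.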
@@ -1608,11 +1631,14 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
   a.remote_crypto_key_len = vec_len (rem_ckey);
   clib_memcpy_fast (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
 
-  if (sa->profile && sa->profile->lifetime)
+  if (sa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+  if (p && p->lifetime)
     {
-      child->time_to_expiration = vlib_time_now (vnm->vlib_main)
-       + sa->profile->lifetime;
-      if (sa->profile->lifetime_jitter)
+      child->time_to_expiration =
+       vlib_time_now (vnm->vlib_main) + p->lifetime;
+      if (p->lifetime_jitter)
        {
          // This is not much better than rand(3), which Coverity warns
          // is unsuitable for security applications; random_u32 is
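Review bot: `pool_elt_at_index (km->profiles, sa->profile_index)` on the new line following `if (sa->is_profile_index_set)` assumes the profile slot is still allocated; if a profile can be deleted while an SA that referenced it is still alive, the index then names a freed (or reused) pool element, and as far as I recall pool_elt_at_index only ASSERTs on free slots in debug builds and silently returns the element otherwise. Consider guarding the lookup, e.g. `if (sa->is_profile_index_set && !pool_is_free_index (km->profiles, sa->profile_index))`, so that a stale index degrades to the existing `p == 0` path rather than reading another profile's lifetime settings. The same pattern appears in the hunks for ikev2_mngr_process_child_sa and ikev2_mngr_process_ipsec_sa below and would need the same guard. ikev2_create_tunnel_interface starts and ends outside this hunk.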
@@ -1622,8 +1648,7 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
          u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
          rnd = random_u32 (&rnd);
 
-         child->time_to_expiration +=
-           1 + (rnd % sa->profile->lifetime_jitter);
+         child->time_to_expiration += 1 + (rnd % p->lifetime_jitter);
        }
     }
 
@@ -2555,24 +2580,27 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
     }
 
   /* DH */
-  error = 1;
-  vec_foreach (td, km->supported_transforms)
-  {
-    if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
+  if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)
+    {
+      error = 1;
+      vec_foreach (td, km->supported_transforms)
       {
-       vec_add1 (proposal->transforms, *td);
-       if (is_ike)
+       if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
          {
-           sa->dh_group = td->dh_type;
+           vec_add1 (proposal->transforms, *td);
+           if (is_ike)
+             {
+               sa->dh_group = td->dh_type;
+             }
+           error = 0;
+           break;
          }
-       error = 0;
-       break;
       }
-  }
-  if (error)
-    {
-      r = clib_error_return (0, "Unsupported algorithm");
-      return r;
+      if (error)
+       {
+         r = clib_error_return (0, "Unsupported algorithm");
+         return r;
+       }
     }
 
   if (!is_ike)
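Review bot: The new condition `if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)` changes when a missing DH transform is treated as "Unsupported algorithm" but carries no explanation. If the intent is that a child SA proposal omits the DH transform unless a group is configured (presumably PFS), a comment above the line would make the asymmetry between the IKE and child cases explicit, e.g. `/* DH is mandatory for the IKE SA; a child SA proposal carries one only when a DH group is configured */`. ikev2_set_initiator_proposals starts and ends outside this hunk.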
@@ -2973,7 +3001,8 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
     ikev2_sa_free_proposal_vector (&proposals);
 
     sa.is_initiator = 1;
-    sa.profile = p;
+    sa.profile_index = km->profiles - p;
+    sa.is_profile_index_set = 1;
     sa.state = IKEV2_STATE_SA_INIT;
     ikev2_generate_sa_init_data (&sa);
     ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
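Review bot: `sa.profile_index = km->profiles - p;` has the subtraction reversed: the index of a pool element is `p - km->profiles`, and the expression as written yields the negated index, which is only correct for the profile at index 0. If `profile_index` is an unsigned field (the other hunks pass it straight to `pool_elt_at_index`, which suggests it is), the negative value wraps to a very large index and the later `pool_elt_at_index (km->profiles, sa->profile_index)` in ikev2_create_tunnel_interface and the manager functions reads far outside the pool for every other profile. Change the line to `sa.profile_index = p - km->profiles;`. ikev2_initiate_sa_init starts and ends outside this hunk.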
@@ -3036,6 +3065,8 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
     ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
     ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
     ike0->ispi = sa.ispi;
+    ike0->rspi = 0;
+    ike0->msgid = 0;
 
     /* store whole IKE payload - needed for PSK auth */
     vec_free (sa.last_sa_init_req_packet_data);
@@ -3049,12 +3080,6 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
     sa.i_auth.method = p->auth.method;
     sa.i_auth.hex = p->auth.hex;
     sa.i_auth.data = vec_dup (p->auth.data);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-    clib_memcpy_fast (sa.i_auth.key, p->auth.key,
-                     EVP_PKEY_size (p->auth.key));
-#else
-    sa.i_auth.key = vec_dup (p->auth.key);
-#endif
     vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
     vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
 
@@ -3334,17 +3359,21 @@ static u8
 ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
 {
   ikev2_main_t *km = &ikev2_main;
+  ikev2_profile_t *p = 0;
   vlib_main_t *vm = km->vlib_main;
   f64 now = vlib_time_now (vm);
   u8 res = 0;
 
-  if (sa->is_initiator && sa->profile && csa->time_to_expiration
+  if (sa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+  if (sa->is_initiator && p && csa->time_to_expiration
       && now > csa->time_to_expiration)
     {
       if (!csa->is_expired || csa->rekey_retries > 0)
        {
          ikev2_rekey_child_sa_internal (vm, sa, csa);
-         csa->time_to_expiration = now + sa->profile->handover;
+         csa->time_to_expiration = now + p->handover;
          csa->is_expired = 1;
          if (csa->rekey_retries == 0)
            {
@@ -3380,6 +3409,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
   vlib_main_t *vm = km->vlib_main;
   ikev2_main_per_thread_data_t *tkm;
   ikev2_sa_t *fsa = 0;
+  ikev2_profile_t *p = 0;
   ikev2_child_sa_t *fchild = 0;
   f64 now = vlib_time_now (vm);
   vlib_counter_t counts;
@@ -3404,10 +3434,12 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
   vlib_get_combined_counter (&ipsec_sa_counters,
                             ipsec_sa->stat_index, &counts);
 
-  if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
+  if (fsa && fsa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, fsa->profile_index);
+
+  if (fchild && p && p->lifetime_maxdata)
     {
-      if (!fchild->is_expired
-         && counts.bytes > fsa->profile->lifetime_maxdata)
+      if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
        {
          fchild->time_to_expiration = now;
        }