sa->iaddr.as_u32 = sai->iaddr.as_u32;
sa->raddr.as_u32 = sai->raddr.as_u32;
sa->is_initiator = sai->is_initiator;
- sa->profile = sai->profile;
sa->i_id.type = sai->i_id.type;
+ sa->profile_index = sai->profile_index;
+ sa->is_profile_index_set = sai->is_profile_index_set;
sa->i_id.data = _(sai->i_id.data);
sa->i_auth.method = sai->i_auth.method;
sa->i_auth.hex = sai->i_auth.hex;
ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
ikev2_child_sa_t * child)
{
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_profile_t *p = 0;
ipsec_add_del_tunnel_args_t a;
ikev2_sa_transform_t *tr;
ikev2_sa_proposal_t *proposals;
break;
}
}
+ else if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM
+ && tr->key_len)
+ {
+ switch (tr->key_len)
+ {
+ case 16:
+ encr_type = IPSEC_CRYPTO_ALG_AES_GCM_128;
+ break;
+ case 24:
+ encr_type = IPSEC_CRYPTO_ALG_AES_GCM_192;
+ break;
+ case 32:
+ encr_type = IPSEC_CRYPTO_ALG_AES_GCM_256;
+ break;
+ default:
+ ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
+ return 1;
+ break;
+ }
+ }
else
{
ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
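Review bot: The `break;` after `return 1;` in the `default:` arm of the new AES-GCM switch is unreachable and can be dropped; the `&& tr->key_len` guard on the `else if` is likewise redundant, since a zero key_len would land in the same `default:` and reject the proposal anyway. The mapping of 16/24/32 bytes to the three GCM algorithms itself looks right. Note that RFC 4106 AES-GCM keying material is the cipher key plus a 4-byte salt; nothing in this hunk shows the length used when the child SA keys are derived, so confirm that derivation accounts for it rather than using tr->key_len alone. ikev2_create_tunnel_interface begins outside the hunk.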
a.remote_crypto_key_len = vec_len (rem_ckey);
clib_memcpy_fast (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
- if (sa->profile && sa->profile->lifetime)
+ if (sa->is_profile_index_set)
+ p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+ if (p && p->lifetime)
{
- child->time_to_expiration = vlib_time_now (vnm->vlib_main)
- + sa->profile->lifetime;
- if (sa->profile->lifetime_jitter)
+ child->time_to_expiration =
+ vlib_time_now (vnm->vlib_main) + p->lifetime;
+ if (p->lifetime_jitter)
{
// This is not much better than rand(3), which Coverity warns
// is unsuitable for security applications; random_u32 is
u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
rnd = random_u32 (&rnd);
- child->time_to_expiration +=
- 1 + (rnd % sa->profile->lifetime_jitter);
+ child->time_to_expiration += 1 + (rnd % p->lifetime_jitter);
}
}
}
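Review bot: The profile lookup `p = pool_elt_at_index (km->profiles, sa->profile_index);` has no check that the index is still live; if the profile was deleted after the SA was created, the lookup trips the pool assertion in debug builds and, in release builds, hands back whatever now occupies that slot, so the child SA lifetime could be taken from an unrelated or freed profile. Guarding the lookup with `if (sa->is_profile_index_set && !pool_is_free_index (km->profiles, sa->profile_index))` keeps the pointer-era behaviour of "no profile, no lifetime". The same unguarded lookup appears in ikev2_mngr_process_child_sa (`p = pool_elt_at_index (km->profiles, sa->profile_index);`) and in the lifetime_maxdata check (`p = pool_elt_at_index (km->profiles, fsa->profile_index);`). Slot reuse after deletion is inferred; the profile delete path is not part of this diff.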
/* DH */
- error = 1;
- vec_foreach (td, km->supported_transforms)
- {
- if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
+ if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)
+ {
+ error = 1;
+ vec_foreach (td, km->supported_transforms)
{
- vec_add1 (proposal->transforms, *td);
- if (is_ike)
+ if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
{
- sa->dh_group = td->dh_type;
+ vec_add1 (proposal->transforms, *td);
+ if (is_ike)
+ {
+ sa->dh_group = td->dh_type;
+ }
+ error = 0;
+ break;
}
- error = 0;
- break;
}
- }
- if (error)
- {
- r = clib_error_return (0, "Unsupported algorithm");
- return r;
+ if (error)
+ {
+ r = clib_error_return (0, "Unsupported algorithm");
+ return r;
+ }
}
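Review bot: With the new guard a child-SA proposal whose DH type is NONE skips transform matching entirely, so a child SA is accepted without PFS whatever the local configuration asks for; nothing in this hunk consults the profile's DH setting for the `!is_ike` case. If the profile is meant to mandate a DH group for child SAs, the `else` of this guard should compare ts->dh_type against that requirement and fall into the existing `clib_error_return (0, "Unsupported algorithm")` path rather than silently proceeding. Whether such a per-profile requirement exists is not visible here, and the enclosing function starts and ends outside the hunk.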
if (!is_ike)
ikev2_sa_free_proposal_vector (&proposals);
sa.is_initiator = 1;
- sa.profile = p;
+ sa.profile_index = km->profiles - p;
+ sa.is_profile_index_set = 1;
sa.state = IKEV2_STATE_SA_INIT;
ikev2_generate_sa_init_data (&sa);
ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
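Review bot: The index computation `sa.profile_index = km->profiles - p;` has the operands reversed: p points into the km->profiles pool, so the difference is zero for the first profile and negative for every other one, and that value is what the later `pool_elt_at_index (km->profiles, sa->profile_index)` lookups then use as an index. The pool index of an element is `sa.profile_index = p - km->profiles;`. This would only be masked in setups with a single profile, which is presumably why it passed testing. The enclosing function begins and ends outside the hunk.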
ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
ike0->ispi = sa.ispi;
+ ike0->rspi = 0;
+ ike0->msgid = 0;
/* store whole IKE payload - needed for PSK auth */
vec_free (sa.last_sa_init_req_packet_data);
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- clib_memcpy_fast (sa.i_auth.key, p->auth.key,
- EVP_PKEY_size (p->auth.key));
-#else
- sa.i_auth.key = vec_dup (p->auth.key);
-#endif
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
{
ikev2_main_t *km = &ikev2_main;
+ ikev2_profile_t *p = 0;
vlib_main_t *vm = km->vlib_main;
f64 now = vlib_time_now (vm);
u8 res = 0;
- if (sa->is_initiator && sa->profile && csa->time_to_expiration
+ if (sa->is_profile_index_set)
+ p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+ if (sa->is_initiator && p && csa->time_to_expiration
&& now > csa->time_to_expiration)
{
if (!csa->is_expired || csa->rekey_retries > 0)
{
ikev2_rekey_child_sa_internal (vm, sa, csa);
- csa->time_to_expiration = now + sa->profile->handover;
+ csa->time_to_expiration = now + p->handover;
csa->is_expired = 1;
if (csa->rekey_retries == 0)
{
vlib_main_t *vm = km->vlib_main;
ikev2_main_per_thread_data_t *tkm;
ikev2_sa_t *fsa = 0;
+ ikev2_profile_t *p = 0;
ikev2_child_sa_t *fchild = 0;
f64 now = vlib_time_now (vm);
vlib_counter_t counts;
vlib_get_combined_counter (&ipsec_sa_counters,
ipsec_sa->stat_index, &counts);
- if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
+ if (fsa && fsa->is_profile_index_set)
+ p = pool_elt_at_index (km->profiles, fsa->profile_index);
+
+ if (fchild && p && p->lifetime_maxdata)
{
- if (!fchild->is_expired
- && counts.bytes > fsa->profile->lifetime_maxdata)
+ if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
{
fchild->time_to_expiration = now;
}