#include <vnet/ipsec/ikev2_priv.h>
#include <openssl/sha.h>
+ikev2_main_t ikev2_main;
+
static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
ikev2_sa_t * sa,
ikev2_child_sa_t * child);
ikev2_sa_transform_t *tr;
ikev2_sa_proposal_t *proposals;
u8 encr_type = 0;
+ u8 integ_type = 0;
if (!child->r_proposals)
{
tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
if (tr)
{
- if (tr->integ_type != IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
- {
+ switch (tr->integ_type)
+ {
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
+ integ_type = IPSEC_INTEG_ALG_SHA_256_128;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
+ integ_type = IPSEC_INTEG_ALG_SHA_384_192;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
+ integ_type = IPSEC_INTEG_ALG_SHA_512_256;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
+ integ_type = IPSEC_INTEG_ALG_SHA1_96;
+ break;
+ default:
ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
return 1;
}
rem_ckey = child->sk_ei;
}
- a.integ_alg = IPSEC_INTEG_ALG_SHA1_96;
+ a.integ_alg = integ_type;
a.local_integ_key_len = vec_len (loc_ikey);
clib_memcpy (a.local_integ_key, loc_ikey, a.local_integ_key_len);
a.remote_integ_key_len = vec_len (rem_ikey);
}
}
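Review bot: When `ikev2_sa_get_td_for_type` returns NULL at the `if (tr)` guard, `integ_type` keeps its initial value of 0 and is now written to `a.integ_alg`, where the old code unconditionally used `IPSEC_INTEG_ALG_SHA1_96`; a child SA negotiated without an INTEG transform would therefore be installed with algorithm 0 (presumably `IPSEC_INTEG_ALG_NONE`) plus whatever `loc_ikey`/`rem_ikey` hold. If that combination is only legitimate for AEAD ciphers, the NULL case should be rejected explicitly unless an AEAD encryption transform was selected, e.g. `else if (!aead) { ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); return 1; }`; whether earlier proposal validation already guarantees this is not visible from the hunk. The four HMAC cases in the new switch map to the matching IPsec constants as far as the names show, and the `default` correctly rejects anything else. The enclosing function begins and ends outside this hunk.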
+
static uword
ikev2_node_fn (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * frame)
}
}
}
- else
+ else //received sa_init without initiator flag
{
ikev2_process_sa_init_resp (vm, sa0, ike0);
};
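Review bot: The comment appended to `else` uses `//` while the surrounding code uses `/* */` (see `/* *INDENT-ON* */` directly below), and it names a header flag rather than what the branch does; I would write `else /* peer's SA_INIT response (initiator flag clear) */` so it matches the file's comment style and states that `ikev2_process_sa_init_resp` is the action taken. The `//` comment introduced above `ikev2_set_initiator_proposals` has the same style mismatch. `ikev2_node_fn` begins and ends outside this hunk, so I cannot confirm which condition the `if` branch tests.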
/* *INDENT-ON* */
-
+// set ikev2 proposals when vpp is used as initiator
static clib_error_t *
ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
ikev2_transforms_set * ts,
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
- && td->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC
+ && td->encr_type == ts->crypto_alg
&& td->key_len == ts->crypto_key_size / 8)
{
u16 attr[2];
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
- && td->integ_type == IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
+ && td->integ_type == ts->integ_alg)
{
vec_add1 (proposal->transforms, *td);
error = 0;
}
if (error)
{
+ clib_warning
+ ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
r = clib_error_return (0, "Unsupported algorithm");
return r;
}
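Review bot: The new `clib_warning` in the INTEG error path says which transform type failed but not which algorithm was requested, so an operator cannot distinguish a mistyped integrity algorithm in the profile from a build that simply lacks it; include the value, e.g. `clib_warning ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG (%d)", ts->integ_alg);`. The ENCR lookup above now likewise takes `ts->crypto_alg` and the key size from `ts` but has no equivalent warning in the visible lines and would benefit from the same treatment. `ikev2_set_initiator_proposals` starts and ends outside this hunk.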
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_PRF
- && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA1)
+ && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
{
vec_add1 (proposal->transforms, *td);
error = 0;
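Review bot: ENCR and INTEG are now taken from the configured transform set, but the PRF remains a single hard-coded constant, merely switched from `PRF_HMAC_SHA1` to `PRF_HMAC_SHA2_256`, so a profile configured with SHA1 integrity against a legacy peer that only offers `PRF_HMAC_SHA1` will stop negotiating, and nothing in the hunk ties the PRF to the chosen integrity hash. Either derive it from `ts` like the other two (a `prf_alg` member, or the PRF whose hash matches `ts->integ_alg`) or document the fixed choice at the comparison, `/* PRF is fixed to HMAC-SHA2-256 regardless of the configured integ alg */`. A warning naming the PRF on the error path, like the one added for INTEG, would keep the three lookups consistent. `ikev2_set_initiator_proposals` starts and ends outside this hunk.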
vec_free (sig_hash_algo);
- /* Buffer update and bolierplate */
+ /* Buffer update and boilerplate */
len += vec_len (chain->data);
ike0->nextpayload = chain->first_payload_type;
ike0->length = clib_host_to_net_u32 (len);
sa.i_auth.method = p->auth.method;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+#else
sa.i_auth.key = vec_dup (p->auth.key);
+#endif
vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
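Review bot: The OpenSSL 1.1 branch copies `EVP_PKEY_size (p->auth.key)` bytes from `p->auth.key` into `sa.i_auth.key`, but `EVP_PKEY_size()` returns the maximum signature/output size for the key, not the size of the key object, and `EVP_PKEY` is opaque in 1.1.0+, so a raw byte copy of it is unsupported even with the right length (its internal pointers and reference count would be shared uncounted). If `i_auth.key` is an `EVP_PKEY *`, the memcpy also writes through a pointer that has not been assigned, which is memory corruption on the private-key path; if it is a byte vector, the length is still wrong. Use the reference-counted API instead, `EVP_PKEY_up_ref (p->auth.key); sa.i_auth.key = p->auth.key;`, with a matching `EVP_PKEY_free` where the SA is torn down, or keep `vec_dup` if the field really is a vector. The enclosing function starts and ends outside this hunk.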
else if (csa->rekey_retries > 0)
{
csa->rekey_retries--;
- clib_warning ("Rekeing Child SA 0x%x, retries left %d",
+ clib_warning ("Rekeying Child SA 0x%x, retries left %d",
csa->i_proposals->spi, csa->rekey_retries);
if (csa->rekey_retries == 0)
{