{
bitmap |= 1 << transform->type;
vec_add2 (rv->transforms, new_t, 1);
- clib_memcpy (new_t, transform, sizeof (*new_t));
+ clib_memcpy_fast (new_t, transform, sizeof (*new_t));
new_t->attrs = vec_dup (transform->attrs);
}
}
/* SK_d */
sa->sk_d = vec_new (u8, tr_prf->key_trunc);
- clib_memcpy (sa->sk_d, keymat + pos, tr_prf->key_trunc);
+ clib_memcpy_fast (sa->sk_d, keymat + pos, tr_prf->key_trunc);
pos += tr_prf->key_trunc;
/* SK_ai */
sa->sk_ai = vec_new (u8, tr_integ->key_len);
- clib_memcpy (sa->sk_ai, keymat + pos, tr_integ->key_len);
+ clib_memcpy_fast (sa->sk_ai, keymat + pos, tr_integ->key_len);
pos += tr_integ->key_len;
/* SK_ar */
sa->sk_ar = vec_new (u8, tr_integ->key_len);
- clib_memcpy (sa->sk_ar, keymat + pos, tr_integ->key_len);
+ clib_memcpy_fast (sa->sk_ar, keymat + pos, tr_integ->key_len);
pos += tr_integ->key_len;
/* SK_ei */
sa->sk_ei = vec_new (u8, tr_encr->key_len);
- clib_memcpy (sa->sk_ei, keymat + pos, tr_encr->key_len);
+ clib_memcpy_fast (sa->sk_ei, keymat + pos, tr_encr->key_len);
pos += tr_encr->key_len;
/* SK_er */
sa->sk_er = vec_new (u8, tr_encr->key_len);
- clib_memcpy (sa->sk_er, keymat + pos, tr_encr->key_len);
+ clib_memcpy_fast (sa->sk_er, keymat + pos, tr_encr->key_len);
pos += tr_encr->key_len;
/* SK_pi */
sa->sk_pi = vec_new (u8, tr_prf->key_len);
- clib_memcpy (sa->sk_pi, keymat + pos, tr_prf->key_len);
+ clib_memcpy_fast (sa->sk_pi, keymat + pos, tr_prf->key_len);
pos += tr_prf->key_len;
/* SK_pr */
sa->sk_pr = vec_new (u8, tr_prf->key_len);
- clib_memcpy (sa->sk_pr, keymat + pos, tr_prf->key_len);
+ clib_memcpy_fast (sa->sk_pr, keymat + pos, tr_prf->key_len);
pos += tr_prf->key_len;
vec_free (keymat);
/* SK_ei */
child->sk_ei = vec_new (u8, ctr_encr->key_len);
- clib_memcpy (child->sk_ei, keymat + pos, ctr_encr->key_len);
+ clib_memcpy_fast (child->sk_ei, keymat + pos, ctr_encr->key_len);
pos += ctr_encr->key_len;
/* SK_ai */
child->sk_ai = vec_new (u8, ctr_integ->key_len);
- clib_memcpy (child->sk_ai, keymat + pos, ctr_integ->key_len);
+ clib_memcpy_fast (child->sk_ai, keymat + pos, ctr_integ->key_len);
pos += ctr_integ->key_len;
/* SK_er */
child->sk_er = vec_new (u8, ctr_encr->key_len);
- clib_memcpy (child->sk_er, keymat + pos, ctr_encr->key_len);
+ clib_memcpy_fast (child->sk_er, keymat + pos, ctr_encr->key_len);
pos += ctr_encr->key_len;
/* SK_ar */
child->sk_ar = vec_new (u8, ctr_integ->key_len);
- clib_memcpy (child->sk_ar, keymat + pos, ctr_integ->key_len);
+ clib_memcpy_fast (child->sk_ar, keymat + pos, ctr_integ->key_len);
pos += ctr_integ->key_len;
ASSERT (pos == len);
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
- clib_memcpy (nonce, ikep->payload, plen - sizeof (*ikep));
+ clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep));
}
else if (payload == IKEV2_PAYLOAD_TSI)
{
ikev2_sa_transform_t *tr;
ikev2_sa_proposal_t *proposals;
u8 encr_type = 0;
+ u8 integ_type = 0;
if (!child->r_proposals)
{
return 1;
}
- memset (&a, 0, sizeof (a));
+ clib_memset (&a, 0, sizeof (a));
a.is_add = 1;
if (sa->is_initiator)
{
- a.local_ip.as_u32 = sa->iaddr.as_u32;
- a.remote_ip.as_u32 = sa->raddr.as_u32;
+ a.local_ip.ip4.as_u32 = sa->iaddr.as_u32;
+ a.remote_ip.ip4.as_u32 = sa->raddr.as_u32;
proposals = child->i_proposals;
a.local_spi = child->r_proposals[0].spi;
a.remote_spi = child->i_proposals[0].spi;
}
else
{
- a.local_ip.as_u32 = sa->raddr.as_u32;
- a.remote_ip.as_u32 = sa->iaddr.as_u32;
+ a.local_ip.ip4.as_u32 = sa->raddr.as_u32;
+ a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32;
proposals = child->r_proposals;
a.local_spi = child->i_proposals[0].spi;
a.remote_spi = child->r_proposals[0].spi;
tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
if (tr)
{
- if (tr->integ_type != IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
- {
+ switch (tr->integ_type)
+ {
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
+ integ_type = IPSEC_INTEG_ALG_SHA_256_128;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
+ integ_type = IPSEC_INTEG_ALG_SHA_384_192;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
+ integ_type = IPSEC_INTEG_ALG_SHA_512_256;
+ break;
+ case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
+ integ_type = IPSEC_INTEG_ALG_SHA1_96;
+ break;
+ default:
ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
return 1;
}
rem_ckey = child->sk_ei;
}
- a.integ_alg = IPSEC_INTEG_ALG_SHA1_96;
+ a.integ_alg = integ_type;
a.local_integ_key_len = vec_len (loc_ikey);
- clib_memcpy (a.local_integ_key, loc_ikey, a.local_integ_key_len);
+ clib_memcpy_fast (a.local_integ_key, loc_ikey, a.local_integ_key_len);
a.remote_integ_key_len = vec_len (rem_ikey);
- clib_memcpy (a.remote_integ_key, rem_ikey, a.remote_integ_key_len);
+ clib_memcpy_fast (a.remote_integ_key, rem_ikey, a.remote_integ_key_len);
a.crypto_alg = encr_type;
a.local_crypto_key_len = vec_len (loc_ckey);
- clib_memcpy (a.local_crypto_key, loc_ckey, a.local_crypto_key_len);
+ clib_memcpy_fast (a.local_crypto_key, loc_ckey, a.local_crypto_key_len);
a.remote_crypto_key_len = vec_len (rem_ckey);
- clib_memcpy (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
+ clib_memcpy_fast (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
if (sa->profile && sa->profile->lifetime)
{
return 0;
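Review bot: The new SHA2 cases let `a.local_integ_key_len`/`a.remote_integ_key_len` reach 64 bytes (HMAC-SHA-512 keys) where the old code only ever copied a SHA1-96 key, but the copies at `clib_memcpy_fast (a.local_integ_key, loc_ikey, …)` and `clib_memcpy_fast (a.remote_integ_key, rem_ikey, …)` are still bounded only by `vec_len` of the source. If `local_integ_key`/`remote_integ_key` are fixed-size arrays in the add-SA argument struct (its definition is outside the hunk), a longer negotiated key overflows `a`; the same applies to the two crypto-key copies below them once the key size is driven by configuration. I would guard each copy against the destination, e.g. `if (a.local_integ_key_len > sizeof (a.local_integ_key)) return 1;` before the first one, and likewise for the other three. The enclosing function starts and ends outside the hunk.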
a.is_add = 0;
- a.local_ip.as_u32 = sa->iaddr.as_u32;
- a.remote_ip.as_u32 = sa->raddr.as_u32;
+ a.local_ip.ip4.as_u32 = sa->iaddr.as_u32;
+ a.remote_ip.ip4.as_u32 = sa->raddr.as_u32;
a.local_spi = child->r_proposals[0].spi;
a.remote_spi = child->i_proposals[0].spi;
}
return 0;
a.is_add = 0;
- a.local_ip.as_u32 = sa->raddr.as_u32;
- a.remote_ip.as_u32 = sa->iaddr.as_u32;
+ a.local_ip.ip4.as_u32 = sa->raddr.as_u32;
+ a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32;
a.local_spi = child->i_proposals[0].spi;
a.remote_spi = child->r_proposals[0].spi;
}
ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user;
ikev2_notify_t notify;
u8 *data = vec_new (u8, 4);
- memset (¬ify, 0, sizeof (notify));
+ clib_memset (¬ify, 0, sizeof (notify));
notify.protocol_id = IKEV2_PROTOCOL_ESP;
notify.spi = sa->childs[0].i_proposals->spi;
*(u32 *) data = clib_host_to_net_u32 (notify.spi);
tlen += vec_len (chain->data);
ike->nextpayload = chain->first_payload_type;
ike->length = clib_host_to_net_u32 (tlen);
- clib_memcpy (ike->payload, chain->data, vec_len (chain->data));
+ clib_memcpy_fast (ike->payload, chain->data, vec_len (chain->data));
/* store whole IKE payload - needed for PSK auth */
vec_free (sa->last_sa_init_res_packet_data);
ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ai : sa->sk_ar,
(u8 *) ike, tlen - tr_integ->key_trunc);
- clib_memcpy (ike->payload + tlen - tr_integ->key_trunc - sizeof (*ike),
- integ, tr_integ->key_trunc);
+ clib_memcpy_fast (ike->payload + tlen - tr_integ->key_trunc -
+ sizeof (*ike), integ, tr_integ->key_trunc);
/* store whole IKE payload - needed for retransmit */
vec_free (sa->last_res_packet_data);
ike->flags = tmp->flags;
ike->msgid = tmp->msgid;
ike->length = tmp->length;
- clib_memcpy(ike->payload, tmp->payload,
+ clib_memcpy_fast(ike->payload, tmp->payload,
clib_net_to_host_u32(tmp->length) - sizeof(*ike));
clib_warning("IKE_SA_INIT retransmit from %U to %U",
format_ip4_address, &raddr,
ike->flags = tmp->flags;
ike->msgid = tmp->msgid;
ike->length = tmp->length;
- clib_memcpy (ike->payload, tmp->payload,
- clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
+ clib_memcpy_fast (ike->payload, tmp->payload,
+ clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
clib_warning ("IKE msgid %u retransmit from %U to %U",
msg_id,
format_ip4_address, &sa->raddr,
}
}
+
static uword
ikev2_node_fn (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * frame)
if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
{
sa0 = &sa;
- memset (sa0, 0, sizeof (*sa0));
+ clib_memset (sa0, 0, sizeof (*sa0));
if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR)
{
/* add SA to the pool */
pool_get (km->per_thread_data[thread_index].sas,
sa0);
- clib_memcpy (sa0, &sa, sizeof (*sa0));
+ clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
hash_set (km->
per_thread_data[thread_index].sa_by_rspi,
sa0->rspi,
}
}
}
- else
+ else //received sa_init without initiator flag
{
ikev2_process_sa_init_resp (vm, sa0, ike0);
{
/* add SA to the pool */
pool_get (km->per_thread_data[thread_index].sas, sa0);
- clib_memcpy (sa0, &sa, sizeof (*sa0));
+ clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
hash_set (km->per_thread_data[thread_index].sa_by_rspi,
sa0->rspi,
sa0 - km->per_thread_data[thread_index].sas);
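Review bot: The added comment `else //received sa_init without initiator flag` uses `//` where the surrounding file uses `/* … */` (`/* add SA to the pool */`, `/* *INDENT-ON* */`); the same applies to `// set ikev2 proposals when vpp is used as initiator` in the later hunk above `ikev2_set_initiator_proposals`. Keeping one comment style, e.g. `else /* received SA_INIT without initiator flag */`, avoids the mixed look and the indent-tool exceptions. The enclosing function starts outside the hunk.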
};
/* *INDENT-ON* */
-
+// set ikev2 proposals when vpp is used as initiator
static clib_error_t *
ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
ikev2_transforms_set * ts,
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
- && td->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC
+ && td->encr_type == ts->crypto_alg
&& td->key_len == ts->crypto_key_size / 8)
{
u16 attr[2];
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
- && td->integ_type == IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
+ && td->integ_type == ts->integ_alg)
{
vec_add1 (proposal->transforms, *td);
error = 0;
}
if (error)
{
+ clib_warning
+ ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
r = clib_error_return (0, "Unsupported algorithm");
return r;
}
vec_foreach (td, km->supported_transforms)
{
if (td->type == IKEV2_TRANSFORM_TYPE_PRF
- && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA1)
+ && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
{
vec_add1 (proposal->transforms, *td);
error = 0;
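Review bot: The PRF selection at `td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256` stays hard-coded while the encryption and integrity loops in the same function were just made configurable through `ts->crypto_alg` and `ts->integ_alg`. Swapping the constant from HMAC-SHA1 to HMAC-SHA2-256 silently drops interoperability with responders that only offer PRF_HMAC_SHA1, and unlike the integrity loop there is no visible warning when no PRF matches. Either take the PRF from the transform set as well (a PRF field on `ikev2_transforms_set`, not present on this page) or document the fixed choice next to it, `/* PRF is fixed to HMAC-SHA2-256; peers offering only HMAC-SHA1 will not match */`, and add the same `clib_warning` on the `if (error)` path as the integrity loop now has. The enclosing function starts and ends outside the hunk.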
return clib_error_return (0, "policy %v already exists", name);
pool_get (km->profiles, p);
- memset (p, 0, sizeof (*p));
+ clib_memset (p, 0, sizeof (*p));
p->name = vec_dup (name);
p->responder.sw_if_index = ~0;
uword index = p - km->profiles;
/* Prepare the SA and the IKE payload */
ikev2_sa_t sa;
- memset (&sa, 0, sizeof (ikev2_sa_t));
+ clib_memset (&sa, 0, sizeof (ikev2_sa_t));
ikev2_payload_chain_t *chain = 0;
ikev2_payload_new_chain (chain);
u8 *nat_detection_sha1 = vec_new (u8, 20);
u64 tmpspi = clib_host_to_net_u64 (sa.ispi);
- clib_memcpy (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
+ clib_memcpy_fast (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
tmpspi = clib_host_to_net_u64 (sa.rspi);
- clib_memcpy (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
+ clib_memcpy_fast (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
u16 tmpport = clib_host_to_net_u16 (500);
- clib_memcpy (&nat_detection_source[8 + 8 + 4], &tmpport,
- sizeof (tmpport));
+ clib_memcpy_fast (&nat_detection_source[8 + 8 + 4], &tmpport,
+ sizeof (tmpport));
u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32);
- clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
+ clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
SHA1 (nat_detection_source, sizeof (nat_detection_source),
nat_detection_sha1);
ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
nat_detection_sha1);
tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32);
- clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
+ clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
SHA1 (nat_detection_source, sizeof (nat_detection_source),
nat_detection_sha1);
ikev2_payload_add_notify (chain,
u8 *sig_hash_algo = vec_new (u8, 8);
u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
- clib_memcpy (sig_hash_algo, &tmpsig, sizeof (tmpsig));
+ clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
ikev2_payload_add_notify (chain,
IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
sig_hash_algo);
vec_free (sig_hash_algo);
- /* Buffer update and bolierplate */
+ /* Buffer update and boilerplate */
len += vec_len (chain->data);
ike0->nextpayload = chain->first_payload_type;
ike0->length = clib_host_to_net_u32 (len);
- clib_memcpy (ike0->payload, chain->data, vec_len (chain->data));
+ clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
ikev2_payload_destroy_chain (chain);
ike0->version = IKE_VERSION_2;
sa.i_auth.hex = p->auth.hex;
sa.i_auth.data = vec_dup (p->auth.data);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
+ clib_memcpy_fast (sa.i_auth.key, p->auth.key,
+ EVP_PKEY_size (p->auth.key));
#else
sa.i_auth.key = vec_dup (p->auth.key);
#endif
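Review bot: `clib_memcpy_fast (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key))` copies `EVP_PKEY_size` bytes, which is the key's maximum signature/output size, not the size of the key object; if `auth.key` is an `EVP_PKEY *` as the OpenSSL ≥ 1.1.0 branch suggests, this is a shallow copy of an opaque structure with an unrelated length and it also relies on `sa.i_auth.key` already pointing at writable memory, which is not visible here. Sharing the key by reference, `sa.i_auth.key = p->auth.key; EVP_PKEY_up_ref (p->auth.key);`, would mirror the `vec_dup` ownership of the `#else` branch without a fixed-size copy. The commit only renamed the call, so this is pre-existing; the enclosing function starts and ends outside the hunk.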
/* add SA to the pool */
ikev2_sa_t *sa0 = 0;
pool_get (km->sais, sa0);
- clib_memcpy (sa0, &sa, sizeof (*sa0));
+ clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
vlib_thread_main_t *tm = vlib_get_thread_main ();
int thread_id;
- memset (km, 0, sizeof (ikev2_main_t));
+ clib_memset (km, 0, sizeof (ikev2_main_t));
km->vnet_main = vnet_get_main ();
km->vlib_main = vm;
else if (csa->rekey_retries > 0)
{
csa->rekey_retries--;
- clib_warning ("Rekeing Child SA 0x%x, retries left %d",
+ clib_warning ("Rekeying Child SA 0x%x, retries left %d",
csa->i_proposals->spi, csa->rekey_retries);
if (csa->rekey_retries == 0)
{
ikev2_sa_t *fsa = 0;
ikev2_child_sa_t *fchild = 0;
f64 now = vlib_time_now (vm);
+ vlib_counter_t counts;
/* Search for the SA and child SA */
vec_foreach (tkm, km->per_thread_data)
}));
/* *INDENT-ON* */
}
+ vlib_get_combined_counter (&ipsec_sa_counters,
+ ipsec_sa->stat_index, &counts);
if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
{
if (!fchild->is_expired
- && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
+ && counts.bytes > fsa->profile->lifetime_maxdata)
{
fchild->time_to_expiration = now;
}
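Review bot: `vlib_get_combined_counter (&ipsec_sa_counters, ipsec_sa->stat_index, &counts)` now dereferences `ipsec_sa` before the `if (fchild && fsa && …)` guard, whereas the old `ipsec_sa->total_data_size` read happened only inside it. If `ipsec_sa` can be null or refer to an SA that is gone when the search above finds no child (its lookup is outside the hunk), this is a new unconditional dereference. Moving the counter read inside the guard keeps the old evaluation order: `if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata) { vlib_get_combined_counter (&ipsec_sa_counters, ipsec_sa->stat_index, &counts);` followed by the existing `if (!fchild->is_expired && counts.bytes > …)`. The enclosing function starts outside the hunk.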