r = vec_new (u8, tr->key_len);
+ if (tr->md == EVP_sha1 ())
+ {
+ clib_warning ("integrity checking with sha1");
+ }
+ else if (tr->md == EVP_sha256 ())
+ {
+ clib_warning ("integrity checking with sha256");
+ }
+
/* verify integrity of data */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
hctx = HMAC_CTX_new ();
{
sa->i_dh_data = vec_new (u8, t->key_len);
x_off = len - BN_num_bytes (x);
- memset (sa->i_dh_data, 0, x_off);
+ clib_memset (sa->i_dh_data, 0, x_off);
BN_bn2bin (x, sa->i_dh_data + x_off);
y_off = t->key_len - BN_num_bytes (y);
- memset (sa->i_dh_data + len, 0, y_off - len);
+ clib_memset (sa->i_dh_data + len, 0, y_off - len);
BN_bn2bin (y, sa->i_dh_data + y_off);
const BIGNUM *prv = EC_KEY_get0_private_key (ec);
{
sa->r_dh_data = vec_new (u8, t->key_len);
x_off = len - BN_num_bytes (x);
- memset (sa->r_dh_data, 0, x_off);
+ clib_memset (sa->r_dh_data, 0, x_off);
BN_bn2bin (x, sa->r_dh_data + x_off);
y_off = t->key_len - BN_num_bytes (y);
- memset (sa->r_dh_data + len, 0, y_off - len);
+ clib_memset (sa->r_dh_data + len, 0, y_off - len);
BN_bn2bin (y, sa->r_dh_data + y_off);
x = BN_bin2bn (sa->i_dh_data, len, x);
EC_POINT_get_affine_coordinates_GFp (group, shared_point, x, y,
bn_ctx);
x_off = len - BN_num_bytes (x);
- memset (sa->dh_shared_key, 0, x_off);
+ clib_memset (sa->dh_shared_key, 0, x_off);
BN_bn2bin (x, sa->dh_shared_key + x_off);
y_off = t->key_len - BN_num_bytes (y);
- memset (sa->dh_shared_key + len, 0, y_off - len);
+ clib_memset (sa->dh_shared_key + len, 0, y_off - len);
BN_bn2bin (y, sa->dh_shared_key + y_off);
}
EC_POINT_get_affine_coordinates_GFp (group, shared_point, x, y, bn_ctx);
sa->dh_shared_key = vec_new (u8, t->key_len);
x_off = len - BN_num_bytes (x);
- memset (sa->dh_shared_key, 0, x_off);
+ clib_memset (sa->dh_shared_key, 0, x_off);
BN_bn2bin (x, sa->dh_shared_key + x_off);
y_off = t->key_len - BN_num_bytes (y);
- memset (sa->dh_shared_key + len, 0, y_off - len);
+ clib_memset (sa->dh_shared_key + len, 0, y_off - len);
BN_bn2bin (y, sa->dh_shared_key + y_off);
EC_KEY_free (ec);
ikev2_sa_transform_t *tr;
/* vector of supported transforms - in order of preference */
+
+ //Encryption
+
vec_add2 (km->supported_transforms, tr, 1);
tr->type = IKEV2_TRANSFORM_TYPE_ENCR;
tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC;
tr->block_size = 128 / 8;
tr->cipher = EVP_aes_128_cbc ();
+ //PRF
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_PRF;
+ tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256;
+ tr->key_len = 256 / 8;
+ tr->key_trunc = 256 / 8;
+ tr->md = EVP_sha256 ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_PRF;
+ tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_384;
+ tr->key_len = 384 / 8;
+ tr->key_trunc = 384 / 8;
+ tr->md = EVP_sha384 ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_PRF;
+ tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_512;
+ tr->key_len = 512 / 8;
+ tr->key_trunc = 512 / 8;
+ tr->md = EVP_sha512 ();
+
vec_add2 (km->supported_transforms, tr, 1);
tr->type = IKEV2_TRANSFORM_TYPE_PRF;
tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA1;
tr->key_trunc = 160 / 8;
tr->md = EVP_sha1 ();
+ //Integrity
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_INTEG;
+ tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128;
+ tr->key_len = 256 / 8;
+ tr->key_trunc = 128 / 8;
+ tr->md = EVP_sha256 ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_INTEG;
+ tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192;
+ tr->key_len = 384 / 8;
+ tr->key_trunc = 192 / 8;
+ tr->md = EVP_sha384 ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_INTEG;
+ tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256;
+ tr->key_len = 512 / 8;
+ tr->key_trunc = 256 / 8;
+ tr->md = EVP_sha512 ();
+
+ vec_add2 (km->supported_transforms, tr, 1);
+ tr->type = IKEV2_TRANSFORM_TYPE_INTEG;
+ tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_160;
+ tr->key_len = 160 / 8;
+ tr->key_trunc = 160 / 8;
+ tr->md = EVP_sha1 ();
+
vec_add2 (km->supported_transforms, tr, 1);
tr->type = IKEV2_TRANSFORM_TYPE_INTEG;
tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96;
tr->key_trunc = 96 / 8;
tr->md = EVP_sha1 ();
+
#if defined(OPENSSL_NO_CISCO_FECDH)
vec_add2 (km->supported_transforms, tr, 1);
tr->type = IKEV2_TRANSFORM_TYPE_DH;