ikev2_sa_transform_t *t = 0, *t2;
ikev2_main_t *km = &ikev2_main;
+ sai->init_response_received = 1;
/*move some data to the new SA */
#define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
ikev2_sa_t *sai =
pool_elt_at_index (km->sais, p[0]);
- ikev2_complete_sa_data (sa0, sai);
- ikev2_calc_keys (sa0);
- ikev2_sa_auth_init (sa0);
- len = ikev2_generate_message (sa0, ike0, 0);
+ if (sai->init_response_received)
+ {
+ /* we've already processed sa-init response */
+ sa0->state = IKEV2_STATE_UNKNOWN;
+ }
+ else
+ {
+ ikev2_complete_sa_data (sa0, sai);
+ ikev2_calc_keys (sa0);
+ ikev2_sa_auth_init (sa0);
+ len = ikev2_generate_message (sa0, ike0, 0);
+ }
}
}
hash_foreach (ispi, sai, km->sa_by_ispi,
({
sa = pool_elt_at_index (km->sais, sai);
+ if (sa->init_response_received)
+ continue;
+
u32 bi0;
if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
return;
return out_len + bs;
}
+#ifndef BN_bn2binpad
+int
+BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen)
+{
+ int r = BN_bn2bin (a, to);
+ ASSERT (tolen >= r);
+ int pad = tolen - r;
+ if (pad)
+ {
+ vec_insert (to, pad, 0);
+ clib_memset (to, 0, pad);
+ _vec_len (to) -= pad;
+ }
+ return tolen;
+}
+#endif
+
void
ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
{
sa->dh_private_key = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
DH_get0_key (dh, &pub_key, &priv_key);
- r = BN_bn2bin (pub_key, sa->i_dh_data);
+ r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
- r = BN_bn2bin (priv_key, sa->dh_private_key);
+ r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
+ r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len);
ASSERT (r == t->key_len);
- r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
+ r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len);
#endif
ASSERT (r == t->key_len);
}
sa->r_dh_data = vec_new (u8, t->key_len);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
DH_get0_key (dh, &pub_key, &priv_key);
- r = BN_bn2bin (pub_key, sa->r_dh_data);
+ r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len);
#else
- r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
+ r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len);
#endif
ASSERT (r == t->key_len);
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ _vec_len (sa->dh_shared_key) -= pad;
+ }
BN_clear_free (ex);
}
DH_free (dh);
sa->dh_shared_key = vec_new (u8, t->key_len);
ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
r = DH_compute_key (sa->dh_shared_key, ex, dh);
- ASSERT (r == t->key_len);
+ ASSERT (t->key_len >= r);
+ int pad = t->key_len - r;
+ if (pad)
+ {
+ vec_insert (sa->dh_shared_key, pad, 0);
+ clib_memset (sa->dh_shared_key, 0, pad);
+ _vec_len (sa->dh_shared_key) -= pad;
+ }
BN_clear_free (ex);
DH_free (dh);
}