author | Filip Tehlar <ftehlar@cisco.com> | 2020-03-25 02:46:28 +0000 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2020-03-26 12:32:59 +0000 |
commit | 336eac84eb7902eae212f05711ce06967b4d202c (patch) | |
tree | 35923841fb10b0c3dd8d88858bfcfcbb25a35747 /src/plugins/ikev2/ikev2.c | |
parent | c415d0a8e34a30aeb7efe2360937426b724206c2 (diff) |
ikev2: fix wrong usage of BN_bn2bin()
This patch fixes 2 different crashes:
1) BN_bn2bin() returns bytes written, not actual key length. Use
BN_bn2binpad() instead which adds padding.
2) Initiator may receive multiple sa-init responses for the same ispi
which may result in crash. Remember first response and ignore any
subsequent ones.
Type: fix
Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Diffstat (limited to 'src/plugins/ikev2/ikev2.c')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 92a8ff8fe10..f288d4fcbec 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -380,6 +380,7 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
 ikev2_sa_transform_t *t = 0, *t2;
 ikev2_main_t *km = &ikev2_main;
+ sai->init_response_received = 1;
 /*move some data to the new SA */
 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
@@ -2445,10 +2446,18 @@ ikev2_node_fn (vlib_main_t * vm,
 ikev2_sa_t *sai = pool_elt_at_index (km->sais, p[0]);
- ikev2_complete_sa_data (sa0, sai);
- ikev2_calc_keys (sa0);
- ikev2_sa_auth_init (sa0);
- len = ikev2_generate_message (sa0, ike0, 0);
+ if (sai->init_response_received)
+ {
+ /* we've already processed sa-init response */
+ sa0->state = IKEV2_STATE_UNKNOWN;
+ }
+ else
+ {
+ ikev2_complete_sa_data (sa0, sai);
+ ikev2_calc_keys (sa0);
+ ikev2_sa_auth_init (sa0);
+ len = ikev2_generate_message (sa0, ike0, 0);
+ }
 }
 }
@@ -3889,6 +3898,9 @@ ikev2_process_pending_sa_init (ikev2_main_t * km)
 hash_foreach (ispi, sai, km->sa_by_ispi, ({ sa = pool_elt_at_index (km->sais, sai);
+ if (sa->init_response_received)
+ continue;
+
 u32 bi0;
 if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1) return; |
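Review bot: `sai->init_response_received` is set at the top of `ikev2_complete_sa_data` and nothing in the visible hunks ever clears it, so the first SA_INIT response to reach this point latches the initiator SA for good. SA_INIT responses are not yet authenticated at this stage, and the third hunk uses the same flag to stop retransmitting the request. A corrupted or bogus first response would therefore presumably leave the negotiation stuck until some cleanup outside these hunks removes `sai`; RFC 7296 section 2.4 describes this trade-off. Consider clearing the flag (or deleting `sai`) when the following IKE_AUTH exchange fails, and document the latch with a comment such as `/* first sa-init response wins; later ones are ignored in ikev2_node_fn */`. The function body continues outside the hunk.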
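Review bot: The duplicate-response branch in `ikev2_node_fn` drops the packet silently: it only sets `sa0->state = IKEV2_STATE_UNKNOWN`, so an operator cannot tell a benign retransmission from a stream of competing responses for the same ispi. Incrementing a node error counter there with `vlib_node_increment_counter` (reusing an existing "sa-init ignored" counter if the node has one) would make this visible without per-packet logging. The branch also leaves `len` unassigned, and `sa0` may already hold data parsed from the response before this point. Whether a stale `len` is used or that data is freed depends on code outside the hunk, so it is worth confirming that the `IKEV2_STATE_UNKNOWN` path handles both.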
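Review bot: The new `if (sa->init_response_received) continue;` sits inside the `({ ... })` body passed to `hash_foreach`, so it only moves on to the next entry if the macro wraps that body in a loop construct. The expansion is not visible here, so a one-line comment would save the next reader from checking it, for example `/* response already accepted for this ispi: stop retransmitting (continue skips to the next hash entry) */`. Entries skipped this way stay in `km->sa_by_ispi`, and these hunks do not show where they are eventually removed.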