author | Filip Tehlar <ftehlar@cisco.com> | 2020-03-02 21:49:48 +0000 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2020-03-04 08:23:50 +0000 |
commit | b979f5e3a6d99d5e9a37a9a086004feaa8fd15e5 (patch) | |
tree | ebaf5be057981e380af82166efa82bd6db9b85aa /src/plugins/ikev2/ikev2.c | |
parent | 27518c2ffd0ef75e973a64870da0e3339f39ccce (diff) |
ikev2: make integ algo optional
Type: improvement
This patch makes configuring the integrity algorithm optional. This is
useful when using an AEAD cipher (in fact, when such a cipher is used,
the integ algo is ignored anyway).
Change-Id: I5891db5c0433afb85ae2d9084d45b89ec1133178
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Diffstat (limited to 'src/plugins/ikev2/ikev2.c')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index db68135db42..a9d7e5696a8 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -2754,24 +2754,27 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
 return r;
 }

- /* Integrity */
- error = 1;
- vec_foreach (td, km->supported_transforms)
- {
- if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
- && td->integ_type == ts->integ_alg)
+ if (IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 != ts->crypto_alg)
+ {
+ /* Integrity */
+ error = 1;
+ vec_foreach (td, km->supported_transforms)
 {
- vec_add1 (proposal->transforms, *td);
- error = 0;
- break;
+ if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
+ && td->integ_type == ts->integ_alg)
+ {
+ vec_add1 (proposal->transforms, *td);
+ error = 0;
+ break;
+ }
 }
- }
- if (error)
- {
- ikev2_elog_error
- ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
- r = clib_error_return (0, "Unsupported algorithm");
- return r;
+ if (error)
+ {
+ ikev2_elog_error
+ ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
+ r = clib_error_return (0, "Unsupported algorithm");
+ return r;
+ }
 }

 /* PRF */ |
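Review bot: The integrity exemption at `if (IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 != ts->crypto_alg)` is keyed to a single cipher id, so any other AEAD transform the plugin supports or later gains would still be forced to carry an INTEG transform in the proposal, which, as far as I recall, RFC 7296 section 3.3 does not permit alongside a combined-mode cipher. Consider moving the test into one small predicate (placeholder name `ikev2_encr_is_aead (ts->crypto_alg)`) that the proposal-matching and key-derivation code, not visible in this hunk, can share, so both peers' paths agree on when integrity is omitted. The non-AEAD branch still fails closed when no matching transform is found; that invariant deserves a comment above the new `if`, for example `/* AEAD ciphers carry their own ICV; every other cipher must match an INTEG transform or the proposal is rejected */`. A configured `ts->integ_alg` is now dropped silently for AES-GCM, so a debug log there would help operators notice the setting is ignored. ikev2_set_initiator_proposals begins and ends outside this hunk.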