FD.io VPP  v18.10-34-gcce845e
Vector Packet Processing
ikev2.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vppinfra/error.h>
20 #include <vppinfra/random.h>
21 #include <vnet/udp/udp.h>
22 #include <vnet/ipsec/ipsec.h>
23 #include <vnet/ipsec/ikev2.h>
24 #include <vnet/ipsec/ikev2_priv.h>
25 #include <openssl/sha.h>
26 
28 
30  ikev2_sa_t * sa,
31  ikev2_child_sa_t * child);
32 
33 #define ikev2_set_state(sa, v) do { \
34  (sa)->state = v; \
35  clib_warning("sa state changed to " #v); \
36  } while(0);
37 
38 typedef struct
39 {
43 
44 static u8 *
45 format_ikev2_trace (u8 * s, va_list * args)
46 {
47  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49  ikev2_trace_t *t = va_arg (*args, ikev2_trace_t *);
50 
51  s = format (s, "ikev2: sw_if_index %d, next index %d",
52  t->sw_if_index, t->next_index);
53  return s;
54 }
55 
57 
58 #define foreach_ikev2_error \
59 _(PROCESSED, "IKEv2 packets processed") \
60 _(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \
61 _(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \
62 _(IKE_REQ_RETRANSMIT, "IKE request retransmit") \
63 _(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \
64 _(NOT_IKEV2, "Non IKEv2 packets received")
65 
66 typedef enum
67 {
68 #define _(sym,str) IKEV2_ERROR_##sym,
70 #undef _
73 
74 static char *ikev2_error_strings[] = {
75 #define _(sym,string) string,
77 #undef _
78 };
79 
80 typedef enum
81 {
85 } ikev2_next_t;
86 
87 static ikev2_sa_transform_t *
89 {
90  ikev2_main_t *km = &ikev2_main;
92 
94  {
95  if (td->type != t->type)
96  continue;
97 
98  if (td->transform_id != t->transform_id)
99  continue;
100 
101  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR)
102  {
103  if (vec_len (t->attrs) != 4 || t->attrs[0] != 0x80
104  || t->attrs[1] != 14)
105  continue;
106 
107  if (((t->attrs[2] << 8 | t->attrs[3]) / 8) != td->key_len)
108  continue;
109  }
110  return td;
111  }
112  return 0;
113 }
114 
115 static ikev2_sa_proposal_t *
117  ikev2_protocol_id_t prot_id)
118 {
119  ikev2_sa_proposal_t *rv = 0;
120  ikev2_sa_proposal_t *proposal;
121  ikev2_sa_transform_t *transform, *new_t;
122  u8 mandatory_bitmap, optional_bitmap;
123 
124  if (prot_id == IKEV2_PROTOCOL_IKE)
125  {
126  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
127  (1 << IKEV2_TRANSFORM_TYPE_PRF) |
128  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
129  optional_bitmap = mandatory_bitmap;
130  }
131  else if (prot_id == IKEV2_PROTOCOL_ESP)
132  {
133  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
134  (1 << IKEV2_TRANSFORM_TYPE_ESN);
135  optional_bitmap = mandatory_bitmap |
136  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
137  }
138  else if (prot_id == IKEV2_PROTOCOL_AH)
139  {
140  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
141  (1 << IKEV2_TRANSFORM_TYPE_ESN);
142  optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
143  }
144  else
145  return 0;
146 
147  vec_add2 (rv, proposal, 1);
148 
149  vec_foreach (proposal, proposals)
150  {
151  u8 bitmap = 0;
152  if (proposal->protocol_id != prot_id)
153  continue;
154 
155  vec_foreach (transform, proposal->transforms)
156  {
157  if ((1 << transform->type) & bitmap)
158  continue;
159 
160  if (ikev2_find_transform_data (transform))
161  {
162  bitmap |= 1 << transform->type;
163  vec_add2 (rv->transforms, new_t, 1);
164  clib_memcpy (new_t, transform, sizeof (*new_t));
165  new_t->attrs = vec_dup (transform->attrs);
166  }
167  }
168 
169  clib_warning ("bitmap is %x mandatory is %x optional is %x",
170  bitmap, mandatory_bitmap, optional_bitmap);
171 
172  if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
173  (bitmap & ~optional_bitmap) == 0)
174  {
175  rv->proposal_num = proposal->proposal_num;
176  rv->protocol_id = proposal->protocol_id;
177  RAND_bytes ((u8 *) & rv->spi, sizeof (rv->spi));
178  goto done;
179  }
180  else
181  {
182  vec_free (rv->transforms);
183  }
184  }
185 
186  vec_free (rv);
187 done:
188  return rv;
189 }
190 
194 {
196 
197  if (!p)
198  return 0;
199 
200  vec_foreach (t, p->transforms)
201  {
202  if (t->type == type)
203  return ikev2_find_transform_data (t);
204  }
205  return 0;
206 }
207 
210  int by_initiator)
211 {
213  vec_foreach (c, sa->childs)
214  {
215  ikev2_sa_proposal_t *proposal =
216  by_initiator ? &c->i_proposals[0] : &c->r_proposals[0];
217  if (proposal && proposal->spi == spi && proposal->protocol_id == prot_id)
218  return c;
219  }
220 
221  return 0;
222 }
223 
224 void
226 {
229 
230  if (!*v)
231  return;
232 
233  vec_foreach (p, *v)
234  {
235  vec_foreach (t, p->transforms)
236  {
237  vec_free (t->attrs);
238  }
239  vec_free (p->transforms);
240  }
241  vec_free (*v);
242 };
243 
244 static void
246 {
248  vec_foreach (c, *childs)
249  {
252  vec_free (c->sk_ai);
253  vec_free (c->sk_ar);
254  vec_free (c->sk_ei);
255  vec_free (c->sk_er);
256  }
257 
258  vec_free (*childs);
259 }
260 
261 static void
263 {
266  vec_free (child->sk_ai);
267  vec_free (child->sk_ar);
268  vec_free (child->sk_ei);
269  vec_free (child->sk_er);
270 
271  vec_del1 (sa->childs, child - sa->childs);
272 }
273 
274 static void
276 {
277  vec_free (sa->i_nonce);
278  vec_free (sa->i_dh_data);
279  vec_free (sa->dh_shared_key);
280  vec_free (sa->dh_private_key);
281 
284 
285  vec_free (sa->sk_d);
286  vec_free (sa->sk_ai);
287  vec_free (sa->sk_ar);
288  vec_free (sa->sk_ei);
289  vec_free (sa->sk_er);
290  vec_free (sa->sk_pi);
291  vec_free (sa->sk_pr);
292 
293  vec_free (sa->i_id.data);
294  vec_free (sa->i_auth.data);
295  vec_free (sa->r_id.data);
296  vec_free (sa->r_auth.data);
297  if (sa->r_auth.key)
298  EVP_PKEY_free (sa->r_auth.key);
299 
300  vec_free (sa->del);
301 
303 }
304 
305 static void
307 {
308  ikev2_main_t *km = &ikev2_main;
309  u32 thread_index = vlib_get_thread_index ();
310  uword *p;
311 
313 
314  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
315  if (p)
316  {
317  hash_unset (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
318  pool_put (km->per_thread_data[thread_index].sas, sa);
319  }
320 }
321 
322 static void
324 {
325  ikev2_sa_transform_t *t = 0, *t2;
326  ikev2_main_t *km = &ikev2_main;
327 
328  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
329  {
330  return;
331  }
332 
333  /* check if received DH group is on our list of supported groups */
335  {
336  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
337  {
338  t = t2;
339  break;
340  }
341  }
342 
343  if (!t)
344  {
345  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
346  vec_len (sa->i_dh_data));
347  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
348  return;
349  }
350 
351  if (sa->is_initiator)
352  {
353  /* generate rspi */
354  RAND_bytes ((u8 *) & sa->ispi, 8);
355 
356  /* generate nonce */
358  RAND_bytes ((u8 *) sa->i_nonce, IKEV2_NONCE_SIZE);
359  }
360  else
361  {
362  /* generate rspi */
363  RAND_bytes ((u8 *) & sa->rspi, 8);
364 
365  /* generate nonce */
367  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
368  }
369 
370  /* generate dh keys */
371  ikev2_generate_dh (sa, t);
372 
373 }
374 
375 static void
377 {
378  ikev2_sa_transform_t *t = 0, *t2;
379  ikev2_main_t *km = &ikev2_main;
380 
381 
382  /*move some data to the new SA */
383 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
384  sa->i_nonce = _(sai->i_nonce);
385  sa->i_dh_data = _(sai->i_dh_data);
386  sa->dh_private_key = _(sai->dh_private_key);
387  sa->iaddr.as_u32 = sai->iaddr.as_u32;
388  sa->raddr.as_u32 = sai->raddr.as_u32;
389  sa->is_initiator = sai->is_initiator;
390  sa->profile = sai->profile;
391  sa->i_id.type = sai->i_id.type;
392  sa->i_id.data = _(sai->i_id.data);
393  sa->i_auth.method = sai->i_auth.method;
394  sa->i_auth.hex = sai->i_auth.hex;
395  sa->i_auth.data = _(sai->i_auth.data);
396  sa->i_auth.key = _(sai->i_auth.key);
398  sa->childs = _(sai->childs);
399 #undef _
400 
401 
402  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
403  {
404  return;
405  }
406 
407  /* check if received DH group is on our list of supported groups */
409  {
410  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
411  {
412  t = t2;
413  break;
414  }
415  }
416 
417  if (!t)
418  {
419  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
420  vec_len (sa->i_dh_data));
421  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
422  return;
423  }
424 
425 
426  /* generate dh keys */
427  ikev2_complete_dh (sa, t);
428 
429 }
430 
431 static void
433 {
434  u8 *tmp;
435  /* calculate SKEYSEED = prf(Ni | Nr, g^ir) */
436  u8 *skeyseed = 0;
437  u8 *s = 0;
438  ikev2_sa_transform_t *tr_encr, *tr_prf, *tr_integ;
439  tr_encr =
440  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
441  tr_prf =
442  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
443  tr_integ =
444  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
445 
446  vec_append (s, sa->i_nonce);
447  vec_append (s, sa->r_nonce);
448  skeyseed = ikev2_calc_prf (tr_prf, s, sa->dh_shared_key);
449 
450  /* Calculate S = Ni | Nr | SPIi | SPIr */
451  u64 *spi;
452  vec_add2 (s, tmp, 2 * sizeof (*spi));
453  spi = (u64 *) tmp;
454  spi[0] = clib_host_to_net_u64 (sa->ispi);
455  spi[1] = clib_host_to_net_u64 (sa->rspi);
456 
457  /* calculate PRFplus */
458  u8 *keymat;
459  int len = tr_prf->key_trunc + /* SK_d */
460  tr_integ->key_len * 2 + /* SK_ai, SK_ar */
461  tr_encr->key_len * 2 + /* SK_ei, SK_er */
462  tr_prf->key_len * 2; /* SK_pi, SK_pr */
463 
464  keymat = ikev2_calc_prfplus (tr_prf, skeyseed, s, len);
465  vec_free (skeyseed);
466  vec_free (s);
467 
468  int pos = 0;
469 
470  /* SK_d */
471  sa->sk_d = vec_new (u8, tr_prf->key_trunc);
472  clib_memcpy (sa->sk_d, keymat + pos, tr_prf->key_trunc);
473  pos += tr_prf->key_trunc;
474 
475  /* SK_ai */
476  sa->sk_ai = vec_new (u8, tr_integ->key_len);
477  clib_memcpy (sa->sk_ai, keymat + pos, tr_integ->key_len);
478  pos += tr_integ->key_len;
479 
480  /* SK_ar */
481  sa->sk_ar = vec_new (u8, tr_integ->key_len);
482  clib_memcpy (sa->sk_ar, keymat + pos, tr_integ->key_len);
483  pos += tr_integ->key_len;
484 
485  /* SK_ei */
486  sa->sk_ei = vec_new (u8, tr_encr->key_len);
487  clib_memcpy (sa->sk_ei, keymat + pos, tr_encr->key_len);
488  pos += tr_encr->key_len;
489 
490  /* SK_er */
491  sa->sk_er = vec_new (u8, tr_encr->key_len);
492  clib_memcpy (sa->sk_er, keymat + pos, tr_encr->key_len);
493  pos += tr_encr->key_len;
494 
495  /* SK_pi */
496  sa->sk_pi = vec_new (u8, tr_prf->key_len);
497  clib_memcpy (sa->sk_pi, keymat + pos, tr_prf->key_len);
498  pos += tr_prf->key_len;
499 
500  /* SK_pr */
501  sa->sk_pr = vec_new (u8, tr_prf->key_len);
502  clib_memcpy (sa->sk_pr, keymat + pos, tr_prf->key_len);
503  pos += tr_prf->key_len;
504 
505  vec_free (keymat);
506 }
507 
508 static void
510 {
511  u8 *s = 0;
512  ikev2_sa_transform_t *tr_prf, *ctr_encr, *ctr_integ;
513  tr_prf =
514  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
515  ctr_encr =
516  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
517  ctr_integ =
518  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
519 
520  vec_append (s, sa->i_nonce);
521  vec_append (s, sa->r_nonce);
522  /* calculate PRFplus */
523  u8 *keymat;
524  int len = ctr_encr->key_len * 2 + ctr_integ->key_len * 2;
525 
526  keymat = ikev2_calc_prfplus (tr_prf, sa->sk_d, s, len);
527 
528  int pos = 0;
529 
530  /* SK_ei */
531  child->sk_ei = vec_new (u8, ctr_encr->key_len);
532  clib_memcpy (child->sk_ei, keymat + pos, ctr_encr->key_len);
533  pos += ctr_encr->key_len;
534 
535  /* SK_ai */
536  child->sk_ai = vec_new (u8, ctr_integ->key_len);
537  clib_memcpy (child->sk_ai, keymat + pos, ctr_integ->key_len);
538  pos += ctr_integ->key_len;
539 
540  /* SK_er */
541  child->sk_er = vec_new (u8, ctr_encr->key_len);
542  clib_memcpy (child->sk_er, keymat + pos, ctr_encr->key_len);
543  pos += ctr_encr->key_len;
544 
545  /* SK_ar */
546  child->sk_ar = vec_new (u8, ctr_integ->key_len);
547  clib_memcpy (child->sk_ar, keymat + pos, ctr_integ->key_len);
548  pos += ctr_integ->key_len;
549 
550  ASSERT (pos == len);
551 
552  vec_free (keymat);
553 }
554 
555 static void
557  ike_header_t * ike)
558 {
559  int p = 0;
560  u32 len = clib_net_to_host_u32 (ike->length);
561  u8 payload = ike->nextpayload;
562 
563  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
564  "exchange %x flags %x msgid %x length %u",
565  clib_net_to_host_u64 (ike->ispi),
566  clib_net_to_host_u64 (ike->rspi),
567  payload, ike->version,
568  ike->exchange, ike->flags,
569  clib_net_to_host_u32 (ike->msgid), len);
570 
571  sa->ispi = clib_net_to_host_u64 (ike->ispi);
572 
573  /* store whole IKE payload - needed for PSK auth */
575  vec_add (sa->last_sa_init_req_packet_data, ike, len);
576 
577  while (p < len && payload != IKEV2_PAYLOAD_NONE)
578  {
579  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
580  u32 plen = clib_net_to_host_u16 (ikep->length);
581 
582  if (plen < sizeof (ike_payload_header_t))
583  return;
584 
585  if (payload == IKEV2_PAYLOAD_SA)
586  {
588  sa->i_proposals = ikev2_parse_sa_payload (ikep);
589  }
590  else if (payload == IKEV2_PAYLOAD_KE)
591  {
592  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
593  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
594  vec_free (sa->i_dh_data);
595  vec_add (sa->i_dh_data, ke->payload, plen - sizeof (*ke));
596  }
597  else if (payload == IKEV2_PAYLOAD_NONCE)
598  {
599  vec_free (sa->i_nonce);
600  vec_add (sa->i_nonce, ikep->payload, plen - sizeof (*ikep));
601  }
602  else if (payload == IKEV2_PAYLOAD_NOTIFY)
603  {
605  vec_free (n);
606  }
607  else if (payload == IKEV2_PAYLOAD_VENDOR)
608  {
610  }
611  else
612  {
613  clib_warning ("unknown payload %u flags %x length %u", payload,
614  ikep->flags, plen);
615  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
616  {
618  sa->unsupported_cp = payload;
619  return;
620  }
621  }
622 
623  payload = ikep->nextpayload;
624  p += plen;
625  }
626 
628 }
629 
630 static void
632  ike_header_t * ike)
633 {
634  int p = 0;
635  u32 len = clib_net_to_host_u32 (ike->length);
636  u8 payload = ike->nextpayload;
637 
638  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
639  "exchange %x flags %x msgid %x length %u",
640  clib_net_to_host_u64 (ike->ispi),
641  clib_net_to_host_u64 (ike->rspi),
642  payload, ike->version,
643  ike->exchange, ike->flags,
644  clib_net_to_host_u32 (ike->msgid), len);
645 
646  sa->ispi = clib_net_to_host_u64 (ike->ispi);
647  sa->rspi = clib_net_to_host_u64 (ike->rspi);
648 
649  /* store whole IKE payload - needed for PSK auth */
651  vec_add (sa->last_sa_init_res_packet_data, ike, len);
652 
653  while (p < len && payload != IKEV2_PAYLOAD_NONE)
654  {
655  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
656  u32 plen = clib_net_to_host_u16 (ikep->length);
657 
658  if (plen < sizeof (ike_payload_header_t))
659  return;
660 
661  if (payload == IKEV2_PAYLOAD_SA)
662  {
664  sa->r_proposals = ikev2_parse_sa_payload (ikep);
665  if (sa->r_proposals)
666  {
668  ike->msgid =
669  clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
670  }
671  }
672  else if (payload == IKEV2_PAYLOAD_KE)
673  {
674  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
675  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
676  vec_free (sa->r_dh_data);
677  vec_add (sa->r_dh_data, ke->payload, plen - sizeof (*ke));
678  }
679  else if (payload == IKEV2_PAYLOAD_NONCE)
680  {
681  vec_free (sa->r_nonce);
682  vec_add (sa->r_nonce, ikep->payload, plen - sizeof (*ikep));
683  }
684  else if (payload == IKEV2_PAYLOAD_NOTIFY)
685  {
687  vec_free (n);
688  }
689  else if (payload == IKEV2_PAYLOAD_VENDOR)
690  {
692  }
693  else
694  {
695  clib_warning ("unknown payload %u flags %x length %u", payload,
696  ikep->flags, plen);
697  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
698  {
700  sa->unsupported_cp = payload;
701  return;
702  }
703  }
704 
705  payload = ikep->nextpayload;
706  p += plen;
707  }
708 }
709 
710 static u8 *
711 ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
712 {
713  int p = 0;
714  u8 last_payload = 0;
715  u8 *hmac = 0;
716  u32 len = clib_net_to_host_u32 (ike->length);
717  ike_payload_header_t *ikep = 0;
718  u32 plen = 0;
719  ikev2_sa_transform_t *tr_integ;
720  tr_integ =
721  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
722 
723  while (p < len &&
724  *payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK)
725  {
726  ikep = (ike_payload_header_t *) & ike->payload[p];
727  plen = clib_net_to_host_u16 (ikep->length);
728 
729  if (plen < sizeof (*ikep))
730  return 0;
731 
732  if (*payload == IKEV2_PAYLOAD_SK)
733  {
734  clib_warning ("received IKEv2 payload SK, len %u", plen - 4);
735  last_payload = *payload;
736  }
737  else
738  {
739  clib_warning ("unknown payload %u flags %x length %u", payload,
740  ikep->flags, plen);
741  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
742  {
743  sa->unsupported_cp = *payload;
744  return 0;
745  }
746  }
747 
748  *payload = ikep->nextpayload;
749  p += plen;
750  }
751 
752  if (last_payload != IKEV2_PAYLOAD_SK)
753  {
754  clib_warning ("Last payload must be SK");
755  return 0;
756  }
757 
758  hmac =
759  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai,
760  (u8 *) ike, len - tr_integ->key_trunc);
761 
762  plen = plen - sizeof (*ikep) - tr_integ->key_trunc;
763 
764  if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
765  {
766  clib_warning ("message integrity check failed");
767  vec_free (hmac);
768  return 0;
769  }
770  vec_free (hmac);
771 
772  return ikev2_decrypt_data (sa, ikep->payload, plen);
773 }
774 
775 static void
777 {
778  ikev2_main_t *km = &ikev2_main;
779  ikev2_sa_t *tmp;
780  u32 i, *delete = 0;
782  u32 thread_index = vlib_get_thread_index ();
783 
784  if (!sa->initial_contact)
785  return;
786 
787  /* find old IKE SAs with the same authenticated identity */
788  /* *INDENT-OFF* */
789  pool_foreach (tmp, km->per_thread_data[thread_index].sas, ({
790  if (tmp->i_id.type != sa->i_id.type ||
791  vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) ||
792  memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data)))
793  continue;
794 
795  if (sa->rspi != tmp->rspi)
796  vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
797  }));
798  /* *INDENT-ON* */
799 
800  for (i = 0; i < vec_len (delete); i++)
801  {
802  tmp =
803  pool_elt_at_index (km->per_thread_data[thread_index].sas, delete[i]);
804  vec_foreach (c,
806  tmp, c);
807  ikev2_delete_sa (tmp);
808  }
809 
810  vec_free (delete);
811  sa->initial_contact = 0;
812 }
813 
814 static void
815 ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
816 {
817  ikev2_child_sa_t *first_child_sa;
818  int p = 0;
819  u32 len = clib_net_to_host_u32 (ike->length);
820  u8 payload = ike->nextpayload;
821  u8 *plaintext = 0;
822 
823  ike_payload_header_t *ikep;
824  u32 plen;
825 
826  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
827  "exchange %x flags %x msgid %x length %u",
828  clib_net_to_host_u64 (ike->ispi),
829  clib_net_to_host_u64 (ike->rspi),
830  payload, ike->version,
831  ike->exchange, ike->flags,
832  clib_net_to_host_u32 (ike->msgid), len);
833 
834  ikev2_calc_keys (sa);
835 
836  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
837 
838  if (!plaintext)
839  {
840  if (sa->unsupported_cp)
842  goto cleanup_and_exit;
843  }
844 
845  /* select or create 1st child SA */
846  if (sa->is_initiator)
847  {
848  first_child_sa = &sa->childs[0];
849  }
850  else
851  {
853  vec_add2 (sa->childs, first_child_sa, 1);
854  }
855 
856 
857  /* process encrypted payload */
858  p = 0;
859  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
860  {
861  ikep = (ike_payload_header_t *) & plaintext[p];
862  plen = clib_net_to_host_u16 (ikep->length);
863 
864  if (plen < sizeof (ike_payload_header_t))
865  goto cleanup_and_exit;
866 
867  if (payload == IKEV2_PAYLOAD_SA) /* 33 */
868  {
869  clib_warning ("received payload SA, len %u", plen - sizeof (*ikep));
870  if (sa->is_initiator)
871  {
872  ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
873  first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep);
874  }
875  else
876  {
877  ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals);
878  first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
879  }
880  }
881  else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
882  {
883  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
884 
885  sa->i_id.type = id->id_type;
886  vec_free (sa->i_id.data);
887  vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
888 
889  clib_warning ("received payload IDi, len %u id_type %u",
890  plen - sizeof (*id), id->id_type);
891  }
892  else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
893  {
894  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
895 
896  sa->r_id.type = id->id_type;
897  vec_free (sa->r_id.data);
898  vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
899 
900  clib_warning ("received payload IDr len %u id_type %u",
901  plen - sizeof (*id), id->id_type);
902  }
903  else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
904  {
905  ike_auth_payload_header_t *a = (ike_auth_payload_header_t *) ikep;
906 
907  if (sa->is_initiator)
908  {
909  sa->r_auth.method = a->auth_method;
910  vec_free (sa->r_auth.data);
911  vec_add (sa->r_auth.data, a->payload, plen - sizeof (*a));
912  }
913  else
914  {
915  sa->i_auth.method = a->auth_method;
916  vec_free (sa->i_auth.data);
917  vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a));
918  }
919 
920  clib_warning ("received payload AUTH, len %u auth_type %u",
921  plen - sizeof (*a), a->auth_method);
922  }
923  else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
924  {
926  if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
927  {
928  sa->initial_contact = 1;
929  }
930  vec_free (n);
931  }
932  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
933  {
935  }
936  else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
937  {
938  clib_warning ("received payload TSi, len %u",
939  plen - sizeof (*ikep));
940 
941  vec_free (first_child_sa->tsi);
942  first_child_sa->tsi = ikev2_parse_ts_payload (ikep);
943  }
944  else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
945  {
946  clib_warning ("received payload TSr, len %u",
947  plen - sizeof (*ikep));
948 
949  vec_free (first_child_sa->tsr);
950  first_child_sa->tsr = ikev2_parse_ts_payload (ikep);
951  }
952  else
953  {
954  clib_warning ("unknown payload %u flags %x length %u data %u",
955  payload, ikep->flags, plen - 4,
956  format_hex_bytes, ikep->payload, plen - 4);
957 
958  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
959  {
961  sa->unsupported_cp = payload;
962  return;
963  }
964  }
965 
966  payload = ikep->nextpayload;
967  p += plen;
968  }
969 
970 cleanup_and_exit:
971  vec_free (plaintext);
972 }
973 
974 static void
976  ike_header_t * ike)
977 {
978  int p = 0;
979  u32 len = clib_net_to_host_u32 (ike->length);
980  u8 payload = ike->nextpayload;
981  u8 *plaintext = 0;
982 
983  ike_payload_header_t *ikep;
984  u32 plen;
985 
986  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
987  "exchange %x flags %x msgid %x length %u",
988  clib_net_to_host_u64 (ike->ispi),
989  clib_net_to_host_u64 (ike->rspi),
990  payload, ike->version,
991  ike->exchange, ike->flags,
992  clib_net_to_host_u32 (ike->msgid), len);
993 
994  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
995 
996  if (!plaintext)
997  goto cleanup_and_exit;
998 
999  /* process encrypted payload */
1000  p = 0;
1001  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
1002  {
1003  ikep = (ike_payload_header_t *) & plaintext[p];
1004  plen = clib_net_to_host_u16 (ikep->length);
1005 
1006  if (plen < sizeof (ike_payload_header_t))
1007  goto cleanup_and_exit;
1008 
1009  if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
1010  {
1012  if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1014  vec_free (n);
1015  }
1016  else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */
1017  {
1018  sa->del = ikev2_parse_delete_payload (ikep);
1019  }
1020  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
1021  {
1023  }
1024  else
1025  {
1026  clib_warning ("unknown payload %u flags %x length %u data %u",
1027  payload, ikep->flags, plen - 4,
1028  format_hex_bytes, ikep->payload, plen - 4);
1029 
1030  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1031  {
1032  sa->unsupported_cp = payload;
1033  return;
1034  }
1035  }
1036 
1037  payload = ikep->nextpayload;
1038  p += plen;
1039  }
1040 
1041 cleanup_and_exit:
1042  vec_free (plaintext);
1043 }
1044 
1045 static void
1047  ike_header_t * ike)
1048 {
1049  int p = 0;
1050  u32 len = clib_net_to_host_u32 (ike->length);
1051  u8 payload = ike->nextpayload;
1052  u8 *plaintext = 0;
1053  u8 rekeying = 0;
1054  u8 nonce[IKEV2_NONCE_SIZE];
1055 
1056  ike_payload_header_t *ikep;
1057  u32 plen;
1058  ikev2_notify_t *n = 0;
1059  ikev2_ts_t *tsi = 0;
1060  ikev2_ts_t *tsr = 0;
1061  ikev2_sa_proposal_t *proposal = 0;
1062  ikev2_child_sa_t *child_sa;
1063 
1064  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
1065  "exchange %x flags %x msgid %x length %u",
1066  clib_net_to_host_u64 (ike->ispi),
1067  clib_net_to_host_u64 (ike->rspi),
1068  payload, ike->version,
1069  ike->exchange, ike->flags,
1070  clib_net_to_host_u32 (ike->msgid), len);
1071 
1072  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
1073 
1074  if (!plaintext)
1075  goto cleanup_and_exit;
1076 
1077  /* process encrypted payload */
1078  p = 0;
1079  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
1080  {
1081  ikep = (ike_payload_header_t *) & plaintext[p];
1082  plen = clib_net_to_host_u16 (ikep->length);
1083 
1084  if (plen < sizeof (ike_payload_header_t))
1085  goto cleanup_and_exit;
1086 
1087  else if (payload == IKEV2_PAYLOAD_SA)
1088  {
1089  proposal = ikev2_parse_sa_payload (ikep);
1090  }
1091  else if (payload == IKEV2_PAYLOAD_NOTIFY)
1092  {
1093  n = ikev2_parse_notify_payload (ikep);
1094  if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1095  {
1096  rekeying = 1;
1097  }
1098  }
1099  else if (payload == IKEV2_PAYLOAD_DELETE)
1100  {
1101  sa->del = ikev2_parse_delete_payload (ikep);
1102  }
1103  else if (payload == IKEV2_PAYLOAD_VENDOR)
1104  {
1106  }
1107  else if (payload == IKEV2_PAYLOAD_NONCE)
1108  {
1109  clib_memcpy (nonce, ikep->payload, plen - sizeof (*ikep));
1110  }
1111  else if (payload == IKEV2_PAYLOAD_TSI)
1112  {
1113  tsi = ikev2_parse_ts_payload (ikep);
1114  }
1115  else if (payload == IKEV2_PAYLOAD_TSR)
1116  {
1117  tsr = ikev2_parse_ts_payload (ikep);
1118  }
1119  else
1120  {
1121  clib_warning ("unknown payload %u flags %x length %u data %u",
1122  payload, ikep->flags, plen - 4,
1123  format_hex_bytes, ikep->payload, plen - 4);
1124 
1125  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1126  {
1127  sa->unsupported_cp = payload;
1128  return;
1129  }
1130  }
1131 
1132  payload = ikep->nextpayload;
1133  p += plen;
1134  }
1135 
1136  if (sa->is_initiator && proposal->protocol_id == IKEV2_PROTOCOL_ESP)
1137  {
1138  ikev2_rekey_t *rekey = &sa->rekey[0];
1139  rekey->protocol_id = proposal->protocol_id;
1140  rekey->i_proposal =
1142  rekey->i_proposal->spi = rekey->spi;
1143  rekey->r_proposal = proposal;
1144  rekey->tsi = tsi;
1145  rekey->tsr = tsr;
1146  /* update Nr */
1147  vec_free (sa->r_nonce);
1148  vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE);
1149  child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
1150  if (child_sa)
1151  {
1152  child_sa->rekey_retries = 0;
1153  }
1154  }
1155  else if (rekeying)
1156  {
1157  ikev2_rekey_t *rekey;
1158  child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
1159  if (!child_sa)
1160  {
1161  clib_warning ("child SA spi %lx not found", n->spi);
1162  goto cleanup_and_exit;
1163  }
1164  vec_add2 (sa->rekey, rekey, 1);
1165  rekey->protocol_id = n->protocol_id;
1166  rekey->spi = n->spi;
1167  rekey->i_proposal = proposal;
1168  rekey->r_proposal =
1170  rekey->tsi = tsi;
1171  rekey->tsr = tsr;
1172  /* update Ni */
1173  vec_free (sa->i_nonce);
1174  vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE);
1175  /* generate new Nr */
1176  vec_free (sa->r_nonce);
1178  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
1179  }
1180 
1181 cleanup_and_exit:
1182  vec_free (plaintext);
1183  vec_free (n);
1184 }
1185 
1186 static u8 *
1187 ikev2_sa_generate_authmsg (ikev2_sa_t * sa, int is_responder)
1188 {
1189  u8 *authmsg = 0;
1190  u8 *data;
1191  u8 *nonce;
1192  ikev2_id_t *id;
1193  u8 *key;
1194  u8 *packet_data;
1195  ikev2_sa_transform_t *tr_prf;
1196 
1197  tr_prf =
1198  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1199 
1200  if (is_responder)
1201  {
1202  id = &sa->r_id;
1203  key = sa->sk_pr;
1204  nonce = sa->i_nonce;
1205  packet_data = sa->last_sa_init_res_packet_data;
1206  }
1207  else
1208  {
1209  id = &sa->i_id;
1210  key = sa->sk_pi;
1211  nonce = sa->r_nonce;
1212  packet_data = sa->last_sa_init_req_packet_data;
1213  }
1214 
1215  data = vec_new (u8, 4);
1216  data[0] = id->type;
1217  vec_append (data, id->data);
1218 
1219  u8 *id_hash = ikev2_calc_prf (tr_prf, key, data);
1220  vec_append (authmsg, packet_data);
1221  vec_append (authmsg, nonce);
1222  vec_append (authmsg, id_hash);
1223  vec_free (id_hash);
1224  vec_free (data);
1225 
1226  return authmsg;
1227 }
1228 
1229 static int
1231 {
1232  if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id &&
1233  ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port &&
1234  ts1->start_addr.as_u32 == ts2->start_addr.as_u32 &&
1235  ts1->end_addr.as_u32 == ts2->end_addr.as_u32)
1236  return 1;
1237 
1238  return 0;
1239 }
1240 
1241 static void
1243 {
1244  ikev2_main_t *km = &ikev2_main;
1245  ikev2_profile_t *p;
1246  ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1247  ikev2_id_t *id;
1248 
1249  /* *INDENT-OFF* */
1250  pool_foreach (p, km->profiles, ({
1251 
1252  if (sa->is_initiator)
1253  {
1254  p_tsi = &p->loc_ts;
1255  p_tsr = &p->rem_ts;
1256  id = &sa->r_id;
1257  }
1258  else
1259  {
1260  p_tsi = &p->rem_ts;
1261  p_tsr = &p->loc_ts;
1262  id = &sa->i_id;
1263  }
1264 
1265  /* check id */
1266  if (p->rem_id.type != id->type ||
1267  vec_len(p->rem_id.data) != vec_len(id->data) ||
1268  memcmp(p->rem_id.data, id->data, vec_len(p->rem_id.data)))
1269  continue;
1270 
1271  vec_foreach(ts, sa->childs[0].tsi)
1272  {
1273  if (ikev2_ts_cmp(p_tsi, ts))
1274  {
1275  tsi = vec_dup(ts);
1276  break;
1277  }
1278  }
1279 
1280  vec_foreach(ts, sa->childs[0].tsr)
1281  {
1282  if (ikev2_ts_cmp(p_tsr, ts))
1283  {
1284  tsr = vec_dup(ts);
1285  break;
1286  }
1287  }
1288 
1289  break;
1290  }));
1291  /* *INDENT-ON* */
1292 
1293  if (tsi && tsr)
1294  {
1295  vec_free (sa->childs[0].tsi);
1296  vec_free (sa->childs[0].tsr);
1297  sa->childs[0].tsi = tsi;
1298  sa->childs[0].tsr = tsr;
1299  }
1300  else
1301  {
1302  vec_free (tsi);
1303  vec_free (tsr);
1305  }
1306 }
1307 
1308 static void
1310 {
1311  ikev2_main_t *km = &ikev2_main;
1312  ikev2_profile_t *p, *sel_p = 0;
1313  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1314  ikev2_sa_transform_t *tr_prf;
1315 
1316  tr_prf =
1317  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1318 
1319  /* only shared key and rsa signature */
1320  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1321  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1322  {
1323  clib_warning ("unsupported authentication method %u",
1324  sa->i_auth.method);
1326  return;
1327  }
1328 
1329  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1330  authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
1331 
1332  ikev2_id_t *sa_id;
1333  ikev2_auth_t *sa_auth;
1334 
1335  if (sa->is_initiator)
1336  {
1337  sa_id = &sa->r_id;
1338  sa_auth = &sa->r_auth;
1339  }
1340  else
1341  {
1342  sa_id = &sa->i_id;
1343  sa_auth = &sa->i_auth;
1344  }
1345 
1346  /* *INDENT-OFF* */
1347  pool_foreach (p, km->profiles, ({
1348 
1349  /* check id */
1350  if (p->rem_id.type != sa_id->type ||
1351  vec_len(p->rem_id.data) != vec_len(sa_id->data) ||
1352  memcmp(p->rem_id.data, sa_id->data, vec_len(p->rem_id.data)))
1353  continue;
1354 
1355  if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1356  {
1357  if (!p->auth.data ||
1358  p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1359  continue;
1360 
1361  psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
1362  auth = ikev2_calc_prf(tr_prf, psk, authmsg);
1363 
1364  if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
1365  {
1366  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1367  vec_free(auth);
1368  sel_p = p;
1369  break;
1370  }
1371 
1372  }
1373  else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
1374  {
1375  if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1376  continue;
1377 
1378  if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
1379  {
1380  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1381  sel_p = p;
1382  break;
1383  }
1384  }
1385 
1386  vec_free(auth);
1387  vec_free(psk);
1388  }));
1389  /* *INDENT-ON* */
1390 
1391  vec_free (authmsg);
1392 
1393  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1394  {
1395  if (!sa->is_initiator)
1396  {
1397  vec_free (sa->r_id.data);
1398  sa->r_id.data = vec_dup (sel_p->loc_id.data);
1399  sa->r_id.type = sel_p->loc_id.type;
1400 
1401  /* generate our auth data */
1402  authmsg = ikev2_sa_generate_authmsg (sa, 1);
1403  if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1404  {
1405  sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1406  sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1407  }
1408  else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1409  {
1410  sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1411  sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1412  }
1413  vec_free (authmsg);
1414 
1415  /* select transforms for 1st child sa */
1416  ikev2_sa_free_proposal_vector (&sa->childs[0].r_proposals);
1417  sa->childs[0].r_proposals =
1418  ikev2_select_proposal (sa->childs[0].i_proposals,
1420  }
1421  }
1422  else
1423  {
1425  }
1426  vec_free (psk);
1427  vec_free (key_pad);
1428 }
1429 
1430 
1431 static void
1433 {
1434  ikev2_main_t *km = &ikev2_main;
1435  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1436  ikev2_sa_transform_t *tr_prf;
1437 
1438  tr_prf =
1439  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1440 
1441  /* only shared key and rsa signature */
1442  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1443  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1444  {
1445  clib_warning ("unsupported authentication method %u",
1446  sa->i_auth.method);
1448  return;
1449  }
1450 
1451  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1452  authmsg = ikev2_sa_generate_authmsg (sa, 0);
1453  psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
1454  auth = ikev2_calc_prf (tr_prf, psk, authmsg);
1455 
1456 
1457  if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1458  {
1459  sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1460  sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1461  }
1462  else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1463  {
1464  sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1465  sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1466  }
1467 
1468  vec_free (psk);
1469  vec_free (key_pad);
1470  vec_free (auth);
1471  vec_free (authmsg);
1472 }
1473 
1474 
1475 static int
1477  ikev2_child_sa_t * child)
1478 {
1481  ikev2_sa_proposal_t *proposals;
1482  u8 encr_type = 0;
1483  u8 integ_type = 0;
1484 
1485  if (!child->r_proposals)
1486  {
1488  return 1;
1489  }
1490 
1491  memset (&a, 0, sizeof (a));
1492  a.is_add = 1;
1493  if (sa->is_initiator)
1494  {
1495  a.local_ip.as_u32 = sa->iaddr.as_u32;
1496  a.remote_ip.as_u32 = sa->raddr.as_u32;
1497  proposals = child->i_proposals;
1498  a.local_spi = child->r_proposals[0].spi;
1499  a.remote_spi = child->i_proposals[0].spi;
1500  }
1501  else
1502  {
1503  a.local_ip.as_u32 = sa->raddr.as_u32;
1504  a.remote_ip.as_u32 = sa->iaddr.as_u32;
1505  proposals = child->r_proposals;
1506  a.local_spi = child->i_proposals[0].spi;
1507  a.remote_spi = child->r_proposals[0].spi;
1508  }
1509  a.anti_replay = 1;
1510 
1511  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN);
1512  if (tr)
1513  a.esn = tr->esn_type;
1514  else
1515  a.esn = 0;
1516 
1517  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1518  if (tr)
1519  {
1520  if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len)
1521  {
1522  switch (tr->key_len)
1523  {
1524  case 16:
1525  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
1526  break;
1527  case 24:
1528  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
1529  break;
1530  case 32:
1531  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
1532  break;
1533  default:
1535  return 1;
1536  break;
1537  }
1538  }
1539  else
1540  {
1542  return 1;
1543  }
1544  }
1545  else
1546  {
1548  return 1;
1549  }
1550 
1551  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1552  if (tr)
1553  {
1554  switch (tr->integ_type)
1555  {
1556  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
1557  integ_type = IPSEC_INTEG_ALG_SHA_256_128;
1558  break;
1559  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
1560  integ_type = IPSEC_INTEG_ALG_SHA_384_192;
1561  break;
1562  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
1563  integ_type = IPSEC_INTEG_ALG_SHA_512_256;
1564  break;
1565  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
1566  integ_type = IPSEC_INTEG_ALG_SHA1_96;
1567  break;
1568  default:
1570  return 1;
1571  }
1572  }
1573  else
1574  {
1576  return 1;
1577  }
1578 
1579  ikev2_calc_child_keys (sa, child);
1580 
1581  u8 *loc_ckey, *rem_ckey, *loc_ikey, *rem_ikey;
1582  if (sa->is_initiator)
1583  {
1584  loc_ikey = child->sk_ai;
1585  rem_ikey = child->sk_ar;
1586  loc_ckey = child->sk_ei;
1587  rem_ckey = child->sk_er;
1588  }
1589  else
1590  {
1591  loc_ikey = child->sk_ar;
1592  rem_ikey = child->sk_ai;
1593  loc_ckey = child->sk_er;
1594  rem_ckey = child->sk_ei;
1595  }
1596 
1597  a.integ_alg = integ_type;
1598  a.local_integ_key_len = vec_len (loc_ikey);
1600  a.remote_integ_key_len = vec_len (rem_ikey);
1602 
1603  a.crypto_alg = encr_type;
1604  a.local_crypto_key_len = vec_len (loc_ckey);
1606  a.remote_crypto_key_len = vec_len (rem_ckey);
1608 
1609  if (sa->profile && sa->profile->lifetime)
1610  {
1612  + sa->profile->lifetime;
1613  if (sa->profile->lifetime_jitter)
1614  {
1615  // This is not much better than rand(3), which Coverity warns
1616  // is unsuitable for security applications; random_u32 is
1617  // however fast. If this perturbance to the expiration time
1618  // needs to use a better RNG then we may need to use something
1619  // like /dev/urandom which has significant overhead.
1620  u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
1621  rnd = random_u32 (&rnd);
1622 
1623  child->time_to_expiration +=
1624  1 + (rnd % sa->profile->lifetime_jitter);
1625  }
1626  }
1627 
1629 
1630  return 0;
1631 }
1632 
1633 static int
1635  ikev2_child_sa_t * child)
1636 {
1638 
1639  if (sa->is_initiator)
1640  {
1641  if (!vec_len (child->i_proposals))
1642  return 0;
1643 
1644  a.is_add = 0;
1645  a.local_ip.as_u32 = sa->iaddr.as_u32;
1646  a.remote_ip.as_u32 = sa->raddr.as_u32;
1647  a.local_spi = child->r_proposals[0].spi;
1648  a.remote_spi = child->i_proposals[0].spi;
1649  }
1650  else
1651  {
1652  if (!vec_len (child->r_proposals))
1653  return 0;
1654 
1655  a.is_add = 0;
1656  a.local_ip.as_u32 = sa->raddr.as_u32;
1657  a.remote_ip.as_u32 = sa->iaddr.as_u32;
1658  a.local_spi = child->i_proposals[0].spi;
1659  a.remote_spi = child->r_proposals[0].spi;
1660  }
1661 
1663  return 0;
1664 }
1665 
1666 static u32
1667 ikev2_generate_message (ikev2_sa_t * sa, ike_header_t * ike, void *user)
1668 {
1669  v8 *integ = 0;
1670  ike_payload_header_t *ph;
1671  u16 plen;
1672  u32 tlen = 0;
1673 
1674  ikev2_sa_transform_t *tr_encr, *tr_integ;
1675  tr_encr =
1676  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1677  tr_integ =
1678  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1679 
1680  ikev2_payload_chain_t *chain = 0;
1681  ikev2_payload_new_chain (chain);
1682 
1683  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1684  {
1685  if (sa->r_proposals == 0)
1686  {
1687  ikev2_payload_add_notify (chain,
1688  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1690  }
1691  else if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
1692  {
1693  u8 *data = vec_new (u8, 2);
1694  ikev2_sa_transform_t *tr_dh;
1695  tr_dh =
1697  IKEV2_TRANSFORM_TYPE_DH);
1698  ASSERT (tr_dh && tr_dh->dh_type);
1699 
1700  data[0] = (tr_dh->dh_type >> 8) & 0xff;
1701  data[1] = (tr_dh->dh_type) & 0xff;
1702 
1703  ikev2_payload_add_notify (chain,
1704  IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD,
1705  data);
1706  vec_free (data);
1708  }
1709  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1710  {
1711  u8 *data = vec_new (u8, 1);
1712 
1713  data[0] = sa->unsupported_cp;
1714  ikev2_payload_add_notify (chain,
1715  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1716  data);
1717  vec_free (data);
1718  }
1719  else
1720  {
1721  ike->rspi = clib_host_to_net_u64 (sa->rspi);
1722  ikev2_payload_add_sa (chain, sa->r_proposals);
1723  ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data);
1724  ikev2_payload_add_nonce (chain, sa->r_nonce);
1725  }
1726  }
1727  else if (ike->exchange == IKEV2_EXCHANGE_IKE_AUTH)
1728  {
1729  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1730  {
1732  ikev2_payload_add_auth (chain, &sa->r_auth);
1733  ikev2_payload_add_sa (chain, sa->childs[0].r_proposals);
1736  }
1737  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1738  {
1739  ikev2_payload_add_notify (chain,
1740  IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
1741  0);
1743  }
1744  else if (sa->state == IKEV2_STATE_TS_UNACCEPTABLE)
1745  {
1746  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_TS_UNACCEPTABLE,
1747  0);
1749  ikev2_payload_add_auth (chain, &sa->r_auth);
1750  }
1751  else if (sa->state == IKEV2_STATE_NO_PROPOSAL_CHOSEN)
1752  {
1753  ikev2_payload_add_notify (chain,
1754  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1756  ikev2_payload_add_auth (chain, &sa->r_auth);
1759  }
1760  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1761  {
1762  u8 *data = vec_new (u8, 1);
1763 
1764  data[0] = sa->unsupported_cp;
1765  ikev2_payload_add_notify (chain,
1766  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1767  data);
1768  vec_free (data);
1769  }
1770  else if (sa->state == IKEV2_STATE_SA_INIT)
1771  {
1773  ikev2_payload_add_auth (chain, &sa->i_auth);
1774  ikev2_payload_add_sa (chain, sa->childs[0].i_proposals);
1777  }
1778  else
1779  {
1781  goto done;
1782  }
1783  }
1784  else if (ike->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
1785  {
1786  /* if pending delete */
1787  if (sa->del)
1788  {
1789  if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE)
1790  {
1791  if (sa->is_initiator)
1792  ikev2_payload_add_delete (chain, sa->del);
1793 
1794  /* The response to a request that deletes the IKE SA is an empty
1795  INFORMATIONAL response. */
1797  }
1798  /* The response to a request that deletes ESP or AH SAs will contain
1799  delete payloads for the paired SAs going in the other direction. */
1800  else
1801  {
1802  ikev2_payload_add_delete (chain, sa->del);
1803  }
1804  vec_free (sa->del);
1805  sa->del = 0;
1806  }
1807  /* received N(AUTHENTICATION_FAILED) */
1808  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1809  {
1811  goto done;
1812  }
1813  /* received unsupported critical payload */
1814  else if (sa->unsupported_cp)
1815  {
1816  u8 *data = vec_new (u8, 1);
1817 
1818  data[0] = sa->unsupported_cp;
1819  ikev2_payload_add_notify (chain,
1820  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1821  data);
1822  vec_free (data);
1823  sa->unsupported_cp = 0;
1824  }
1825  /* else send empty response */
1826  }
1827  else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
1828  {
1829  if (sa->is_initiator)
1830  {
1831 
1832  ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user;
1833  ikev2_notify_t notify;
1834  u8 *data = vec_new (u8, 4);
1835  memset (&notify, 0, sizeof (notify));
1837  notify.spi = sa->childs[0].i_proposals->spi;
1838  *(u32 *) data = clib_host_to_net_u32 (notify.spi);
1839 
1840  ikev2_payload_add_sa (chain, proposals);
1841  ikev2_payload_add_nonce (chain, sa->i_nonce);
1844  ikev2_payload_add_notify_2 (chain, IKEV2_NOTIFY_MSG_REKEY_SA, data,
1845  &notify);
1846 
1847  vec_free (data);
1848  }
1849  else
1850  {
1851  if (sa->rekey)
1852  {
1853  ikev2_payload_add_sa (chain, sa->rekey[0].r_proposal);
1854  ikev2_payload_add_nonce (chain, sa->r_nonce);
1855  ikev2_payload_add_ts (chain, sa->rekey[0].tsi,
1857  ikev2_payload_add_ts (chain, sa->rekey[0].tsr,
1859  vec_del1 (sa->rekey, 0);
1860  }
1861  else if (sa->unsupported_cp)
1862  {
1863  u8 *data = vec_new (u8, 1);
1864 
1865  data[0] = sa->unsupported_cp;
1866  ikev2_payload_add_notify (chain,
1867  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1868  data);
1869  vec_free (data);
1870  sa->unsupported_cp = 0;
1871  }
1872  else
1873  {
1874  ikev2_payload_add_notify (chain,
1875  IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
1876  0);
1877  }
1878  }
1879  }
1880 
1881  /* IKEv2 header */
1882  ike->version = IKE_VERSION_2;
1883  ike->nextpayload = IKEV2_PAYLOAD_SK;
1884  tlen = sizeof (*ike);
1885  if (sa->is_initiator)
1886  {
1887  ike->flags = IKEV2_HDR_FLAG_INITIATOR;
1888  sa->last_init_msg_id = clib_net_to_host_u32 (ike->msgid);
1889  }
1890  else
1891  {
1892  ike->flags = IKEV2_HDR_FLAG_RESPONSE;
1893  }
1894 
1895 
1896  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1897  {
1898  tlen += vec_len (chain->data);
1899  ike->nextpayload = chain->first_payload_type;
1900  ike->length = clib_host_to_net_u32 (tlen);
1901  clib_memcpy (ike->payload, chain->data, vec_len (chain->data));
1902 
1903  /* store whole IKE payload - needed for PSK auth */
1905  vec_add (sa->last_sa_init_res_packet_data, ike, tlen);
1906  }
1907  else
1908  {
1909 
1910  ikev2_payload_chain_add_padding (chain, tr_encr->block_size);
1911 
1912  /* SK payload */
1913  plen = sizeof (*ph);
1914  ph = (ike_payload_header_t *) & ike->payload[0];
1915  ph->nextpayload = chain->first_payload_type;
1916  ph->flags = 0;
1917  int enc_len = ikev2_encrypt_data (sa, chain->data, ph->payload);
1918  plen += enc_len;
1919 
1920  /* add space for hmac */
1921  plen += tr_integ->key_trunc;
1922  tlen += plen;
1923 
1924  /* payload and total length */
1925  ph->length = clib_host_to_net_u16 (plen);
1926  ike->length = clib_host_to_net_u32 (tlen);
1927 
1928  /* calc integrity data for whole packet except hash itself */
1929  integ =
1930  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ai : sa->sk_ar,
1931  (u8 *) ike, tlen - tr_integ->key_trunc);
1932 
1933  clib_memcpy (ike->payload + tlen - tr_integ->key_trunc - sizeof (*ike),
1934  integ, tr_integ->key_trunc);
1935 
1936  /* store whole IKE payload - needed for retransmit */
1938  vec_add (sa->last_res_packet_data, ike, tlen);
1939  }
1940 
1941 done:
1943  vec_free (integ);
1944  return tlen;
1945 }
1946 
1947 static int
1948 ikev2_retransmit_sa_init (ike_header_t * ike,
1949  ip4_address_t iaddr, ip4_address_t raddr)
1950 {
1951  ikev2_main_t *km = &ikev2_main;
1952  ikev2_sa_t *sa;
1953  u32 thread_index = vlib_get_thread_index ();
1954 
1955  /* *INDENT-OFF* */
1956  pool_foreach (sa, km->per_thread_data[thread_index].sas, ({
1957  if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
1958  sa->iaddr.as_u32 == iaddr.as_u32 &&
1959  sa->raddr.as_u32 == raddr.as_u32)
1960  {
1961  int p = 0;
1962  u32 len = clib_net_to_host_u32(ike->length);
1963  u8 payload = ike->nextpayload;
1964 
1965  while (p < len && payload!= IKEV2_PAYLOAD_NONE) {
1966  ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
1967  u32 plen = clib_net_to_host_u16(ikep->length);
1968 
1969  if (plen < sizeof(ike_payload_header_t))
1970  return -1;
1971 
1972  if (payload == IKEV2_PAYLOAD_NONCE)
1973  {
1974  if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
1975  {
1976  /* req is retransmit */
1977  if (sa->state == IKEV2_STATE_SA_INIT)
1978  {
1979  ike_header_t * tmp;
1980  tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
1981  ike->ispi = tmp->ispi;
1982  ike->rspi = tmp->rspi;
1983  ike->nextpayload = tmp->nextpayload;
1984  ike->version = tmp->version;
1985  ike->exchange = tmp->exchange;
1986  ike->flags = tmp->flags;
1987  ike->msgid = tmp->msgid;
1988  ike->length = tmp->length;
1989  clib_memcpy(ike->payload, tmp->payload,
1990  clib_net_to_host_u32(tmp->length) - sizeof(*ike));
1991  clib_warning("IKE_SA_INIT retransmit from %U to %U",
1992  format_ip4_address, &raddr,
1993  format_ip4_address, &iaddr);
1994  return 1;
1995  }
1996  /* else ignore req */
1997  else
1998  {
1999  clib_warning("IKE_SA_INIT ignore from %U to %U",
2000  format_ip4_address, &raddr,
2001  format_ip4_address, &iaddr);
2002  return -1;
2003  }
2004  }
2005  }
2006  payload = ikep->nextpayload;
2007  p+=plen;
2008  }
2009  }
2010  }));
2011  /* *INDENT-ON* */
2012 
2013  /* req is not retransmit */
2014  return 0;
2015 }
2016 
2017 static int
2018 ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
2019 {
2020  u32 msg_id = clib_net_to_host_u32 (ike->msgid);
2021 
2022  /* new req */
2023  if (msg_id > sa->last_msg_id)
2024  {
2025  sa->last_msg_id = msg_id;
2026  return 0;
2027  }
2028  /* retransmitted req */
2029  else if (msg_id == sa->last_msg_id)
2030  {
2031  ike_header_t *tmp;
2032  tmp = (ike_header_t *) sa->last_res_packet_data;
2033  ike->ispi = tmp->ispi;
2034  ike->rspi = tmp->rspi;
2035  ike->nextpayload = tmp->nextpayload;
2036  ike->version = tmp->version;
2037  ike->exchange = tmp->exchange;
2038  ike->flags = tmp->flags;
2039  ike->msgid = tmp->msgid;
2040  ike->length = tmp->length;
2041  clib_memcpy (ike->payload, tmp->payload,
2042  clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
2043  clib_warning ("IKE msgid %u retransmit from %U to %U",
2044  msg_id,
2045  format_ip4_address, &sa->raddr,
2046  format_ip4_address, &sa->iaddr);
2047  return 1;
2048  }
2049  /* old req ignore */
2050  else
2051  {
2052  clib_warning ("IKE msgid %u req ignore from %U to %U",
2053  msg_id,
2054  format_ip4_address, &sa->raddr,
2055  format_ip4_address, &sa->iaddr);
2056  return -1;
2057  }
2058 }
2059 
2060 
2061 static uword
2063  vlib_node_runtime_t * node, vlib_frame_t * frame)
2064 {
2065  u32 n_left_from, *from, *to_next;
2066  ikev2_next_t next_index;
2067  ikev2_main_t *km = &ikev2_main;
2068  u32 thread_index = vlib_get_thread_index ();
2069 
2070  from = vlib_frame_vector_args (frame);
2071  n_left_from = frame->n_vectors;
2072  next_index = node->cached_next_index;
2073 
2074  while (n_left_from > 0)
2075  {
2076  u32 n_left_to_next;
2077 
2078  vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2079 
2080  while (n_left_from > 0 && n_left_to_next > 0)
2081  {
2082  u32 bi0;
2083  vlib_buffer_t *b0;
2084  u32 next0 = IKEV2_NEXT_ERROR_DROP;
2085  u32 sw_if_index0;
2086  ip4_header_t *ip40;
2087  udp_header_t *udp0;
2088  ike_header_t *ike0;
2089  ikev2_sa_t *sa0 = 0;
2090  ikev2_sa_t sa; /* temporary store for SA */
2091  int len = 0;
2092  int r;
2093 
2094  /* speculatively enqueue b0 to the current next frame */
2095  bi0 = from[0];
2096  to_next[0] = bi0;
2097  from += 1;
2098  to_next += 1;
2099  n_left_from -= 1;
2100  n_left_to_next -= 1;
2101 
2102  b0 = vlib_get_buffer (vm, bi0);
2103  ike0 = vlib_buffer_get_current (b0);
2104  vlib_buffer_advance (b0, -sizeof (*udp0));
2105  udp0 = vlib_buffer_get_current (b0);
2106  vlib_buffer_advance (b0, -sizeof (*ip40));
2107  ip40 = vlib_buffer_get_current (b0);
2108 
2109  if (ike0->version != IKE_VERSION_2)
2110  {
2112  IKEV2_ERROR_NOT_IKEV2, 1);
2113  goto dispatch0;
2114  }
2115 
2116  if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
2117  {
2118  sa0 = &sa;
2119  memset (sa0, 0, sizeof (*sa0));
2120 
2121  if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR)
2122  {
2123  if (ike0->rspi == 0)
2124  {
2125  sa0->raddr.as_u32 = ip40->dst_address.as_u32;
2126  sa0->iaddr.as_u32 = ip40->src_address.as_u32;
2127 
2128  r = ikev2_retransmit_sa_init (ike0, sa0->iaddr,
2129  sa0->raddr);
2130  if (r == 1)
2131  {
2133  IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
2134  1);
2135  len = clib_net_to_host_u32 (ike0->length);
2136  goto dispatch0;
2137  }
2138  else if (r == -1)
2139  {
2141  IKEV2_ERROR_IKE_SA_INIT_IGNORE,
2142  1);
2143  goto dispatch0;
2144  }
2145 
2146  ikev2_process_sa_init_req (vm, sa0, ike0);
2147 
2148  if (sa0->state == IKEV2_STATE_SA_INIT)
2149  {
2151  sa0->r_proposals =
2155  }
2156 
2157  if (sa0->state == IKEV2_STATE_SA_INIT
2159  {
2160  len = ikev2_generate_message (sa0, ike0, 0);
2161  }
2162 
2163  if (sa0->state == IKEV2_STATE_SA_INIT)
2164  {
2165  /* add SA to the pool */
2166  pool_get (km->per_thread_data[thread_index].sas,
2167  sa0);
2168  clib_memcpy (sa0, &sa, sizeof (*sa0));
2169  hash_set (km->
2170  per_thread_data[thread_index].sa_by_rspi,
2171  sa0->rspi,
2172  sa0 -
2173  km->per_thread_data[thread_index].sas);
2174  }
2175  else
2176  {
2177  ikev2_sa_free_all_vec (sa0);
2178  }
2179  }
2180  }
2181  else //received sa_init without initiator flag
2182  {
2183  ikev2_process_sa_init_resp (vm, sa0, ike0);
2184 
2185  if (sa0->state == IKEV2_STATE_SA_INIT)
2186  {
2187  ike0->exchange = IKEV2_EXCHANGE_IKE_AUTH;
2188  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2189  if (p)
2190  {
2191  ikev2_sa_t *sai =
2192  pool_elt_at_index (km->sais, p[0]);
2193 
2194  ikev2_complete_sa_data (sa0, sai);
2195  ikev2_calc_keys (sa0);
2196  ikev2_sa_auth_init (sa0);
2197  len = ikev2_generate_message (sa0, ike0, 0);
2198  }
2199  }
2200 
2201  if (sa0->state == IKEV2_STATE_SA_INIT)
2202  {
2203  /* add SA to the pool */
2204  pool_get (km->per_thread_data[thread_index].sas, sa0);
2205  clib_memcpy (sa0, &sa, sizeof (*sa0));
2206  hash_set (km->per_thread_data[thread_index].sa_by_rspi,
2207  sa0->rspi,
2208  sa0 - km->per_thread_data[thread_index].sas);
2209  }
2210  else
2211  {
2212  ikev2_sa_free_all_vec (sa0);
2213  }
2214  }
2215  }
2216  else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH)
2217  {
2218  uword *p;
2219  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2220  clib_net_to_host_u64 (ike0->rspi));
2221  if (p)
2222  {
2223  sa0 =
2224  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2225  p[0]);
2226 
2227  r = ikev2_retransmit_resp (sa0, ike0);
2228  if (r == 1)
2229  {
2231  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2232  1);
2233  len = clib_net_to_host_u32 (ike0->length);
2234  goto dispatch0;
2235  }
2236  else if (r == -1)
2237  {
2239  IKEV2_ERROR_IKE_REQ_IGNORE,
2240  1);
2241  goto dispatch0;
2242  }
2243 
2244  ikev2_process_auth_req (vm, sa0, ike0);
2245  ikev2_sa_auth (sa0);
2246  if (sa0->state == IKEV2_STATE_AUTHENTICATED)
2247  {
2249  ikev2_sa_match_ts (sa0);
2250  if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE)
2252  &sa0->childs[0]);
2253  }
2254 
2255  if (sa0->is_initiator)
2256  {
2257  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2258  if (p)
2259  {
2260  ikev2_sa_t *sai =
2261  pool_elt_at_index (km->sais, p[0]);
2262  hash_unset (km->sa_by_ispi, sai->ispi);
2263  ikev2_sa_free_all_vec (sai);
2264  pool_put (km->sais, sai);
2265  }
2266  }
2267  else
2268  {
2269  len = ikev2_generate_message (sa0, ike0, 0);
2270  }
2271  }
2272  }
2273  else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
2274  {
2275  uword *p;
2276  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2277  clib_net_to_host_u64 (ike0->rspi));
2278  if (p)
2279  {
2280  sa0 =
2281  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2282  p[0]);
2283 
2284  r = ikev2_retransmit_resp (sa0, ike0);
2285  if (r == 1)
2286  {
2288  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2289  1);
2290  len = clib_net_to_host_u32 (ike0->length);
2291  goto dispatch0;
2292  }
2293  else if (r == -1)
2294  {
2296  IKEV2_ERROR_IKE_REQ_IGNORE,
2297  1);
2298  goto dispatch0;
2299  }
2300 
2301  ikev2_process_informational_req (vm, sa0, ike0);
2302  if (sa0->del)
2303  {
2304  if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE)
2305  {
2306  ikev2_delete_t *d, *tmp, *resp = 0;
2307  vec_foreach (d, sa0->del)
2308  {
2309  ikev2_child_sa_t *ch_sa;
2310  ch_sa = ikev2_sa_get_child (sa0, d->spi,
2311  d->protocol_id,
2312  !sa0->is_initiator);
2313  if (ch_sa)
2314  {
2316  sa0, ch_sa);
2317  if (!sa0->is_initiator)
2318  {
2319  vec_add2 (resp, tmp, 1);
2320  tmp->protocol_id = d->protocol_id;
2321  tmp->spi = ch_sa->r_proposals[0].spi;
2322  }
2323  ikev2_sa_del_child_sa (sa0, ch_sa);
2324  }
2325  }
2326  if (!sa0->is_initiator)
2327  {
2328  vec_free (sa0->del);
2329  sa0->del = resp;
2330  }
2331  }
2332  }
2333  if (!sa0->is_initiator)
2334  {
2335  len = ikev2_generate_message (sa0, ike0, 0);
2336  }
2337  }
2338  }
2339  else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
2340  {
2341  uword *p;
2342  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2343  clib_net_to_host_u64 (ike0->rspi));
2344  if (p)
2345  {
2346  sa0 =
2347  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2348  p[0]);
2349 
2350  r = ikev2_retransmit_resp (sa0, ike0);
2351  if (r == 1)
2352  {
2354  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2355  1);
2356  len = clib_net_to_host_u32 (ike0->length);
2357  goto dispatch0;
2358  }
2359  else if (r == -1)
2360  {
2362  IKEV2_ERROR_IKE_REQ_IGNORE,
2363  1);
2364  goto dispatch0;
2365  }
2366 
2367  ikev2_process_create_child_sa_req (vm, sa0, ike0);
2368  if (sa0->rekey)
2369  {
2370  if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
2371  {
2372  ikev2_child_sa_t *child;
2373  vec_add2 (sa0->childs, child, 1);
2374  child->r_proposals = sa0->rekey[0].r_proposal;
2375  child->i_proposals = sa0->rekey[0].i_proposal;
2376  child->tsi = sa0->rekey[0].tsi;
2377  child->tsr = sa0->rekey[0].tsr;
2379  child);
2380  }
2381  if (sa0->is_initiator)
2382  {
2383  vec_del1 (sa0->rekey, 0);
2384  }
2385  else
2386  {
2387  len = ikev2_generate_message (sa0, ike0, 0);
2388  }
2389  }
2390  }
2391  }
2392  else
2393  {
2394  clib_warning ("IKEv2 exchange %u packet received from %U to %U",
2395  ike0->exchange,
2398  }
2399 
2400  dispatch0:
2401  /* if we are sending packet back, rewrite headers */
2402  if (len)
2403  {
2404  next0 = IKEV2_NEXT_IP4_LOOKUP;
2405  if (sa0->is_initiator)
2406  {
2407  ip40->dst_address.as_u32 = sa0->raddr.as_u32;
2408  ip40->src_address.as_u32 = sa0->iaddr.as_u32;
2409  }
2410  else
2411  {
2412  ip40->dst_address.as_u32 = sa0->iaddr.as_u32;
2413  ip40->src_address.as_u32 = sa0->raddr.as_u32;
2414  }
2415  udp0->length =
2416  clib_host_to_net_u16 (len + sizeof (udp_header_t));
2417  udp0->checksum = 0;
2418  b0->current_length =
2419  len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2420  ip40->length = clib_host_to_net_u16 (b0->current_length);
2421  ip40->checksum = ip4_header_checksum (ip40);
2422  }
2423  /* delete sa */
2424  if (sa0 && (sa0->state == IKEV2_STATE_DELETED ||
2426  {
2428 
2429  vec_foreach (c, sa0->childs)
2431 
2432  ikev2_delete_sa (sa0);
2433  }
2434  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2435 
2437  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2438  {
2439  ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
2440  t->sw_if_index = sw_if_index0;
2441  t->next_index = next0;
2442  }
2443 
2444  vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
2445  n_left_to_next, bi0, next0);
2446  }
2447 
2448  vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2449  }
2450 
2452  IKEV2_ERROR_PROCESSED, frame->n_vectors);
2453  return frame->n_vectors;
2454 }
2455 
2456 /* *INDENT-OFF* */
2457 VLIB_REGISTER_NODE (ikev2_node,static) = {
2458  .function = ikev2_node_fn,
2459  .name = "ikev2",
2460  .vector_size = sizeof (u32),
2461  .format_trace = format_ikev2_trace,
2462  .type = VLIB_NODE_TYPE_INTERNAL,
2463 
2464  .n_errors = ARRAY_LEN(ikev2_error_strings),
2465  .error_strings = ikev2_error_strings,
2466 
2467  .n_next_nodes = IKEV2_N_NEXT,
2468 
2469  .next_nodes = {
2470  [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
2471  [IKEV2_NEXT_ERROR_DROP] = "error-drop",
2472  },
2473 };
2474 /* *INDENT-ON* */
2475 
2476 // set ikev2 proposals when vpp is used as initiator
2477 static clib_error_t *
2479  ikev2_transforms_set * ts,
2480  ikev2_sa_proposal_t ** proposals, int is_ike)
2481 {
2482  clib_error_t *r;
2483  ikev2_main_t *km = &ikev2_main;
2484  ikev2_sa_proposal_t *proposal;
2485  vec_add2 (*proposals, proposal, 1);
2487  int error;
2488 
2489  /* Encryption */
2490  error = 1;
2492  {
2493  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
2494  && td->encr_type == ts->crypto_alg
2495  && td->key_len == ts->crypto_key_size / 8)
2496  {
2497  u16 attr[2];
2498  attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
2499  attr[1] = clib_host_to_net_u16 (td->key_len << 3);
2500  vec_add (td->attrs, (u8 *) attr, 4);
2501  vec_add1 (proposal->transforms, *td);
2502  td->attrs = 0;
2503 
2504  error = 0;
2505  break;
2506  }
2507  }
2508  if (error)
2509  {
2510  r = clib_error_return (0, "Unsupported algorithm");
2511  return r;
2512  }
2513 
2514  /* Integrity */
2515  error = 1;
2517  {
2518  if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
2519  && td->integ_type == ts->integ_alg)
2520  {
2521  vec_add1 (proposal->transforms, *td);
2522  error = 0;
2523  break;
2524  }
2525  }
2526  if (error)
2527  {
2528  clib_warning
2529  ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
2530  r = clib_error_return (0, "Unsupported algorithm");
2531  return r;
2532  }
2533 
2534  /* PRF */
2535  if (is_ike)
2536  {
2537  error = 1;
2539  {
2540  if (td->type == IKEV2_TRANSFORM_TYPE_PRF
2541  && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
2542  {
2543  vec_add1 (proposal->transforms, *td);
2544  error = 0;
2545  break;
2546  }
2547  }
2548  if (error)
2549  {
2550  r = clib_error_return (0, "Unsupported algorithm");
2551  return r;
2552  }
2553  }
2554 
2555  /* DH */
2556  error = 1;
2558  {
2559  if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
2560  {
2561  vec_add1 (proposal->transforms, *td);
2562  if (is_ike)
2563  {
2564  sa->dh_group = td->dh_type;
2565  }
2566  error = 0;
2567  break;
2568  }
2569  }
2570  if (error)
2571  {
2572  r = clib_error_return (0, "Unsupported algorithm");
2573  return r;
2574  }
2575 
2576  if (!is_ike)
2577  {
2578  error = 1;
2580  {
2581  if (td->type == IKEV2_TRANSFORM_TYPE_ESN)
2582  {
2583  vec_add1 (proposal->transforms, *td);
2584  error = 0;
2585  break;
2586  }
2587  }
2588  if (error)
2589  {
2590  r = clib_error_return (0, "Unsupported algorithm");
2591  return r;
2592  }
2593  }
2594 
2595 
2596  return 0;
2597 }
2598 
2599 static ikev2_profile_t *
2601 {
2602  ikev2_main_t *km = &ikev2_main;
2603  uword *p;
2604 
2605  p = mhash_get (&km->profile_index_by_name, name);
2606  if (!p)
2607  return 0;
2608 
2609  return pool_elt_at_index (km->profiles, p[0]);
2610 }
2611 
2612 
2613 static void
2615  u32 bi0, u32 len)
2616 {
2617  ip4_header_t *ip40;
2618  udp_header_t *udp0;
2619  vlib_buffer_t *b0;
2620  vlib_frame_t *f;
2621  u32 *to_next;
2622 
2623  b0 = vlib_get_buffer (vm, bi0);
2624  vlib_buffer_advance (b0, -sizeof (udp_header_t));
2625  udp0 = vlib_buffer_get_current (b0);
2626  vlib_buffer_advance (b0, -sizeof (ip4_header_t));
2627  ip40 = vlib_buffer_get_current (b0);
2628 
2629 
2630  ip40->ip_version_and_header_length = 0x45;
2631  ip40->tos = 0;
2632  ip40->fragment_id = 0;
2633  ip40->flags_and_fragment_offset = 0;
2634  ip40->ttl = 0xff;
2635  ip40->protocol = IP_PROTOCOL_UDP;
2636  ip40->dst_address.as_u32 = dst->as_u32;
2637  ip40->src_address.as_u32 = src->as_u32;
2638  udp0->dst_port = clib_host_to_net_u16 (500);
2639  udp0->src_port = clib_host_to_net_u16 (500);
2640  udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t));
2641  udp0->checksum = 0;
2642  b0->current_length = len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2643  ip40->length = clib_host_to_net_u16 (b0->current_length);
2644  ip40->checksum = ip4_header_checksum (ip40);
2645 
2646 
2647  /* send the request */
2648  f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
2649  to_next = vlib_frame_vector_args (f);
2650  to_next[0] = bi0;
2651  f->n_vectors = 1;
2652  vlib_put_frame_to_node (vm, ip4_lookup_node.index, f);
2653 
2654 }
2655 
2656 static u32
2658 {
2659  u32 bi0;
2660  if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
2661  {
2662  *ike = 0;
2663  return 0;
2664  }
2665  vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
2666  *ike = vlib_buffer_get_current (b0);
2667  return bi0;
2668 }
2669 
2670 clib_error_t *
2672 {
2673  ikev2_main_t *km = &ikev2_main;
2674 
2675  km->pkey = ikev2_load_key_file (file);
2676  if (km->pkey == NULL)
2677  return clib_error_return (0, "load key '%s' failed", file);
2678 
2679  return 0;
2680 }
2681 
2682 clib_error_t *
2684 {
2685  ikev2_main_t *km = &ikev2_main;
2686  ikev2_profile_t *p;
2687 
2688  if (is_add)
2689  {
2690  if (ikev2_profile_index_by_name (name))
2691  return clib_error_return (0, "policy %v already exists", name);
2692 
2693  pool_get (km->profiles, p);
2694  memset (p, 0, sizeof (*p));
2695  p->name = vec_dup (name);
2696  p->responder.sw_if_index = ~0;
2697  uword index = p - km->profiles;
2698  mhash_set_mem (&km->profile_index_by_name, name, &index, 0);
2699  }
2700  else
2701  {
2702  p = ikev2_profile_index_by_name (name);
2703  if (!p)
2704  return clib_error_return (0, "policy %v does not exists", name);
2705 
2706  vec_free (p->name);
2707  pool_put (km->profiles, p);
2708  mhash_unset (&km->profile_index_by_name, name, 0);
2709  }
2710  return 0;
2711 }
2712 
2713 clib_error_t *
2715  u8 * auth_data, u8 data_hex_format)
2716 {
2717  ikev2_profile_t *p;
2718  clib_error_t *r;
2719 
2720  p = ikev2_profile_index_by_name (name);
2721 
2722  if (!p)
2723  {
2724  r = clib_error_return (0, "unknown profile %v", name);
2725  return r;
2726  }
2727  vec_free (p->auth.data);
2728  p->auth.method = auth_method;
2729  p->auth.data = vec_dup (auth_data);
2730  p->auth.hex = data_hex_format;
2731 
2732  if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
2733  {
2734  vec_add1 (p->auth.data, 0);
2735  if (p->auth.key)
2736  EVP_PKEY_free (p->auth.key);
2737  p->auth.key = ikev2_load_cert_file (auth_data);
2738  if (p->auth.key == NULL)
2739  return clib_error_return (0, "load cert '%s' failed", auth_data);
2740  }
2741 
2742  return 0;
2743 }
2744 
2745 clib_error_t *
2746 ikev2_set_profile_id (vlib_main_t * vm, u8 * name, u8 id_type, u8 * data,
2747  int is_local)
2748 {
2749  ikev2_profile_t *p;
2750  clib_error_t *r;
2751 
2752  if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
2753  && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
2754  {
2755  r = clib_error_return (0, "unsupported identity type %U",
2756  format_ikev2_id_type, id_type);
2757  return r;
2758  }
2759 
2760  p = ikev2_profile_index_by_name (name);
2761 
2762  if (!p)
2763  {
2764  r = clib_error_return (0, "unknown profile %v", name);
2765  return r;
2766  }
2767 
2768  if (is_local)
2769  {
2770  vec_free (p->loc_id.data);
2771  p->loc_id.type = id_type;
2772  p->loc_id.data = vec_dup (data);
2773  }
2774  else
2775  {
2776  vec_free (p->rem_id.data);
2777  p->rem_id.type = id_type;
2778  p->rem_id.data = vec_dup (data);
2779  }
2780 
2781  return 0;
2782 }
2783 
2784 clib_error_t *
2786  u16 start_port, u16 end_port, ip4_address_t start_addr,
2787  ip4_address_t end_addr, int is_local)
2788 {
2789  ikev2_profile_t *p;
2790  clib_error_t *r;
2791 
2792  p = ikev2_profile_index_by_name (name);
2793 
2794  if (!p)
2795  {
2796  r = clib_error_return (0, "unknown profile %v", name);
2797  return r;
2798  }
2799 
2800  if (is_local)
2801  {
2802  p->loc_ts.start_addr.as_u32 = start_addr.as_u32;
2803  p->loc_ts.end_addr.as_u32 = end_addr.as_u32;
2804  p->loc_ts.start_port = start_port;
2805  p->loc_ts.end_port = end_port;
2806  p->loc_ts.protocol_id = protocol_id;
2807  p->loc_ts.ts_type = 7;
2808  }
2809  else
2810  {
2811  p->rem_ts.start_addr.as_u32 = start_addr.as_u32;
2812  p->rem_ts.end_addr.as_u32 = end_addr.as_u32;
2813  p->rem_ts.start_port = start_port;
2814  p->rem_ts.end_port = end_port;
2815  p->rem_ts.protocol_id = protocol_id;
2816  p->rem_ts.ts_type = 7;
2817  }
2818 
2819  return 0;
2820 }
2821 
2822 
2823 clib_error_t *
2826 {
2827  ikev2_profile_t *p;
2828  clib_error_t *r;
2829 
2830  p = ikev2_profile_index_by_name (name);
2831 
2832  if (!p)
2833  {
2834  r = clib_error_return (0, "unknown profile %v", name);
2835  return r;
2836  }
2837 
2839  p->responder.ip4 = ip4;
2840 
2841  return 0;
2842 }
2843 
2844 clib_error_t *
2846  ikev2_transform_encr_type_t crypto_alg,
2847  ikev2_transform_integ_type_t integ_alg,
2848  ikev2_transform_dh_type_t dh_type,
2849  u32 crypto_key_size)
2850 {
2851  ikev2_profile_t *p;
2852  clib_error_t *r;
2853 
2854  p = ikev2_profile_index_by_name (name);
2855 
2856  if (!p)
2857  {
2858  r = clib_error_return (0, "unknown profile %v", name);
2859  return r;
2860  }
2861 
2862  p->ike_ts.crypto_alg = crypto_alg;
2863  p->ike_ts.integ_alg = integ_alg;
2864  p->ike_ts.dh_type = dh_type;
2865  p->ike_ts.crypto_key_size = crypto_key_size;
2866  return 0;
2867 }
2868 
2869 clib_error_t *
2871  ikev2_transform_encr_type_t crypto_alg,
2872  ikev2_transform_integ_type_t integ_alg,
2873  ikev2_transform_dh_type_t dh_type,
2874  u32 crypto_key_size)
2875 {
2876  ikev2_profile_t *p;
2877  clib_error_t *r;
2878 
2879  p = ikev2_profile_index_by_name (name);
2880 
2881  if (!p)
2882  {
2883  r = clib_error_return (0, "unknown profile %v", name);
2884  return r;
2885  }
2886 
2887  p->esp_ts.crypto_alg = crypto_alg;
2888  p->esp_ts.integ_alg = integ_alg;
2889  p->esp_ts.dh_type = dh_type;
2890  p->esp_ts.crypto_key_size = crypto_key_size;
2891  return 0;
2892 }
2893 
2894 clib_error_t *
2896  u64 lifetime, u32 jitter, u32 handover,
2897  u64 maxdata)
2898 {
2899  ikev2_profile_t *p;
2900  clib_error_t *r;
2901 
2902  p = ikev2_profile_index_by_name (name);
2903 
2904  if (!p)
2905  {
2906  r = clib_error_return (0, "unknown profile %v", name);
2907  return r;
2908  }
2909 
2910  p->lifetime = lifetime;
2911  p->lifetime_jitter = jitter;
2912  p->handover = handover;
2913  p->lifetime_maxdata = maxdata;
2914  return 0;
2915 }
2916 
2917 clib_error_t *
2919 {
2920  ikev2_profile_t *p;
2921  clib_error_t *r;
2922  ip4_main_t *im = &ip4_main;
2923  ikev2_main_t *km = &ikev2_main;
2924 
2925  p = ikev2_profile_index_by_name (name);
2926 
2927  if (!p)
2928  {
2929  r = clib_error_return (0, "unknown profile %v", name);
2930  return r;
2931  }
2932 
2933  if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0)
2934  {
2935  r = clib_error_return (0, "responder not set for profile %v", name);
2936  return r;
2937  }
2938 
2939 
2940  /* Create the Initiator Request */
2941  {
2942  ike_header_t *ike0;
2943  u32 bi0 = 0;
2944  ip_lookup_main_t *lm = &im->lookup_main;
2945  u32 if_add_index0;
2946  int len = sizeof (ike_header_t);
2947 
2948  /* Get own iface IP */
2949  if_add_index0 =
2951  ip_interface_address_t *if_add =
2952  pool_elt_at_index (lm->if_address_pool, if_add_index0);
2953  ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
2954 
2955  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
2956 
2957  /* Prepare the SA and the IKE payload */
2958  ikev2_sa_t sa;
2959  memset (&sa, 0, sizeof (ikev2_sa_t));
2960  ikev2_payload_chain_t *chain = 0;
2961  ikev2_payload_new_chain (chain);
2962 
2963  /* Build the IKE proposal payload */
2964  ikev2_sa_proposal_t *proposals = 0;
2965  ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
2966  proposals[0].proposal_num = 1;
2967  proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
2968 
2969  /* Add and then cleanup proposal data */
2970  ikev2_payload_add_sa (chain, proposals);
2971  ikev2_sa_free_proposal_vector (&proposals);
2972 
2973  sa.is_initiator = 1;
2974  sa.profile = p;
2977  ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
2978  ikev2_payload_add_nonce (chain, sa.i_nonce);
2979 
2980  /* Build the child SA proposal */
2981  vec_resize (sa.childs, 1);
2982  ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
2983  &sa.childs[0].i_proposals, 0);
2984  sa.childs[0].i_proposals[0].proposal_num = 1;
2986  RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
2987  sizeof (sa.childs[0].i_proposals[0].spi));
2988 
2989 
2990 
2991  /* Add NAT detection notification messages (mandatory) */
2992  u8 nat_detection_source[8 + 8 + 4 + 2];
2993  u8 *nat_detection_sha1 = vec_new (u8, 20);
2994 
2995  u64 tmpspi = clib_host_to_net_u64 (sa.ispi);
2996  clib_memcpy (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
2997  tmpspi = clib_host_to_net_u64 (sa.rspi);
2998  clib_memcpy (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
2999  u16 tmpport = clib_host_to_net_u16 (500);
3000  clib_memcpy (&nat_detection_source[8 + 8 + 4], &tmpport,
3001  sizeof (tmpport));
3002  u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32);
3003  clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
3004  SHA1 (nat_detection_source, sizeof (nat_detection_source),
3005  nat_detection_sha1);
3006  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
3007  nat_detection_sha1);
3008  tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32);
3009  clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
3010  SHA1 (nat_detection_source, sizeof (nat_detection_source),
3011  nat_detection_sha1);
3012  ikev2_payload_add_notify (chain,
3013  IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
3014  nat_detection_sha1);
3015  vec_free (nat_detection_sha1);
3016 
3017  u8 *sig_hash_algo = vec_new (u8, 8);
3018  u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
3019  clib_memcpy (sig_hash_algo, &tmpsig, sizeof (tmpsig));
3020  ikev2_payload_add_notify (chain,
3021  IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
3022  sig_hash_algo);
3023  vec_free (sig_hash_algo);
3024 
3025 
3026  /* Buffer update and boilerplate */
3027  len += vec_len (chain->data);
3028  ike0->nextpayload = chain->first_payload_type;
3029  ike0->length = clib_host_to_net_u32 (len);
3030  clib_memcpy (ike0->payload, chain->data, vec_len (chain->data));
3032 
3033  ike0->version = IKE_VERSION_2;
3034  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3035  ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
3036  ike0->ispi = sa.ispi;
3037 
3038  /* store whole IKE payload - needed for PSK auth */
3040  vec_add (sa.last_sa_init_req_packet_data, ike0, len);
3041 
3042  /* add data to the SA then add it to the pool */
3043  sa.iaddr.as_u32 = if_ip->as_u32;
3044  sa.raddr.as_u32 = p->responder.ip4.as_u32;
3045  sa.i_id.type = p->loc_id.type;
3046  sa.i_id.data = vec_dup (p->loc_id.data);
3047  sa.i_auth.method = p->auth.method;
3048  sa.i_auth.hex = p->auth.hex;
3049  sa.i_auth.data = vec_dup (p->auth.data);
3050 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3051  clib_memcpy (sa.i_auth.key, p->auth.key, EVP_PKEY_size (p->auth.key));
3052 #else
3053  sa.i_auth.key = vec_dup (p->auth.key);
3054 #endif
3055  vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
3056  vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
3057 
3058  /* add SA to the pool */
3059  ikev2_sa_t *sa0 = 0;
3060  pool_get (km->sais, sa0);
3061  clib_memcpy (sa0, &sa, sizeof (*sa0));
3062  hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
3063 
3064  ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
3065 
3066  }
3067 
3068  return 0;
3069 }
3070 
3071 static void
3073  ikev2_child_sa_t * csa)
3074 {
3075  /* Create the Initiator notification for child SA removal */
3076  ikev2_main_t *km = &ikev2_main;
3077  ike_header_t *ike0;
3078  u32 bi0 = 0;
3079  int len;
3080 
3081  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3082 
3083 
3084  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3085  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3086  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3087  vec_resize (sa->del, 1);
3089  sa->del->spi = csa->i_proposals->spi;
3090  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3091  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3092  len = ikev2_generate_message (sa, ike0, 0);
3093 
3094  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3095 
3096  /* delete local child SA */
3098  ikev2_sa_del_child_sa (sa, csa);
3099 }
3100 
3101 clib_error_t *
3103 {
3104  clib_error_t *r;
3105  ikev2_main_t *km = &ikev2_main;
3107  ikev2_sa_t *fsa = 0;
3108  ikev2_child_sa_t *fchild = 0;
3109 
3110  /* Search for the child SA */
3111  vec_foreach (tkm, km->per_thread_data)
3112  {
3113  ikev2_sa_t *sa;
3114  if (fchild)
3115  break;
3116  /* *INDENT-OFF* */
3117  pool_foreach (sa, tkm->sas, ({
3118  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3119  if (fchild)
3120  {
3121  fsa = sa;
3122  break;
3123  }
3124  }));
3125  /* *INDENT-ON* */
3126  }
3127 
3128  if (!fchild || !fsa)
3129  {
3130  r = clib_error_return (0, "Child SA not found");
3131  return r;
3132  }
3133  else
3134  {
3135  ikev2_delete_child_sa_internal (vm, fsa, fchild);
3136  }
3137 
3138  return 0;
3139 }
3140 
3141 clib_error_t *
3143 {
3144  clib_error_t *r;
3145  ikev2_main_t *km = &ikev2_main;
3147  ikev2_sa_t *fsa = 0;
3148  ikev2_main_per_thread_data_t *ftkm = 0;
3149 
3150  /* Search for the IKE SA */
3151  vec_foreach (tkm, km->per_thread_data)
3152  {
3153  ikev2_sa_t *sa;
3154  if (fsa)
3155  break;
3156  /* *INDENT-OFF* */
3157  pool_foreach (sa, tkm->sas, ({
3158  if (sa->ispi == ispi)
3159  {
3160  fsa = sa;
3161  ftkm = tkm;
3162  break;
3163  }
3164  }));
3165  /* *INDENT-ON* */
3166  }
3167 
3168  if (!fsa)
3169  {
3170  r = clib_error_return (0, "IKE SA not found");
3171  return r;
3172  }
3173 
3174 
3175  /* Create the Initiator notification for IKE SA removal */
3176  {
3177  ike_header_t *ike0;
3178  u32 bi0 = 0;
3179  int len;
3180 
3181  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3182 
3183 
3184  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3185  ike0->ispi = clib_host_to_net_u64 (fsa->ispi);
3186  ike0->rspi = clib_host_to_net_u64 (fsa->rspi);
3187  vec_resize (fsa->del, 1);
3188  fsa->del->protocol_id = IKEV2_PROTOCOL_IKE;
3189  fsa->del->spi = ispi;
3190  ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1);
3191  fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3192  len = ikev2_generate_message (fsa, ike0, 0);
3193 
3194  ikev2_send_ike (vm, &fsa->iaddr, &fsa->raddr, bi0, len);
3195  }
3196 
3197 
3198  /* delete local SA */
3200  vec_foreach (c, fsa->childs)
3201  {
3202  ikev2_delete_tunnel_interface (km->vnet_main, fsa, c);
3203  ikev2_sa_del_child_sa (fsa, c);
3204  }
3205  ikev2_sa_free_all_vec (fsa);
3206  uword *p = hash_get (ftkm->sa_by_rspi, fsa->rspi);
3207  if (p)
3208  {
3209  hash_unset (ftkm->sa_by_rspi, fsa->rspi);
3210  pool_put (ftkm->sas, fsa);
3211  }
3212 
3213 
3214  return 0;
3215 }
3216 
3217 static void
3219  ikev2_child_sa_t * csa)
3220 {
3221  /* Create the Initiator request for create child SA */
3222  ike_header_t *ike0;
3223  u32 bi0 = 0;
3224  int len;
3225 
3226 
3227  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3228 
3229 
3230  ike0->version = IKE_VERSION_2;
3231  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3232  ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
3233  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3234  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3235  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3236  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3237 
3238  ikev2_rekey_t *rekey;
3239  vec_add2 (sa->rekey, rekey, 1);
3240  ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
3241 
3242  /*need new ispi */
3243  RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
3244  rekey->spi = proposals[0].spi;
3245  rekey->ispi = csa->i_proposals->spi;
3246  len = ikev2_generate_message (sa, ike0, proposals);
3247  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3248  vec_free (proposals);
3249 }
3250 
3251 clib_error_t *
3253 {
3254  clib_error_t *r;
3255  ikev2_main_t *km = &ikev2_main;
3257  ikev2_sa_t *fsa = 0;
3258  ikev2_child_sa_t *fchild = 0;
3259 
3260  /* Search for the child SA */
3261  vec_foreach (tkm, km->per_thread_data)
3262  {
3263  ikev2_sa_t *sa;
3264  if (fchild)
3265  break;
3266  /* *INDENT-OFF* */
3267  pool_foreach (sa, tkm->sas, ({
3268  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3269  if (fchild)
3270  {
3271  fsa = sa;
3272  break;
3273  }
3274  }));
3275  /* *INDENT-ON* */
3276  }
3277 
3278  if (!fchild || !fsa)
3279  {
3280  r = clib_error_return (0, "Child SA not found");
3281  return r;
3282  }
3283  else
3284  {
3285  ikev2_rekey_child_sa_internal (vm, fsa, fchild);
3286  }
3287 
3288  return 0;
3289 }
3290 
3291 clib_error_t *
3293 {
3294  ikev2_main_t *km = &ikev2_main;
3295  clib_error_t *error;
3297  int thread_id;
3298 
3299  memset (km, 0, sizeof (ikev2_main_t));
3300  km->vnet_main = vnet_get_main ();
3301  km->vlib_main = vm;
3302 
3303  ikev2_crypto_init (km);
3304 
3306 
3307  vec_validate (km->per_thread_data, tm->n_vlib_mains - 1);
3308  for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
3309  {
3310  km->per_thread_data[thread_id].sa_by_rspi =
3311  hash_create (0, sizeof (uword));
3312  }
3313 
3314  km->sa_by_ispi = hash_create (0, sizeof (uword));
3315 
3316 
3317  if ((error = vlib_call_init_function (vm, ikev2_cli_init)))
3318  return error;
3319 
3320  udp_register_dst_port (vm, 500, ikev2_node.index, 1);
3321 
3322  return 0;
3323 }
3324 
3325 
3326 static u8
3328 {
3329  ikev2_main_t *km = &ikev2_main;
3330  vlib_main_t *vm = km->vlib_main;
3331  f64 now = vlib_time_now (vm);
3332  u8 res = 0;
3333 
3334  if (sa->is_initiator && sa->profile && csa->time_to_expiration
3335  && now > csa->time_to_expiration)
3336  {
3337  if (!csa->is_expired || csa->rekey_retries > 0)
3338  {
3339  ikev2_rekey_child_sa_internal (vm, sa, csa);
3340  csa->time_to_expiration = now + sa->profile->handover;
3341  csa->is_expired = 1;
3342  if (csa->rekey_retries == 0)
3343  {
3344  csa->rekey_retries = 5;
3345  }
3346  else if (csa->rekey_retries > 0)
3347  {
3348  csa->rekey_retries--;
3349  clib_warning ("Rekeying Child SA 0x%x, retries left %d",
3350  csa->i_proposals->spi, csa->rekey_retries);
3351  if (csa->rekey_retries == 0)
3352  {
3353  csa->rekey_retries = -1;
3354  }
3355  }
3356  res |= 1;
3357  }
3358  else
3359  {
3360  csa->time_to_expiration = 0;
3361  ikev2_delete_child_sa_internal (vm, sa, csa);
3362  res |= 1;
3363  }
3364  }
3365 
3366  return res;
3367 }
3368 
3369 static void
3371 {
3372  ikev2_main_t *km = &ikev2_main;
3373  vlib_main_t *vm = km->vlib_main;
3375  ikev2_sa_t *fsa = 0;
3376  ikev2_child_sa_t *fchild = 0;
3377  f64 now = vlib_time_now (vm);
3378 
3379  /* Search for the SA and child SA */
3380  vec_foreach (tkm, km->per_thread_data)
3381  {
3382  ikev2_sa_t *sa;
3383  if (fchild)
3384  break;
3385  /* *INDENT-OFF* */
3386  pool_foreach (sa, tkm->sas, ({
3387  fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
3388  if (fchild)
3389  {
3390  fsa = sa;
3391  break;
3392  }
3393  }));
3394  /* *INDENT-ON* */
3395  }
3396 
3397  if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
3398  {
3399  if (!fchild->is_expired
3400  && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
3401  {
3402  fchild->time_to_expiration = now;
3403  }
3404  }
3405 }
3406 
3408 
3409 static uword
3411  vlib_frame_t * f)
3412 {
3413  ikev2_main_t *km = &ikev2_main;
3414  ipsec_main_t *im = &ipsec_main;
3415 
3416  while (1)
3417  {
3418  u8 req_sent = 0;
3421 
3422  /* process ike child sas */
3424  vec_foreach (tkm, km->per_thread_data)
3425  {
3426  ikev2_sa_t *sa;
3427  /* *INDENT-OFF* */
3428  pool_foreach (sa, tkm->sas, ({
3429  ikev2_child_sa_t *c;
3430  vec_foreach (c, sa->childs)
3431  {
3432  req_sent |= ikev2_mngr_process_child_sa(sa, c);
3433  }
3434  }));
3435  /* *INDENT-ON* */
3436  }
3437 
3438  /* process ipsec sas */
3439  ipsec_sa_t *sa;
3440  /* *INDENT-OFF* */
3441  pool_foreach (sa, im->sad, ({
3442  ikev2_mngr_process_ipsec_sa(sa);
3443  }));
3444  /* *INDENT-ON* */
3445 
3446  if (req_sent)
3447  {
3450  req_sent = 0;
3451  }
3452 
3453  }
3454  return 0;
3455 }
3456 
3457 /* *INDENT-OFF* */
3459  .function = ikev2_mngr_process_fn,
3460  .type = VLIB_NODE_TYPE_PROCESS,
3461  .name =
3462  "ikev2-manager-process",
3463 };
3464 
3465 /* *INDENT-ON* */
3466 
3467 /*
3468  * fd.io coding-style-patch-verification: ON
3469  *
3470  * Local Variables:
3471  * eval: (c-set-style "gnu")
3472  * End:
3473  */
ikev2_main_per_thread_data_t * per_thread_data
Definition: ikev2_priv.h:291
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:437
static int ikev2_retransmit_sa_init(ike_header_t *ike, ip4_address_t iaddr, ip4_address_t raddr)
Definition: ikev2.c:1948
u8 * dh_shared_key
Definition: ikev2_priv.h:211
ikev2_sa_t * sais
Definition: ikev2_priv.h:287
void ikev2_payload_add_nonce(ikev2_payload_chain_t *c, u8 *nonce)
static u8 * format_ikev2_trace(u8 *s, va_list *args)
Definition: ikev2.c:45
u8 * dh_private_key
Definition: ikev2_priv.h:212
ikev2_transform_type_t type
Definition: ikev2_priv.h:69
#define hash_set(h, key, value)
Definition: hash.h:255
vl_api_address_t src
Definition: vxlan_gbp.api:33
#define IKEV2_PAYLOAD_NONCE
Definition: ikev2.h:99
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2824
ikev2_id_t r_id
Definition: ikev2_priv.h:235
ikev2_id_type_t type
Definition: ikev2_priv.h:127
#define CLIB_UNUSED(x)
Definition: clib.h:81
void ikev2_payload_add_notify(ikev2_payload_chain_t *c, u16 msg_type, u8 *data)
ikev2_transforms_set ike_ts
Definition: ikev2_priv.h:189
static int ikev2_delete_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1634
static f64 vlib_process_wait_for_event_or_clock(vlib_main_t *vm, f64 dt)
Suspend a cooperative multi-tasking thread Waits for an event, or for the indicated number of seconds...
Definition: node_funcs.h:699
ikev2_transform_integ_type_t
Definition: ikev2.h:267
#define hash_unset(h, key)
Definition: hash.h:261
a
Definition: bitmap.h:538
static void ikev2_send_ike(vlib_main_t *vm, ip4_address_t *src, ip4_address_t *dst, u32 bi0, u32 len)
Definition: ikev2.c:2614
ip4_address_t src_address
Definition: ip4_packet.h:169
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2683
EVP_PKEY * pkey
Definition: ikev2_priv.h:280
ip_interface_address_t * if_address_pool
Pool of addresses that are assigned to interfaces.
Definition: lookup.h:123
void ikev2_payload_add_sa(ikev2_payload_chain_t *c, ikev2_sa_proposal_t *proposals)
vnet_main_t * vnet_get_main(void)
Definition: misc.c:47
static void ikev2_calc_keys(ikev2_sa_t *sa)
Definition: ikev2.c:432
ikev2_sa_proposal_t * ikev2_parse_sa_payload(ike_payload_header_t *ikep)
u32 last_init_msg_id
Definition: ikev2_priv.h:252
static u32 ikev2_generate_message(ikev2_sa_t *sa, ike_header_t *ike, void *user)
Definition: ikev2.c:1667
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:120
#define IKEV2_PAYLOAD_NONE
Definition: ikev2.h:93
ikev2_profile_t * profiles
Definition: ikev2_priv.h:271
unsigned long u64
Definition: types.h:89
u8 v8
Definition: ikev2.h:27
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3142
ikev2_ts_t * ikev2_parse_ts_payload(ike_payload_header_t *ikep)
#define NULL
Definition: clib.h:57
uword mhash_unset(mhash_t *h, void *key, uword *old_value)
Definition: mhash.c:353
v8 * ikev2_calc_prf(ikev2_sa_transform_t *tr, v8 *key, v8 *data)
Definition: ikev2_crypto.c:257
static f64 vlib_time_now(vlib_main_t *vm)
Definition: main.h:227
static void ikev2_complete_sa_data(ikev2_sa_t *sa, ikev2_sa_t *sai)
Definition: ikev2.c:376
static vlib_node_registration_t ikev2_mngr_process_node
(constructor) VLIB_REGISTER_NODE (ikev2_mngr_process_node)
Definition: ikev2.c:3407
#define IKEV2_EXCHANGE_SA_INIT
Definition: ikev2.h:82
static void ikev2_delete_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3072
ikev2_transform_esn_type_t esn_type
Definition: ikev2_priv.h:77
#define IKEV2_PAYLOAD_VENDOR
Definition: ikev2.h:102
ikev2_state_t state
Definition: ikev2_priv.h:199
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:523
ikev2_transform_encr_type_t crypto_alg
Definition: ikev2_priv.h:118
#define vec_add2(V, P, N)
Add N elements to end of vector V, return pointer to new elements in P.
Definition: vec.h:562
int i
u8 * sk_pi
Definition: ikev2_priv.h:226
static void mhash_init_vec_string(mhash_t *h, uword n_value_bytes)
Definition: mhash.h:84
ip_lookup_main_t lookup_main
Definition: ip4.h:98
ip4_address_t ip4
Definition: ikev2_priv.h:113
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2895
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:419
u16 flags_and_fragment_offset
Definition: ip4_packet.h:150
void ikev2_payload_add_ke(ikev2_payload_chain_t *c, u16 dh_group, u8 *dh_data)
ikev2_next_t
Definition: ikev2.c:80
static void ikev2_generate_sa_init_data(ikev2_sa_t *sa)
Definition: ikev2.c:323
#define IKEV2_NONCE_SIZE
Definition: ikev2.h:23
u8 initial_contact
Definition: ikev2_priv.h:201
ikev2_ts_t * tsi
Definition: ikev2_priv.h:166
#define IKEV2_PAYLOAD_TSR
Definition: ikev2.h:104
ikev2_auth_t r_auth
Definition: ikev2_priv.h:231
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:228
static void ikev2_delete_sa(ikev2_sa_t *sa)
Definition: ikev2.c:306
u8 * last_sa_init_res_packet_data
Definition: ikev2_priv.h:245
unsigned char u8
Definition: types.h:56
ikev2_notify_t * ikev2_parse_notify_payload(ike_payload_header_t *ikep)
ikev2_profile_t * profile
Definition: ikev2_priv.h:253
ikev2_sa_transform_t * ikev2_sa_get_td_for_type(ikev2_sa_proposal_t *p, ikev2_transform_type_t type)
Definition: ikev2.c:192
ikev2_auth_t auth
Definition: ikev2_priv.h:183
double f64
Definition: types.h:142
ikev2_ts_t * tsr
Definition: ikev2_priv.h:167
vlib_node_registration_t ip4_lookup_node
(constructor) VLIB_REGISTER_NODE (ip4_lookup_node)
Definition: ip4_forward.c:103
static void ikev2_mngr_process_ipsec_sa(ipsec_sa_t *ipsec_sa)
Definition: ikev2.c:3370
ikev2_id_t rem_id
Definition: ikev2_priv.h:185
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
Definition: vec.h:600
ikev2_transform_dh_type_t
Definition: ikev2.h:317
int ikev2_encrypt_data(ikev2_sa_t *sa, v8 *src, u8 *dst)
Definition: ikev2_crypto.c:421
ikev2_child_sa_t * ikev2_sa_get_child(ikev2_sa_t *sa, u32 spi, ikev2_protocol_id_t prot_id, int by_initiator)
Definition: ikev2.c:209
format_function_t format_ip4_address
Definition: format.h:75
u32 next_index
Definition: ikev2.c:40
memset(h->entries, 0, sizeof(h->entries[0])*entries)
u32 last_msg_id
Definition: ikev2_priv.h:248
#define IKEV2_PAYLOAD_DELETE
Definition: ikev2.h:101
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:443
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:135
void ikev2_generate_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:457
static uword vlib_process_get_events(vlib_main_t *vm, uword **data_vector)
Return the first event type which has occurred and a vector of per-event data of that type...
Definition: node_funcs.h:542
ipsec_main_t ipsec_main
Definition: ipsec.c:30
EVP_PKEY * ikev2_load_cert_file(u8 *file)
Definition: ikev2_crypto.c:735
u32 sw_if_index
Definition: vxlan_gbp.api:39
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2918
static ikev2_sa_transform_t * ikev2_find_transform_data(ikev2_sa_transform_t *t)
Definition: ikev2.c:88
ip4_address_t dst_address
Definition: ip4_packet.h:169
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:309
EVP_PKEY * ikev2_load_key_file(u8 *file)
Definition: ikev2_crypto.c:765
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:2714
void ikev2_parse_vendor_payload(ike_payload_header_t *ikep)
ip4_address_t start_addr
Definition: ikev2_priv.h:106
ip4_address_t remote_ip
Definition: ipsec.h:162
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84
vlib_frame_t * vlib_get_frame_to_node(vlib_main_t *vm, u32 to_node_index)
Definition: main.c:182
#define clib_error_return(e, args...)
Definition: error.h:99
static u32 ikev2_get_new_ike_header_buff(vlib_main_t *vm, ike_header_t **ike)
Definition: ikev2.c:2657
void ikev2_payload_add_id(ikev2_payload_chain_t *c, ikev2_id_t *id, u8 type)
#define IKEV2_PAYLOAD_NOTIFY
Definition: ikev2.h:100
static void ikev2_sa_match_ts(ikev2_sa_t *sa)
Definition: ikev2.c:1242
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:217
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2870
static void ikev2_sa_auth(ikev2_sa_t *sa)
Definition: ikev2.c:1309
#define vec_resize(V, N)
Resize a vector (no header, unspecified alignment) Add N elements to end of given vector V...
Definition: vec.h:240
ikev2_transform_integ_type_t integ_alg
Definition: ikev2_priv.h:119
unsigned int u32
Definition: types.h:88
ikev2_auth_t i_auth
Definition: ikev2_priv.h:230
#define vlib_call_init_function(vm, x)
Definition: init.h:260
#define ikev2_set_state(sa, v)
Definition: ikev2.c:33
#define ikev2_payload_destroy_chain(V)
Definition: ikev2_priv.h:326
ikev2_id_t loc_id
Definition: ikev2_priv.h:184
ikev2_sa_transform_t * transforms
Definition: ikev2_priv.h:96
#define IKEV2_EXCHANGE_CREATE_CHILD_SA
Definition: ikev2.h:84
u8 * sk_ar
Definition: ikev2_priv.h:223
u8 * r_dh_data
Definition: ikev2_priv.h:214
static void ikev2_initial_contact_cleanup(ikev2_sa_t *sa)
Definition: ikev2.c:776
ikev2_responder_t responder
Definition: ikev2_priv.h:188
static ikev2_profile_t * ikev2_profile_index_by_name(u8 *name)
Definition: ikev2.c:2600
#define hash_get(h, key)
Definition: hash.h:249
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2746
u8 * ikev2_calc_prfplus(ikev2_sa_transform_t *tr, u8 *key, u8 *seed, int len)
Definition: ikev2_crypto.c:286
static clib_error_t * ikev2_set_initiator_proposals(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_transforms_set *ts, ikev2_sa_proposal_t **proposals, int is_ike)
Definition: ikev2.c:2478
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:464
ikev2_main_t ikev2_main
Definition: ikev2.c:27
vlib_main_t * vlib_main
Definition: vnet.h:80
u8 * last_sa_init_req_packet_data
Definition: ikev2_priv.h:244
u16 current_length
Nbytes between current data and the end of this buffer.
Definition: buffer.h:113
#define IKEV2_PAYLOAD_IDR
Definition: ikev2.h:97
static int ikev2_create_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1476
#define IKEV2_PAYLOAD_SA
Definition: ikev2.h:94
ikev2_ts_t rem_ts
Definition: ikev2_priv.h:187
u8 * i_dh_data
Definition: ikev2_priv.h:213
uword mhash_set_mem(mhash_t *h, void *key, uword *new_value, uword *old_value)
Definition: mhash.c:271
#define v
Definition: acl.c:496
unsigned short u16
Definition: types.h:57
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:134
void vlib_put_frame_to_node(vlib_main_t *vm, u32 to_node_index, vlib_frame_t *f)
Definition: main.c:191
u8 * r_nonce
Definition: ikev2_priv.h:207
#define IKEV2_HDR_FLAG_RESPONSE
Definition: ikev2.h:89
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
Definition: buffer.h:205
mhash_t profile_index_by_name
Definition: ikev2_priv.h:277
u16 end_port
Definition: ikev2_priv.h:105
ikev2_sa_transform_t * supported_transforms
Definition: ikev2_priv.h:274
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:274
ikev2_rekey_t * rekey
Definition: ikev2_priv.h:241
#define vec_dup(V)
Return copy of vector (no header, no alignment)
Definition: vec.h:373
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3102
static void ikev2_rekey_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3218
#define PREDICT_FALSE(x)
Definition: clib.h:107
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:806
#define IKEV2_PAYLOAD_FLAG_CRITICAL
Definition: ikev2.h:91
static void ikev2_sa_auth_init(ikev2_sa_t *sa)
Definition: ikev2.c:1432
ikev2_protocol_id_t
Definition: ikev2.h:107
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
Definition: buffer_node.h:218
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
Definition: node_funcs.h:364
ip4_address_t end_addr
Definition: ikev2_priv.h:107
u8 name[64]
Definition: memclnt.api:151
ip4_address_t iaddr
Definition: ikev2_priv.h:202
u8 * i_nonce
Definition: ikev2_priv.h:206
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2671
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1176
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2785
u8 * sk_ei
Definition: ikev2_priv.h:224
#define IKEV2_EXCHANGE_INFORMATIONAL
Definition: ikev2.h:85
void ikev2_payload_add_delete(ikev2_payload_chain_t *c, ikev2_delete_t *d)
#define IKEV2_HDR_FLAG_INITIATOR
Definition: ikev2.h:87
#define IKEV2_KEY_PAD
Definition: ikev2.h:25
static uword ikev2_mngr_process_fn(vlib_main_t *vm, vlib_node_runtime_t *rt, vlib_frame_t *f)
Definition: ikev2.c:3410
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3252
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:165
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:155
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:76
svmdb_client_t * c
u16 n_vectors
Definition: node.h:401
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:211
vlib_main_t * vm
Definition: buffer.c:294
static u8 * ikev2_decrypt_sk_payload(ikev2_sa_t *sa, ike_header_t *ike, u8 *payload)
Definition: ikev2.c:711
vl_api_address_t dst
Definition: vxlan_gbp.api:34
static void ikev2_sa_del_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:262
ikev2_auth_method_t method
Definition: ikev2_priv.h:55
ikev2_transform_encr_type_t
Definition: ikev2.h:226
ikev2_delete_t * del
Definition: ikev2_priv.h:238
ikev2_ts_t * tsi
Definition: ikev2_priv.h:138
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:339
static void ikev2_process_auth_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:815
static uword ikev2_node_fn(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
Definition: ikev2.c:2062
ip4_address_t raddr
Definition: ikev2_priv.h:203
#define clib_warning(format, args...)
Definition: error.h:59
#define clib_memcpy(a, b, c)
Definition: string.h:75
u8 * sk_er
Definition: ikev2_priv.h:225
static void ikev2_process_sa_init_resp(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:631
u8 is_initiator
Definition: ikev2_priv.h:251
#define ARRAY_LEN(x)
Definition: clib.h:61
#define IKEV2_PAYLOAD_KE
Definition: ikev2.h:95
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
Definition: main.c:455
ikev2_ts_t loc_ts
Definition: ikev2_priv.h:186
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:218
static u8 * ikev2_sa_generate_authmsg(ikev2_sa_t *sa, int is_responder)
Definition: ikev2.c:1187
static void ikev2_calc_child_keys(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:509
u32 * if_address_pool_index_by_sw_if_index
Head of doubly linked list of interface addresses for each software interface.
Definition: lookup.h:130
#define hash_create(elts, value_bytes)
Definition: hash.h:696
void ikev2_payload_add_auth(ikev2_payload_chain_t *c, ikev2_auth_t *auth)
ikev2_protocol_id_t protocol_id
Definition: ikev2_priv.h:94
u8 protocol_id
Definition: ikev2_priv.h:102
u16 cached_next_index
Next frame index that vector arguments were last enqueued to last time this node ran.
Definition: node.h:513
#define ASSERT(truth)
static uword * mhash_get(mhash_t *h, const void *key)
Definition: mhash.h:110
vnet_main_t * vnet_main
Definition: ikev2_priv.h:284
static void ikev2_process_informational_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:975
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:170
ip4_address_t local_ip
Definition: ipsec.h:162
void ikev2_sa_free_proposal_vector(ikev2_sa_proposal_t **v)
Definition: ikev2.c:225
ipsec_sa_t * sad
Definition: ipsec.h:265
#define IKEV2_PAYLOAD_AUTH
Definition: ikev2.h:98
IPv4 main type.
Definition: ip4.h:96
#define ikev2_payload_new_chain(V)
Definition: ikev2_priv.h:325
#define IKEV2_PAYLOAD_SK
Definition: ikev2.h:105
ikev2_sa_proposal_t * r_proposal
Definition: ikev2_priv.h:165
u8 * sk_ai
Definition: ikev2_priv.h:222
#define IKE_VERSION_2
Definition: ikev2.h:80
void ikev2_complete_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:589
#define vec_append(v1, v2)
Append v2 after v1.
Definition: vec.h:820
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
Definition: buffer.h:218
static vlib_node_registration_t ikev2_node
(constructor) VLIB_REGISTER_NODE (ikev2_node)
Definition: ikev2.c:56
u16 dh_group
Definition: ikev2_priv.h:210
ikev2_sa_proposal_t * i_proposal
Definition: ikev2_priv.h:164
#define IKEV2_PAYLOAD_TSI
Definition: ikev2.h:103
EVP_PKEY * key
Definition: ikev2_priv.h:58
static int ikev2_retransmit_resp(ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:2018
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:57
ikev2_transform_encr_type_t encr_type
Definition: ikev2_priv.h:73
struct _vlib_node_registration vlib_node_registration_t
u8 * last_res_packet_data
Definition: ikev2_priv.h:249
ikev2_transform_integ_type_t integ_type
Definition: ikev2_priv.h:75
static char * ikev2_error_strings[]
Definition: ikev2.c:74
static void ikev2_process_sa_init_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:556
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
u16 start_port
Definition: ikev2_priv.h:104
void ikev2_payload_chain_add_padding(ikev2_payload_chain_t *c, int bs)
u8 * sk_pr
Definition: ikev2_priv.h:227
u64 uword
Definition: types.h:112
#define IKEV2_PAYLOAD_IDI
Definition: ikev2.h:96
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2845
ikev2_id_t i_id
Definition: ikev2_priv.h:234
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:267
static void ikev2_process_create_child_sa_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:1046
ikev2_ts_t * tsr
Definition: ikev2_priv.h:139
ikev2_child_sa_t * childs
Definition: ikev2_priv.h:255
ikev2_transform_prf_type_t prf_type
Definition: ikev2_priv.h:74
Linear Congruential Random Number Generator.
#define IKEV2_EXCHANGE_IKE_AUTH
Definition: ikev2.h:83
static int ikev2_ts_cmp(ikev2_ts_t *ts1, ikev2_ts_t *ts2)
Definition: ikev2.c:1230
#define vnet_buffer(b)
Definition: buffer.h:344
clib_error_t * ikev2_init(vlib_main_t *vm)
Definition: ikev2.c:3292
static u32 random_u32(u32 *seed)
32-bit random number generator
Definition: random.h:69
ikev2_error_t
Definition: ikev2.c:66
ip4_main_t ip4_main
Global ip4 main structure.
Definition: ip4_forward.c:900
clib_error_t * ikev2_cli_init(vlib_main_t *vm)
Definition: ikev2_cli.c:589
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
static u8 ikev2_mngr_process_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3327
uword * sa_by_ispi
Definition: ikev2_priv.h:289
#define vec_foreach(var, vec)
Vector iterator.
u8 unsupported_cp
Definition: ikev2_priv.h:200
static void ikev2_sa_free_all_child_sa(ikev2_child_sa_t **childs)
Definition: ikev2.c:245
u16 flags
Copy of main node flags.
Definition: node.h:507
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
Definition: ipsec_if.c:263
static ikev2_sa_proposal_t * ikev2_select_proposal(ikev2_sa_proposal_t *proposals, ikev2_protocol_id_t prot_id)
Definition: ikev2.c:116
u32 id
Definition: udp.api:45
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:492
u8 ip_version_and_header_length
Definition: ip4_packet.h:137
static void * ip_interface_address_get_address(ip_lookup_main_t *lm, ip_interface_address_t *a)
Definition: lookup.h:173
ikev2_transform_type_t
Definition: ikev2.h:203
ikev2_transforms_set esp_ts
Definition: ikev2_priv.h:190
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:310
void ikev2_crypto_init(ikev2_main_t *km)
Definition: ikev2_crypto.c:787
u32 flags
buffer flags: VLIB_BUFFER_FREE_LIST_INDEX_MASK: bits used to store free list index, VLIB_BUFFER_IS_TRACED: trace this buffer.
Definition: buffer.h:116
void ikev2_payload_add_ts(ikev2_payload_chain_t *c, ikev2_ts_t *ts, u8 type)
static u32 vlib_buffer_alloc(vlib_main_t *vm, u32 *buffers, u32 n_buffers)
Allocate buffers into supplied array.
Definition: buffer_funcs.h:503
vlib_main_t * vlib_main
Definition: ikev2_priv.h:283
v8 * ikev2_decrypt_data(ikev2_sa_t *sa, u8 *data, int len)
Definition: ikev2_crypto.c:371
static void ikev2_sa_free_all_vec(ikev2_sa_t *sa)
Definition: ikev2.c:275
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
Definition: buffer_funcs.h:58
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:246
u8 * ikev2_calc_sign(EVP_PKEY *pkey, u8 *data)
Definition: ikev2_crypto.c:704
v8 * ikev2_calc_integr(ikev2_sa_transform_t *tr, v8 *key, u8 *data, int len)
Definition: ikev2_crypto.c:328
u8 * format_ikev2_id_type(u8 *s, va_list *args)
Definition: defs.h:46
#define foreach_ikev2_error
Definition: ikev2.c:58
u32 sw_if_index
Definition: ikev2.c:41
void ikev2_payload_add_notify_2(ikev2_payload_chain_t *c, u16 msg_type, u8 *data, ikev2_notify_t *notify)
ikev2_delete_t * ikev2_parse_delete_payload(ike_payload_header_t *ikep)