25 #include <openssl/sha.h> 33 #define ikev2_set_state(sa, v) do { \ 35 clib_warning("sa state changed to " #v); \ 51 s =
format (s,
"ikev2: sw_if_index %d, next index %d",
58 #define foreach_ikev2_error \ 59 _(PROCESSED, "IKEv2 packets processed") \ 60 _(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \ 61 _(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \ 62 _(IKE_REQ_RETRANSMIT, "IKE request retransmit") \ 63 _(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \ 64 _(NOT_IKEV2, "Non IKEv2 packets received") 68 #define _(sym,str) IKEV2_ERROR_##sym, 75 #define _(sym,string) string, 101 if (td->
type == IKEV2_TRANSFORM_TYPE_ENCR)
104 || t->
attrs[1] != 14)
122 u8 mandatory_bitmap, optional_bitmap;
126 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
127 (1 << IKEV2_TRANSFORM_TYPE_PRF) |
128 (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
129 optional_bitmap = mandatory_bitmap;
133 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
134 (1 << IKEV2_TRANSFORM_TYPE_ESN);
135 optional_bitmap = mandatory_bitmap |
136 (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
140 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
141 (1 << IKEV2_TRANSFORM_TYPE_ESN);
142 optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
157 if ((1 << transform->
type) & bitmap)
162 bitmap |= 1 << transform->
type;
169 clib_warning (
"bitmap is %x mandatory is %x optional is %x",
170 bitmap, mandatory_bitmap, optional_bitmap);
172 if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
173 (bitmap & ~optional_bitmap) == 0)
177 RAND_bytes ((
u8 *) & rv->
spi, sizeof (rv->
spi));
217 if (proposal && proposal->
spi == spi && proposal->
protocol_id == prot_id)
328 if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
336 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->
dh_group == t2->dh_type)
347 sa->
dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
354 RAND_bytes ((
u8 *) & sa->
ispi, 8);
363 RAND_bytes ((
u8 *) & sa->
rspi, 8);
383 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;}) 402 if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
410 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->
dh_group == t2->dh_type)
421 sa->
dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
452 vec_add2 (s, tmp, 2 *
sizeof (*spi));
454 spi[0] = clib_host_to_net_u64 (sa->
ispi);
455 spi[1] = clib_host_to_net_u64 (sa->
rspi);
560 u32 len = clib_net_to_host_u32 (ike->length);
561 u8 payload = ike->nextpayload;
563 clib_warning (
"ispi %lx rspi %lx nextpayload %x version %x " 564 "exchange %x flags %x msgid %x length %u",
565 clib_net_to_host_u64 (ike->ispi),
566 clib_net_to_host_u64 (ike->rspi),
567 payload, ike->version,
568 ike->exchange, ike->flags,
569 clib_net_to_host_u32 (ike->msgid), len);
571 sa->
ispi = clib_net_to_host_u64 (ike->ispi);
579 ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
580 u32 plen = clib_net_to_host_u16 (ikep->length);
582 if (plen <
sizeof (ike_payload_header_t))
592 ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
593 sa->
dh_group = clib_net_to_host_u16 (ke->dh_group);
613 clib_warning (
"unknown payload %u flags %x length %u", payload,
623 payload = ikep->nextpayload;
635 u32 len = clib_net_to_host_u32 (ike->length);
636 u8 payload = ike->nextpayload;
638 clib_warning (
"ispi %lx rspi %lx nextpayload %x version %x " 639 "exchange %x flags %x msgid %x length %u",
640 clib_net_to_host_u64 (ike->ispi),
641 clib_net_to_host_u64 (ike->rspi),
642 payload, ike->version,
643 ike->exchange, ike->flags,
644 clib_net_to_host_u32 (ike->msgid), len);
646 sa->
ispi = clib_net_to_host_u64 (ike->ispi);
647 sa->
rspi = clib_net_to_host_u64 (ike->rspi);
655 ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
656 u32 plen = clib_net_to_host_u16 (ikep->length);
658 if (plen <
sizeof (ike_payload_header_t))
669 clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
674 ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
675 sa->
dh_group = clib_net_to_host_u16 (ke->dh_group);
695 clib_warning (
"unknown payload %u flags %x length %u", payload,
705 payload = ikep->nextpayload;
716 u32 len = clib_net_to_host_u32 (ike->length);
717 ike_payload_header_t *ikep = 0;
726 ikep = (ike_payload_header_t *) & ike->payload[p];
727 plen = clib_net_to_host_u16 (ikep->length);
729 if (plen <
sizeof (*ikep))
734 clib_warning (
"received IKEv2 payload SK, len %u", plen - 4);
735 last_payload = *payload;
739 clib_warning (
"unknown payload %u flags %x length %u", payload,
748 *payload = ikep->nextpayload;
762 plen = plen -
sizeof (*ikep) - tr_integ->
key_trunc;
764 if (memcmp (hmac, &ikep->payload[plen], tr_integ->
key_trunc))
790 if (tmp->i_id.type != sa->i_id.type ||
791 vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) ||
792 memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data)))
795 if (sa->rspi != tmp->rspi)
796 vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
800 for (i = 0; i <
vec_len (
delete); i++)
819 u32 len = clib_net_to_host_u32 (ike->length);
820 u8 payload = ike->nextpayload;
823 ike_payload_header_t *ikep;
826 clib_warning (
"ispi %lx rspi %lx nextpayload %x version %x " 827 "exchange %x flags %x msgid %x length %u",
828 clib_net_to_host_u64 (ike->ispi),
829 clib_net_to_host_u64 (ike->rspi),
830 payload, ike->version,
831 ike->exchange, ike->flags,
832 clib_net_to_host_u32 (ike->msgid), len);
842 goto cleanup_and_exit;
848 first_child_sa = &sa->
childs[0];
861 ikep = (ike_payload_header_t *) & plaintext[p];
862 plen = clib_net_to_host_u16 (ikep->length);
864 if (plen <
sizeof (ike_payload_header_t))
865 goto cleanup_and_exit;
869 clib_warning (
"received payload SA, len %u", plen -
sizeof (*ikep));
883 ike_id_payload_header_t *
id = (ike_id_payload_header_t *) ikep;
889 clib_warning (
"received payload IDi, len %u id_type %u",
890 plen -
sizeof (*
id), id->id_type);
894 ike_id_payload_header_t *
id = (ike_id_payload_header_t *) ikep;
901 plen -
sizeof (*
id), id->id_type);
905 ike_auth_payload_header_t *
a = (ike_auth_payload_header_t *) ikep;
920 clib_warning (
"received payload AUTH, len %u auth_type %u",
921 plen -
sizeof (*a), a->auth_method);
926 if (n->
msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
939 plen -
sizeof (*ikep));
947 plen -
sizeof (*ikep));
954 clib_warning (
"unknown payload %u flags %x length %u data %u",
955 payload, ikep->flags, plen - 4,
966 payload = ikep->nextpayload;
979 u32 len = clib_net_to_host_u32 (ike->length);
980 u8 payload = ike->nextpayload;
983 ike_payload_header_t *ikep;
986 clib_warning (
"ispi %lx rspi %lx nextpayload %x version %x " 987 "exchange %x flags %x msgid %x length %u",
988 clib_net_to_host_u64 (ike->ispi),
989 clib_net_to_host_u64 (ike->rspi),
990 payload, ike->version,
991 ike->exchange, ike->flags,
992 clib_net_to_host_u32 (ike->msgid), len);
997 goto cleanup_and_exit;
1003 ikep = (ike_payload_header_t *) & plaintext[p];
1004 plen = clib_net_to_host_u16 (ikep->length);
1006 if (plen <
sizeof (ike_payload_header_t))
1007 goto cleanup_and_exit;
1012 if (n->
msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1026 clib_warning (
"unknown payload %u flags %x length %u data %u",
1027 payload, ikep->flags, plen - 4,
1037 payload = ikep->nextpayload;
1050 u32 len = clib_net_to_host_u32 (ike->length);
1051 u8 payload = ike->nextpayload;
1056 ike_payload_header_t *ikep;
1064 clib_warning (
"ispi %lx rspi %lx nextpayload %x version %x " 1065 "exchange %x flags %x msgid %x length %u",
1066 clib_net_to_host_u64 (ike->ispi),
1067 clib_net_to_host_u64 (ike->rspi),
1068 payload, ike->version,
1069 ike->exchange, ike->flags,
1070 clib_net_to_host_u32 (ike->msgid), len);
1075 goto cleanup_and_exit;
1081 ikep = (ike_payload_header_t *) & plaintext[p];
1082 plen = clib_net_to_host_u16 (ikep->length);
1084 if (plen <
sizeof (ike_payload_header_t))
1085 goto cleanup_and_exit;
1094 if (n->
msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1109 clib_memcpy (nonce, ikep->payload, plen - sizeof (*ikep));
1121 clib_warning (
"unknown payload %u flags %x length %u data %u",
1122 payload, ikep->flags, plen - 4,
1132 payload = ikep->nextpayload;
1162 goto cleanup_and_exit;
1246 ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1252 if (sa->is_initiator)
1273 if (ikev2_ts_cmp(p_tsi, ts))
1297 sa->childs[0].tsi = tsi;
1298 sa->childs[0].tsr = tsr;
1313 u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1320 if (!(sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1350 if (p->rem_id.type != sa_id->type ||
1351 vec_len(p->rem_id.data) != vec_len(sa_id->data) ||
1352 memcmp(p->rem_id.data, sa_id->data, vec_len(p->rem_id.data)))
1355 if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1357 if (!p->auth.data ||
1358 p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1361 psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
1362 auth = ikev2_calc_prf(tr_prf, psk, authmsg);
1364 if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
1366 ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1373 else if (sa_auth->
method == IKEV2_AUTH_METHOD_RSA_SIG)
1375 if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1378 if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
1380 ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1395 if (!sa->is_initiator)
1398 sa->r_id.data =
vec_dup (sel_p->loc_id.data);
1399 sa->r_id.type = sel_p->loc_id.type;
1403 if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1406 sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1408 else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1411 sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1417 sa->childs[0].r_proposals =
1435 u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1442 if (!(sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1457 if (sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1462 else if (sa->
i_auth.
method == IKEV2_AUTH_METHOD_RSA_SIG)
1491 memset (&a, 0,
sizeof (a));
1525 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
1528 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
1531 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
1556 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
1557 integ_type = IPSEC_INTEG_ALG_SHA_256_128;
1559 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
1560 integ_type = IPSEC_INTEG_ALG_SHA_384_192;
1562 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
1563 integ_type = IPSEC_INTEG_ALG_SHA_512_256;
1565 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
1566 integ_type = IPSEC_INTEG_ALG_SHA1_96;
1581 u8 *loc_ckey, *rem_ckey, *loc_ikey, *rem_ikey;
1584 loc_ikey = child->
sk_ai;
1585 rem_ikey = child->
sk_ar;
1586 loc_ckey = child->
sk_ei;
1587 rem_ckey = child->
sk_er;
1591 loc_ikey = child->
sk_ar;
1592 rem_ikey = child->
sk_ai;
1593 loc_ckey = child->
sk_er;
1594 rem_ckey = child->
sk_ei;
1670 ike_payload_header_t *ph;
1688 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1691 else if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
1697 IKEV2_TRANSFORM_TYPE_DH);
1700 data[0] = (tr_dh->
dh_type >> 8) & 0xff;
1701 data[1] = (tr_dh->
dh_type) & 0xff;
1704 IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD,
1715 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1721 ike->rspi = clib_host_to_net_u64 (sa->
rspi);
1740 IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
1754 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1766 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1820 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1835 memset (¬ify, 0,
sizeof (notify));
1838 *(
u32 *) data = clib_host_to_net_u32 (notify.
spi);
1867 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1875 IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
1884 tlen =
sizeof (*ike);
1900 ike->length = clib_host_to_net_u32 (tlen);
1913 plen =
sizeof (*ph);
1914 ph = (ike_payload_header_t *) & ike->payload[0];
1925 ph->length = clib_host_to_net_u16 (plen);
1926 ike->length = clib_host_to_net_u32 (tlen);
1957 if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
1958 sa->iaddr.as_u32 == iaddr.as_u32 &&
1959 sa->raddr.as_u32 == raddr.as_u32)
1962 u32 len = clib_net_to_host_u32(ike->length);
1963 u8 payload = ike->nextpayload;
1965 while (p < len && payload!= IKEV2_PAYLOAD_NONE) {
1966 ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
1967 u32 plen = clib_net_to_host_u16(ikep->length);
1969 if (plen < sizeof(ike_payload_header_t))
1972 if (payload == IKEV2_PAYLOAD_NONCE)
1974 if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
1977 if (sa->state == IKEV2_STATE_SA_INIT)
1980 tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
1981 ike->ispi = tmp->ispi;
1982 ike->rspi = tmp->rspi;
1983 ike->nextpayload = tmp->nextpayload;
1984 ike->version = tmp->version;
1985 ike->exchange = tmp->exchange;
1986 ike->flags = tmp->flags;
1987 ike->msgid = tmp->msgid;
1988 ike->length = tmp->length;
1989 clib_memcpy(ike->payload, tmp->payload,
1990 clib_net_to_host_u32(tmp->length) - sizeof(*ike));
1991 clib_warning(
"IKE_SA_INIT retransmit from %U to %U",
1992 format_ip4_address, &raddr,
1993 format_ip4_address, &iaddr);
1999 clib_warning(
"IKE_SA_INIT ignore from %U to %U",
2000 format_ip4_address, &raddr,
2001 format_ip4_address, &iaddr);
2006 payload = ikep->nextpayload;
2020 u32 msg_id = clib_net_to_host_u32 (ike->msgid);
2033 ike->ispi = tmp->ispi;
2034 ike->rspi = tmp->rspi;
2035 ike->nextpayload = tmp->nextpayload;
2036 ike->version = tmp->version;
2037 ike->exchange = tmp->exchange;
2038 ike->flags = tmp->flags;
2039 ike->msgid = tmp->msgid;
2040 ike->length = tmp->length;
2042 clib_net_to_host_u32 (tmp->length) -
sizeof (*ike));
2065 u32 n_left_from, *from, *to_next;
2074 while (n_left_from > 0)
2080 while (n_left_from > 0 && n_left_to_next > 0)
2100 n_left_to_next -= 1;
2112 IKEV2_ERROR_NOT_IKEV2, 1);
2119 memset (sa0, 0,
sizeof (*sa0));
2123 if (ike0->rspi == 0)
2133 IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
2135 len = clib_net_to_host_u32 (ike0->length);
2141 IKEV2_ERROR_IKE_SA_INIT_IGNORE,
2170 per_thread_data[thread_index].sa_by_rspi,
2220 clib_net_to_host_u64 (ike0->rspi));
2231 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2233 len = clib_net_to_host_u32 (ike0->length);
2239 IKEV2_ERROR_IKE_REQ_IGNORE,
2277 clib_net_to_host_u64 (ike0->rspi));
2288 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2290 len = clib_net_to_host_u32 (ike0->length);
2296 IKEV2_ERROR_IKE_REQ_IGNORE,
2343 clib_net_to_host_u64 (ike0->rspi));
2354 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2356 len = clib_net_to_host_u32 (ike0->length);
2362 IKEV2_ERROR_IKE_REQ_IGNORE,
2394 clib_warning (
"IKEv2 exchange %u packet received from %U to %U",
2437 && (b0->
flags & VLIB_BUFFER_IS_TRACED)))
2445 n_left_to_next, bi0, next0);
2452 IKEV2_ERROR_PROCESSED, frame->
n_vectors);
2460 .vector_size =
sizeof (
u32),
2485 vec_add2 (*proposals, proposal, 1);
2493 if (td->
type == IKEV2_TRANSFORM_TYPE_ENCR
2498 attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
2499 attr[1] = clib_host_to_net_u16 (td->
key_len << 3);
2518 if (td->
type == IKEV2_TRANSFORM_TYPE_INTEG
2529 (
"Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
2540 if (td->
type == IKEV2_TRANSFORM_TYPE_PRF
2541 && td->
prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
2581 if (td->
type == IKEV2_TRANSFORM_TYPE_ESN)
2638 udp0->
dst_port = clib_host_to_net_u16 (500);
2639 udp0->
src_port = clib_host_to_net_u16 (500);
2694 memset (p, 0,
sizeof (*p));
2715 u8 * auth_data,
u8 data_hex_format)
2730 p->
auth.
hex = data_hex_format;
2732 if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
2752 if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
2753 && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
2849 u32 crypto_key_size)
2874 u32 crypto_key_size)
2946 int len =
sizeof (ike_header_t);
2992 u8 nat_detection_source[8 + 8 + 4 + 2];
2995 u64 tmpspi = clib_host_to_net_u64 (sa.
ispi);
2996 clib_memcpy (&nat_detection_source[0], &tmpspi,
sizeof (tmpspi));
2997 tmpspi = clib_host_to_net_u64 (sa.
rspi);
2998 clib_memcpy (&nat_detection_source[8], &tmpspi,
sizeof (tmpspi));
2999 u16 tmpport = clib_host_to_net_u16 (500);
3000 clib_memcpy (&nat_detection_source[8 + 8 + 4], &tmpport,
3002 u32 tmpip = clib_host_to_net_u32 (if_ip->
as_u32);
3003 clib_memcpy (&nat_detection_source[8 + 8], &tmpip,
sizeof (tmpip));
3004 SHA1 (nat_detection_source,
sizeof (nat_detection_source),
3005 nat_detection_sha1);
3007 nat_detection_sha1);
3009 clib_memcpy (&nat_detection_source[8 + 8], &tmpip,
sizeof (tmpip));
3010 SHA1 (nat_detection_source,
sizeof (nat_detection_source),
3011 nat_detection_sha1);
3013 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
3014 nat_detection_sha1);
3018 u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
3019 clib_memcpy (sig_hash_algo, &tmpsig,
sizeof (tmpsig));
3021 IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
3029 ike0->length = clib_host_to_net_u32 (len);
3036 ike0->ispi = sa.
ispi;
3050 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 3085 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
3086 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
3118 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3128 if (!fchild || !fsa)
3158 if (sa->ispi == ispi)
3185 ike0->ispi = clib_host_to_net_u64 (fsa->ispi);
3186 ike0->rspi = clib_host_to_net_u64 (fsa->rspi);
3189 fsa->del->spi = ispi;
3190 ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1);
3191 fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3233 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
3234 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
3243 RAND_bytes ((
u8 *) & proposals[0].spi,
sizeof (proposals[0].spi));
3244 rekey->
spi = proposals[0].
spi;
3268 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3278 if (!fchild || !fsa)
3308 for (thread_id = 0; thread_id < tm->
n_vlib_mains - 1; thread_id++)
3349 clib_warning (
"Rekeying Child SA 0x%x, retries left %d",
3387 fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
3397 if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
3399 if (!fchild->is_expired
3400 && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
3402 fchild->time_to_expiration = now;
3429 ikev2_child_sa_t *c;
3430 vec_foreach (c, sa->childs)
3432 req_sent |= ikev2_mngr_process_child_sa(sa, c);
3442 ikev2_mngr_process_ipsec_sa(sa);
3462 "ikev2-manager-process",