FD.io VPP  v19.08.3-2-gbabecb413
Vector Packet Processing
ikev2.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vlib/vlib.h>
17 #include <vlib/unix/plugin.h>
18 #include <vpp/app/version.h>
19 #include <vnet/vnet.h>
20 #include <vnet/pg/pg.h>
21 #include <vppinfra/error.h>
22 #include <vppinfra/random.h>
23 #include <vnet/udp/udp.h>
24 #include <vnet/ipsec/ipsec.h>
25 #include <plugins/ikev2/ikev2.h>
27 #include <openssl/sha.h>
28 
30 
32  ikev2_sa_t * sa,
33  ikev2_child_sa_t * child);
34 
35 #define ikev2_set_state(sa, v) do { \
36  (sa)->state = v; \
37  clib_warning("sa state changed to " #v); \
38  } while(0);
39 
40 typedef struct
41 {
45 
46 static u8 *
47 format_ikev2_trace (u8 * s, va_list * args)
48 {
49  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
50  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
51  ikev2_trace_t *t = va_arg (*args, ikev2_trace_t *);
52 
53  s = format (s, "ikev2: sw_if_index %d, next index %d",
54  t->sw_if_index, t->next_index);
55  return s;
56 }
57 
59 
60 #define foreach_ikev2_error \
61 _(PROCESSED, "IKEv2 packets processed") \
62 _(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \
63 _(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \
64 _(IKE_REQ_RETRANSMIT, "IKE request retransmit") \
65 _(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \
66 _(NOT_IKEV2, "Non IKEv2 packets received")
67 
68 typedef enum
69 {
70 #define _(sym,str) IKEV2_ERROR_##sym,
72 #undef _
75 
76 static char *ikev2_error_strings[] = {
77 #define _(sym,string) string,
79 #undef _
80 };
81 
82 typedef enum
83 {
87 } ikev2_next_t;
88 
89 static ikev2_sa_transform_t *
91 {
92  ikev2_main_t *km = &ikev2_main;
94 
96  {
97  if (td->type != t->type)
98  continue;
99 
100  if (td->transform_id != t->transform_id)
101  continue;
102 
103  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR)
104  {
105  if (vec_len (t->attrs) != 4 || t->attrs[0] != 0x80
106  || t->attrs[1] != 14)
107  continue;
108 
109  if (((t->attrs[2] << 8 | t->attrs[3]) / 8) != td->key_len)
110  continue;
111  }
112  return td;
113  }
114  return 0;
115 }
116 
117 static ikev2_sa_proposal_t *
119  ikev2_protocol_id_t prot_id)
120 {
121  ikev2_sa_proposal_t *rv = 0;
122  ikev2_sa_proposal_t *proposal;
123  ikev2_sa_transform_t *transform, *new_t;
124  u8 mandatory_bitmap, optional_bitmap;
125 
126  if (prot_id == IKEV2_PROTOCOL_IKE)
127  {
128  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
129  (1 << IKEV2_TRANSFORM_TYPE_PRF) |
130  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
131  optional_bitmap = mandatory_bitmap;
132  }
133  else if (prot_id == IKEV2_PROTOCOL_ESP)
134  {
135  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
136  (1 << IKEV2_TRANSFORM_TYPE_ESN);
137  optional_bitmap = mandatory_bitmap |
138  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
139  }
140  else if (prot_id == IKEV2_PROTOCOL_AH)
141  {
142  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
143  (1 << IKEV2_TRANSFORM_TYPE_ESN);
144  optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
145  }
146  else
147  return 0;
148 
149  vec_add2 (rv, proposal, 1);
150 
151  vec_foreach (proposal, proposals)
152  {
153  u8 bitmap = 0;
154  if (proposal->protocol_id != prot_id)
155  continue;
156 
157  vec_foreach (transform, proposal->transforms)
158  {
159  if ((1 << transform->type) & bitmap)
160  continue;
161 
162  if (ikev2_find_transform_data (transform))
163  {
164  bitmap |= 1 << transform->type;
165  vec_add2 (rv->transforms, new_t, 1);
166  clib_memcpy_fast (new_t, transform, sizeof (*new_t));
167  new_t->attrs = vec_dup (transform->attrs);
168  }
169  }
170 
171  clib_warning ("bitmap is %x mandatory is %x optional is %x",
172  bitmap, mandatory_bitmap, optional_bitmap);
173 
174  if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
175  (bitmap & ~optional_bitmap) == 0)
176  {
177  rv->proposal_num = proposal->proposal_num;
178  rv->protocol_id = proposal->protocol_id;
179  RAND_bytes ((u8 *) & rv->spi, sizeof (rv->spi));
180  goto done;
181  }
182  else
183  {
184  vec_free (rv->transforms);
185  }
186  }
187 
188  vec_free (rv);
189 done:
190  return rv;
191 }
192 
196 {
198 
199  if (!p)
200  return 0;
201 
202  vec_foreach (t, p->transforms)
203  {
204  if (t->type == type)
205  return ikev2_find_transform_data (t);
206  }
207  return 0;
208 }
209 
212  int by_initiator)
213 {
215  vec_foreach (c, sa->childs)
216  {
217  ikev2_sa_proposal_t *proposal =
218  by_initiator ? &c->i_proposals[0] : &c->r_proposals[0];
219  if (proposal && proposal->spi == spi && proposal->protocol_id == prot_id)
220  return c;
221  }
222 
223  return 0;
224 }
225 
226 void
228 {
231 
232  if (!*v)
233  return;
234 
235  vec_foreach (p, *v)
236  {
237  vec_foreach (t, p->transforms)
238  {
239  vec_free (t->attrs);
240  }
241  vec_free (p->transforms);
242  }
243  vec_free (*v);
244 };
245 
246 static void
248 {
251  vec_free (c->sk_ai);
252  vec_free (c->sk_ar);
253  vec_free (c->sk_ei);
254  vec_free (c->sk_er);
255  vec_free (c->tsi);
256  vec_free (c->tsr);
257 }
258 
259 static void
261 {
263  vec_foreach (c, *childs) ikev2_sa_free_child_sa (c);
264 
265  vec_free (*childs);
266 }
267 
268 static void
270 {
271  ikev2_sa_free_child_sa (child);
272  vec_del1 (sa->childs, child - sa->childs);
273 }
274 
275 static void
277 {
278  vec_free (sa->i_nonce);
279  vec_free (sa->i_dh_data);
280  vec_free (sa->dh_shared_key);
281  vec_free (sa->dh_private_key);
282 
285 
286  vec_free (sa->sk_d);
287  vec_free (sa->sk_ai);
288  vec_free (sa->sk_ar);
289  vec_free (sa->sk_ei);
290  vec_free (sa->sk_er);
291  vec_free (sa->sk_pi);
292  vec_free (sa->sk_pr);
293 
294  vec_free (sa->i_id.data);
295  vec_free (sa->i_auth.data);
296  vec_free (sa->r_id.data);
297  vec_free (sa->r_auth.data);
298  if (sa->r_auth.key)
299  EVP_PKEY_free (sa->r_auth.key);
300 
301  vec_free (sa->del);
302 
304 }
305 
306 static void
308 {
309  ikev2_main_t *km = &ikev2_main;
310  u32 thread_index = vlib_get_thread_index ();
311  uword *p;
312 
314 
315  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
316  if (p)
317  {
318  hash_unset (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
319  pool_put (km->per_thread_data[thread_index].sas, sa);
320  }
321 }
322 
323 static void
325 {
326  ikev2_sa_transform_t *t = 0, *t2;
327  ikev2_main_t *km = &ikev2_main;
328 
329  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
330  {
331  return;
332  }
333 
334  /* check if received DH group is on our list of supported groups */
336  {
337  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
338  {
339  t = t2;
340  break;
341  }
342  }
343 
344  if (!t)
345  {
346  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
347  vec_len (sa->i_dh_data));
348  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
349  return;
350  }
351 
352  if (sa->is_initiator)
353  {
354  /* generate rspi */
355  RAND_bytes ((u8 *) & sa->ispi, 8);
356 
357  /* generate nonce */
359  RAND_bytes ((u8 *) sa->i_nonce, IKEV2_NONCE_SIZE);
360  }
361  else
362  {
363  /* generate rspi */
364  RAND_bytes ((u8 *) & sa->rspi, 8);
365 
366  /* generate nonce */
368  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
369  }
370 
371  /* generate dh keys */
372  ikev2_generate_dh (sa, t);
373 
374 }
375 
376 static void
378 {
379  ikev2_sa_transform_t *t = 0, *t2;
380  ikev2_main_t *km = &ikev2_main;
381 
382 
383  /*move some data to the new SA */
384 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
385  sa->i_nonce = _(sai->i_nonce);
386  sa->i_dh_data = _(sai->i_dh_data);
387  sa->dh_private_key = _(sai->dh_private_key);
388  sa->iaddr.as_u32 = sai->iaddr.as_u32;
389  sa->raddr.as_u32 = sai->raddr.as_u32;
390  sa->is_initiator = sai->is_initiator;
391  sa->i_id.type = sai->i_id.type;
392  sa->profile_index = sai->profile_index;
394  sa->i_id.data = _(sai->i_id.data);
395  sa->i_auth.method = sai->i_auth.method;
396  sa->i_auth.hex = sai->i_auth.hex;
397  sa->i_auth.data = _(sai->i_auth.data);
398  sa->i_auth.key = _(sai->i_auth.key);
400  sa->childs = _(sai->childs);
401 #undef _
402 
403 
404  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
405  {
406  return;
407  }
408 
409  /* check if received DH group is on our list of supported groups */
411  {
412  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
413  {
414  t = t2;
415  break;
416  }
417  }
418 
419  if (!t)
420  {
421  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
422  vec_len (sa->i_dh_data));
423  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
424  return;
425  }
426 
427 
428  /* generate dh keys */
429  ikev2_complete_dh (sa, t);
430 
431 }
432 
433 static void
435 {
436  u8 *tmp;
437  /* calculate SKEYSEED = prf(Ni | Nr, g^ir) */
438  u8 *skeyseed = 0;
439  u8 *s = 0;
440  ikev2_sa_transform_t *tr_encr, *tr_prf, *tr_integ;
441  tr_encr =
442  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
443  tr_prf =
444  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
445  tr_integ =
446  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
447 
448  vec_append (s, sa->i_nonce);
449  vec_append (s, sa->r_nonce);
450  skeyseed = ikev2_calc_prf (tr_prf, s, sa->dh_shared_key);
451 
452  /* Calculate S = Ni | Nr | SPIi | SPIr */
453  u64 *spi;
454  vec_add2 (s, tmp, 2 * sizeof (*spi));
455  spi = (u64 *) tmp;
456  spi[0] = clib_host_to_net_u64 (sa->ispi);
457  spi[1] = clib_host_to_net_u64 (sa->rspi);
458 
459  /* calculate PRFplus */
460  u8 *keymat;
461  int len = tr_prf->key_trunc + /* SK_d */
462  tr_integ->key_len * 2 + /* SK_ai, SK_ar */
463  tr_encr->key_len * 2 + /* SK_ei, SK_er */
464  tr_prf->key_len * 2; /* SK_pi, SK_pr */
465 
466  keymat = ikev2_calc_prfplus (tr_prf, skeyseed, s, len);
467  vec_free (skeyseed);
468  vec_free (s);
469 
470  int pos = 0;
471 
472  /* SK_d */
473  sa->sk_d = vec_new (u8, tr_prf->key_trunc);
474  clib_memcpy_fast (sa->sk_d, keymat + pos, tr_prf->key_trunc);
475  pos += tr_prf->key_trunc;
476 
477  /* SK_ai */
478  sa->sk_ai = vec_new (u8, tr_integ->key_len);
479  clib_memcpy_fast (sa->sk_ai, keymat + pos, tr_integ->key_len);
480  pos += tr_integ->key_len;
481 
482  /* SK_ar */
483  sa->sk_ar = vec_new (u8, tr_integ->key_len);
484  clib_memcpy_fast (sa->sk_ar, keymat + pos, tr_integ->key_len);
485  pos += tr_integ->key_len;
486 
487  /* SK_ei */
488  sa->sk_ei = vec_new (u8, tr_encr->key_len);
489  clib_memcpy_fast (sa->sk_ei, keymat + pos, tr_encr->key_len);
490  pos += tr_encr->key_len;
491 
492  /* SK_er */
493  sa->sk_er = vec_new (u8, tr_encr->key_len);
494  clib_memcpy_fast (sa->sk_er, keymat + pos, tr_encr->key_len);
495  pos += tr_encr->key_len;
496 
497  /* SK_pi */
498  sa->sk_pi = vec_new (u8, tr_prf->key_len);
499  clib_memcpy_fast (sa->sk_pi, keymat + pos, tr_prf->key_len);
500  pos += tr_prf->key_len;
501 
502  /* SK_pr */
503  sa->sk_pr = vec_new (u8, tr_prf->key_len);
504  clib_memcpy_fast (sa->sk_pr, keymat + pos, tr_prf->key_len);
505  pos += tr_prf->key_len;
506 
507  vec_free (keymat);
508 }
509 
510 static void
512 {
513  u8 *s = 0;
514  ikev2_sa_transform_t *tr_prf, *ctr_encr, *ctr_integ;
515  tr_prf =
516  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
517  ctr_encr =
518  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
519  ctr_integ =
520  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
521 
522  vec_append (s, sa->i_nonce);
523  vec_append (s, sa->r_nonce);
524  /* calculate PRFplus */
525  u8 *keymat;
526  int len = ctr_encr->key_len * 2 + ctr_integ->key_len * 2;
527 
528  keymat = ikev2_calc_prfplus (tr_prf, sa->sk_d, s, len);
529 
530  int pos = 0;
531 
532  /* SK_ei */
533  child->sk_ei = vec_new (u8, ctr_encr->key_len);
534  clib_memcpy_fast (child->sk_ei, keymat + pos, ctr_encr->key_len);
535  pos += ctr_encr->key_len;
536 
537  /* SK_ai */
538  child->sk_ai = vec_new (u8, ctr_integ->key_len);
539  clib_memcpy_fast (child->sk_ai, keymat + pos, ctr_integ->key_len);
540  pos += ctr_integ->key_len;
541 
542  /* SK_er */
543  child->sk_er = vec_new (u8, ctr_encr->key_len);
544  clib_memcpy_fast (child->sk_er, keymat + pos, ctr_encr->key_len);
545  pos += ctr_encr->key_len;
546 
547  /* SK_ar */
548  child->sk_ar = vec_new (u8, ctr_integ->key_len);
549  clib_memcpy_fast (child->sk_ar, keymat + pos, ctr_integ->key_len);
550  pos += ctr_integ->key_len;
551 
552  ASSERT (pos == len);
553 
554  vec_free (keymat);
555 }
556 
557 static void
559  ike_header_t * ike)
560 {
561  int p = 0;
562  u32 len = clib_net_to_host_u32 (ike->length);
563  u8 payload = ike->nextpayload;
564 
565  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
566  "exchange %x flags %x msgid %x length %u",
567  clib_net_to_host_u64 (ike->ispi),
568  clib_net_to_host_u64 (ike->rspi),
569  payload, ike->version,
570  ike->exchange, ike->flags,
571  clib_net_to_host_u32 (ike->msgid), len);
572 
573  sa->ispi = clib_net_to_host_u64 (ike->ispi);
574 
575  /* store whole IKE payload - needed for PSK auth */
577  vec_add (sa->last_sa_init_req_packet_data, ike, len);
578 
579  while (p < len && payload != IKEV2_PAYLOAD_NONE)
580  {
581  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
582  u32 plen = clib_net_to_host_u16 (ikep->length);
583 
584  if (plen < sizeof (ike_payload_header_t))
585  return;
586 
587  if (payload == IKEV2_PAYLOAD_SA)
588  {
590  sa->i_proposals = ikev2_parse_sa_payload (ikep);
591  }
592  else if (payload == IKEV2_PAYLOAD_KE)
593  {
594  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
595  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
596  vec_free (sa->i_dh_data);
597  vec_add (sa->i_dh_data, ke->payload, plen - sizeof (*ke));
598  }
599  else if (payload == IKEV2_PAYLOAD_NONCE)
600  {
601  vec_free (sa->i_nonce);
602  vec_add (sa->i_nonce, ikep->payload, plen - sizeof (*ikep));
603  }
604  else if (payload == IKEV2_PAYLOAD_NOTIFY)
605  {
607  vec_free (n);
608  }
609  else if (payload == IKEV2_PAYLOAD_VENDOR)
610  {
612  }
613  else
614  {
615  clib_warning ("unknown payload %u flags %x length %u", payload,
616  ikep->flags, plen);
617  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
618  {
620  sa->unsupported_cp = payload;
621  return;
622  }
623  }
624 
625  payload = ikep->nextpayload;
626  p += plen;
627  }
628 
630 }
631 
632 static void
634  ike_header_t * ike)
635 {
636  int p = 0;
637  u32 len = clib_net_to_host_u32 (ike->length);
638  u8 payload = ike->nextpayload;
639 
640  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
641  "exchange %x flags %x msgid %x length %u",
642  clib_net_to_host_u64 (ike->ispi),
643  clib_net_to_host_u64 (ike->rspi),
644  payload, ike->version,
645  ike->exchange, ike->flags,
646  clib_net_to_host_u32 (ike->msgid), len);
647 
648  sa->ispi = clib_net_to_host_u64 (ike->ispi);
649  sa->rspi = clib_net_to_host_u64 (ike->rspi);
650 
651  /* store whole IKE payload - needed for PSK auth */
653  vec_add (sa->last_sa_init_res_packet_data, ike, len);
654 
655  while (p < len && payload != IKEV2_PAYLOAD_NONE)
656  {
657  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
658  u32 plen = clib_net_to_host_u16 (ikep->length);
659 
660  if (plen < sizeof (ike_payload_header_t))
661  return;
662 
663  if (payload == IKEV2_PAYLOAD_SA)
664  {
666  sa->r_proposals = ikev2_parse_sa_payload (ikep);
667  if (sa->r_proposals)
668  {
670  ike->msgid =
671  clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
672  }
673  }
674  else if (payload == IKEV2_PAYLOAD_KE)
675  {
676  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
677  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
678  vec_free (sa->r_dh_data);
679  vec_add (sa->r_dh_data, ke->payload, plen - sizeof (*ke));
680  }
681  else if (payload == IKEV2_PAYLOAD_NONCE)
682  {
683  vec_free (sa->r_nonce);
684  vec_add (sa->r_nonce, ikep->payload, plen - sizeof (*ikep));
685  }
686  else if (payload == IKEV2_PAYLOAD_NOTIFY)
687  {
689  vec_free (n);
690  }
691  else if (payload == IKEV2_PAYLOAD_VENDOR)
692  {
694  }
695  else
696  {
697  clib_warning ("unknown payload %u flags %x length %u", payload,
698  ikep->flags, plen);
699  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
700  {
702  sa->unsupported_cp = payload;
703  return;
704  }
705  }
706 
707  payload = ikep->nextpayload;
708  p += plen;
709  }
710 }
711 
712 static u8 *
713 ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
714 {
715  int p = 0;
716  u8 last_payload = 0;
717  u8 *hmac = 0;
718  u32 len = clib_net_to_host_u32 (ike->length);
719  ike_payload_header_t *ikep = 0;
720  u32 plen = 0;
721  ikev2_sa_transform_t *tr_integ;
722  tr_integ =
723  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
724 
725  while (p < len &&
726  *payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK)
727  {
728  ikep = (ike_payload_header_t *) & ike->payload[p];
729  plen = clib_net_to_host_u16 (ikep->length);
730 
731  if (plen < sizeof (*ikep))
732  return 0;
733 
734  if (*payload == IKEV2_PAYLOAD_SK)
735  {
736  clib_warning ("received IKEv2 payload SK, len %u", plen - 4);
737  last_payload = *payload;
738  }
739  else
740  {
741  clib_warning ("unknown payload %u flags %x length %u", payload,
742  ikep->flags, plen);
743  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
744  {
745  sa->unsupported_cp = *payload;
746  return 0;
747  }
748  }
749 
750  *payload = ikep->nextpayload;
751  p += plen;
752  }
753 
754  if (last_payload != IKEV2_PAYLOAD_SK)
755  {
756  clib_warning ("Last payload must be SK");
757  return 0;
758  }
759 
760  hmac =
761  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai,
762  (u8 *) ike, len - tr_integ->key_trunc);
763 
764  plen = plen - sizeof (*ikep) - tr_integ->key_trunc;
765 
766  if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
767  {
768  clib_warning ("message integrity check failed");
769  vec_free (hmac);
770  return 0;
771  }
772  vec_free (hmac);
773 
774  return ikev2_decrypt_data (sa, ikep->payload, plen);
775 }
776 
777 static void
779 {
780  ikev2_main_t *km = &ikev2_main;
781  ikev2_sa_t *tmp;
782  u32 i, *delete = 0;
784  u32 thread_index = vlib_get_thread_index ();
785 
786  if (!sa->initial_contact)
787  return;
788 
789  /* find old IKE SAs with the same authenticated identity */
790  /* *INDENT-OFF* */
791  pool_foreach (tmp, km->per_thread_data[thread_index].sas, ({
792  if (tmp->i_id.type != sa->i_id.type ||
793  vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) ||
794  memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data)))
795  continue;
796 
797  if (sa->rspi != tmp->rspi)
798  vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
799  }));
800  /* *INDENT-ON* */
801 
802  for (i = 0; i < vec_len (delete); i++)
803  {
804  tmp =
805  pool_elt_at_index (km->per_thread_data[thread_index].sas, delete[i]);
806  vec_foreach (c,
808  tmp, c);
809  ikev2_delete_sa (tmp);
810  }
811 
812  vec_free (delete);
813  sa->initial_contact = 0;
814 }
815 
816 static void
817 ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
818 {
819  ikev2_child_sa_t *first_child_sa;
820  int p = 0;
821  u32 len = clib_net_to_host_u32 (ike->length);
822  u8 payload = ike->nextpayload;
823  u8 *plaintext = 0;
824 
825  ike_payload_header_t *ikep;
826  u32 plen;
827 
828  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
829  "exchange %x flags %x msgid %x length %u",
830  clib_net_to_host_u64 (ike->ispi),
831  clib_net_to_host_u64 (ike->rspi),
832  payload, ike->version,
833  ike->exchange, ike->flags,
834  clib_net_to_host_u32 (ike->msgid), len);
835 
836  ikev2_calc_keys (sa);
837 
838  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
839 
840  if (!plaintext)
841  {
842  if (sa->unsupported_cp)
844  goto cleanup_and_exit;
845  }
846 
847  /* select or create 1st child SA */
848  if (sa->is_initiator)
849  {
850  first_child_sa = &sa->childs[0];
851  }
852  else
853  {
855  vec_add2 (sa->childs, first_child_sa, 1);
856  }
857 
858 
859  /* process encrypted payload */
860  p = 0;
861  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
862  {
863  ikep = (ike_payload_header_t *) & plaintext[p];
864  plen = clib_net_to_host_u16 (ikep->length);
865 
866  if (plen < sizeof (ike_payload_header_t))
867  goto cleanup_and_exit;
868 
869  if (payload == IKEV2_PAYLOAD_SA) /* 33 */
870  {
871  clib_warning ("received payload SA, len %u", plen - sizeof (*ikep));
872  if (sa->is_initiator)
873  {
874  ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
875  first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep);
876  }
877  else
878  {
879  ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals);
880  first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
881  }
882  }
883  else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
884  {
885  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
886 
887  sa->i_id.type = id->id_type;
888  vec_free (sa->i_id.data);
889  vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
890 
891  clib_warning ("received payload IDi, len %u id_type %u",
892  plen - sizeof (*id), id->id_type);
893  }
894  else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
895  {
896  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
897 
898  sa->r_id.type = id->id_type;
899  vec_free (sa->r_id.data);
900  vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
901 
902  clib_warning ("received payload IDr len %u id_type %u",
903  plen - sizeof (*id), id->id_type);
904  }
905  else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
906  {
907  ike_auth_payload_header_t *a = (ike_auth_payload_header_t *) ikep;
908 
909  if (sa->is_initiator)
910  {
911  sa->r_auth.method = a->auth_method;
912  vec_free (sa->r_auth.data);
913  vec_add (sa->r_auth.data, a->payload, plen - sizeof (*a));
914  }
915  else
916  {
917  sa->i_auth.method = a->auth_method;
918  vec_free (sa->i_auth.data);
919  vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a));
920  }
921 
922  clib_warning ("received payload AUTH, len %u auth_type %u",
923  plen - sizeof (*a), a->auth_method);
924  }
925  else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
926  {
928  if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
929  {
930  sa->initial_contact = 1;
931  }
932  vec_free (n);
933  }
934  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
935  {
937  }
938  else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
939  {
940  clib_warning ("received payload TSi, len %u",
941  plen - sizeof (*ikep));
942 
943  vec_free (first_child_sa->tsi);
944  first_child_sa->tsi = ikev2_parse_ts_payload (ikep);
945  }
946  else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
947  {
948  clib_warning ("received payload TSr, len %u",
949  plen - sizeof (*ikep));
950 
951  vec_free (first_child_sa->tsr);
952  first_child_sa->tsr = ikev2_parse_ts_payload (ikep);
953  }
954  else
955  {
956  clib_warning ("unknown payload %u flags %x length %u data %u",
957  payload, ikep->flags, plen - 4,
958  format_hex_bytes, ikep->payload, plen - 4);
959 
960  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
961  {
963  sa->unsupported_cp = payload;
964  return;
965  }
966  }
967 
968  payload = ikep->nextpayload;
969  p += plen;
970  }
971 
972 cleanup_and_exit:
973  vec_free (plaintext);
974 }
975 
976 static void
978  ike_header_t * ike)
979 {
980  int p = 0;
981  u32 len = clib_net_to_host_u32 (ike->length);
982  u8 payload = ike->nextpayload;
983  u8 *plaintext = 0;
984 
985  ike_payload_header_t *ikep;
986  u32 plen;
987 
988  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
989  "exchange %x flags %x msgid %x length %u",
990  clib_net_to_host_u64 (ike->ispi),
991  clib_net_to_host_u64 (ike->rspi),
992  payload, ike->version,
993  ike->exchange, ike->flags,
994  clib_net_to_host_u32 (ike->msgid), len);
995 
996  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
997 
998  if (!plaintext)
999  goto cleanup_and_exit;
1000 
1001  /* process encrypted payload */
1002  p = 0;
1003  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
1004  {
1005  ikep = (ike_payload_header_t *) & plaintext[p];
1006  plen = clib_net_to_host_u16 (ikep->length);
1007 
1008  if (plen < sizeof (ike_payload_header_t))
1009  goto cleanup_and_exit;
1010 
1011  if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
1012  {
1014  if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1016  vec_free (n);
1017  }
1018  else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */
1019  {
1020  sa->del = ikev2_parse_delete_payload (ikep);
1021  }
1022  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
1023  {
1025  }
1026  else
1027  {
1028  clib_warning ("unknown payload %u flags %x length %u data %u",
1029  payload, ikep->flags, plen - 4,
1030  format_hex_bytes, ikep->payload, plen - 4);
1031 
1032  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1033  {
1034  sa->unsupported_cp = payload;
1035  return;
1036  }
1037  }
1038 
1039  payload = ikep->nextpayload;
1040  p += plen;
1041  }
1042 
1043 cleanup_and_exit:
1044  vec_free (plaintext);
1045 }
1046 
1047 static void
1049  ike_header_t * ike)
1050 {
1051  int p = 0;
1052  u32 len = clib_net_to_host_u32 (ike->length);
1053  u8 payload = ike->nextpayload;
1054  u8 *plaintext = 0;
1055  u8 rekeying = 0;
1056  u8 nonce[IKEV2_NONCE_SIZE];
1057 
1058  ike_payload_header_t *ikep;
1059  u32 plen;
1060  ikev2_notify_t *n = 0;
1061  ikev2_ts_t *tsi = 0;
1062  ikev2_ts_t *tsr = 0;
1063  ikev2_sa_proposal_t *proposal = 0;
1064  ikev2_child_sa_t *child_sa;
1065 
1066  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
1067  "exchange %x flags %x msgid %x length %u",
1068  clib_net_to_host_u64 (ike->ispi),
1069  clib_net_to_host_u64 (ike->rspi),
1070  payload, ike->version,
1071  ike->exchange, ike->flags,
1072  clib_net_to_host_u32 (ike->msgid), len);
1073 
1074  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
1075 
1076  if (!plaintext)
1077  goto cleanup_and_exit;
1078 
1079  /* process encrypted payload */
1080  p = 0;
1081  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
1082  {
1083  ikep = (ike_payload_header_t *) & plaintext[p];
1084  plen = clib_net_to_host_u16 (ikep->length);
1085 
1086  if (plen < sizeof (ike_payload_header_t))
1087  goto cleanup_and_exit;
1088 
1089  else if (payload == IKEV2_PAYLOAD_SA)
1090  {
1091  proposal = ikev2_parse_sa_payload (ikep);
1092  }
1093  else if (payload == IKEV2_PAYLOAD_NOTIFY)
1094  {
1095  n = ikev2_parse_notify_payload (ikep);
1096  if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1097  {
1098  rekeying = 1;
1099  }
1100  }
1101  else if (payload == IKEV2_PAYLOAD_DELETE)
1102  {
1103  sa->del = ikev2_parse_delete_payload (ikep);
1104  }
1105  else if (payload == IKEV2_PAYLOAD_VENDOR)
1106  {
1108  }
1109  else if (payload == IKEV2_PAYLOAD_NONCE)
1110  {
1111  clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep));
1112  }
1113  else if (payload == IKEV2_PAYLOAD_TSI)
1114  {
1115  tsi = ikev2_parse_ts_payload (ikep);
1116  }
1117  else if (payload == IKEV2_PAYLOAD_TSR)
1118  {
1119  tsr = ikev2_parse_ts_payload (ikep);
1120  }
1121  else
1122  {
1123  clib_warning ("unknown payload %u flags %x length %u data %u",
1124  payload, ikep->flags, plen - 4,
1125  format_hex_bytes, ikep->payload, plen - 4);
1126 
1127  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1128  {
1129  sa->unsupported_cp = payload;
1130  return;
1131  }
1132  }
1133 
1134  payload = ikep->nextpayload;
1135  p += plen;
1136  }
1137 
1138  if (sa->is_initiator && proposal->protocol_id == IKEV2_PROTOCOL_ESP)
1139  {
1140  ikev2_rekey_t *rekey = &sa->rekey[0];
1141  rekey->protocol_id = proposal->protocol_id;
1142  rekey->i_proposal =
1144  rekey->i_proposal->spi = rekey->spi;
1145  rekey->r_proposal = proposal;
1146  rekey->tsi = tsi;
1147  rekey->tsr = tsr;
1148  /* update Nr */
1149  vec_free (sa->r_nonce);
1150  vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE);
1151  child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
1152  if (child_sa)
1153  {
1154  child_sa->rekey_retries = 0;
1155  }
1156  }
1157  else if (rekeying)
1158  {
1159  ikev2_rekey_t *rekey;
1160  child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
1161  if (!child_sa)
1162  {
1163  clib_warning ("child SA spi %lx not found", n->spi);
1164  goto cleanup_and_exit;
1165  }
1166  vec_add2 (sa->rekey, rekey, 1);
1167  rekey->protocol_id = n->protocol_id;
1168  rekey->spi = n->spi;
1169  rekey->i_proposal = proposal;
1170  rekey->r_proposal =
1172  rekey->tsi = tsi;
1173  rekey->tsr = tsr;
1174  /* update Ni */
1175  vec_free (sa->i_nonce);
1176  vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE);
1177  /* generate new Nr */
1178  vec_free (sa->r_nonce);
1180  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
1181  }
1182 
1183 cleanup_and_exit:
1184  vec_free (plaintext);
1185  vec_free (n);
1186 }
1187 
1188 static u8 *
1189 ikev2_sa_generate_authmsg (ikev2_sa_t * sa, int is_responder)
1190 {
1191  u8 *authmsg = 0;
1192  u8 *data;
1193  u8 *nonce;
1194  ikev2_id_t *id;
1195  u8 *key;
1196  u8 *packet_data;
1197  ikev2_sa_transform_t *tr_prf;
1198 
1199  tr_prf =
1200  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1201 
1202  if (is_responder)
1203  {
1204  id = &sa->r_id;
1205  key = sa->sk_pr;
1206  nonce = sa->i_nonce;
1207  packet_data = sa->last_sa_init_res_packet_data;
1208  }
1209  else
1210  {
1211  id = &sa->i_id;
1212  key = sa->sk_pi;
1213  nonce = sa->r_nonce;
1214  packet_data = sa->last_sa_init_req_packet_data;
1215  }
1216 
1217  data = vec_new (u8, 4);
1218  data[0] = id->type;
1219  vec_append (data, id->data);
1220 
1221  u8 *id_hash = ikev2_calc_prf (tr_prf, key, data);
1222  vec_append (authmsg, packet_data);
1223  vec_append (authmsg, nonce);
1224  vec_append (authmsg, id_hash);
1225  vec_free (id_hash);
1226  vec_free (data);
1227 
1228  return authmsg;
1229 }
1230 
1231 static int
1233 {
1234  if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id &&
1235  ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port &&
1236  ts1->start_addr.as_u32 == ts2->start_addr.as_u32 &&
1237  ts1->end_addr.as_u32 == ts2->end_addr.as_u32)
1238  return 1;
1239 
1240  return 0;
1241 }
1242 
1243 static void
1245 {
1246  ikev2_main_t *km = &ikev2_main;
1247  ikev2_profile_t *p;
1248  ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1249  ikev2_id_t *id;
1250 
1251  /* *INDENT-OFF* */
1252  pool_foreach (p, km->profiles, ({
1253 
1254  if (sa->is_initiator)
1255  {
1256  p_tsi = &p->loc_ts;
1257  p_tsr = &p->rem_ts;
1258  id = &sa->r_id;
1259  }
1260  else
1261  {
1262  p_tsi = &p->rem_ts;
1263  p_tsr = &p->loc_ts;
1264  id = &sa->i_id;
1265  }
1266 
1267  /* check id */
1268  if (p->rem_id.type != id->type ||
1269  vec_len(p->rem_id.data) != vec_len(id->data) ||
1270  memcmp(p->rem_id.data, id->data, vec_len(p->rem_id.data)))
1271  continue;
1272 
1273  vec_foreach(ts, sa->childs[0].tsi)
1274  {
1275  if (ikev2_ts_cmp(p_tsi, ts))
1276  {
1277  vec_add1 (tsi, ts[0]);
1278  break;
1279  }
1280  }
1281 
1282  vec_foreach(ts, sa->childs[0].tsr)
1283  {
1284  if (ikev2_ts_cmp(p_tsr, ts))
1285  {
1286  vec_add1 (tsr, ts[0]);
1287  break;
1288  }
1289  }
1290 
1291  break;
1292  }));
1293  /* *INDENT-ON* */
1294 
1295  if (tsi && tsr)
1296  {
1297  vec_free (sa->childs[0].tsi);
1298  vec_free (sa->childs[0].tsr);
1299  sa->childs[0].tsi = tsi;
1300  sa->childs[0].tsr = tsr;
1301  }
1302  else
1303  {
1304  vec_free (tsi);
1305  vec_free (tsr);
1307  }
1308 }
1309 
1310 static void
1312 {
1313  ikev2_main_t *km = &ikev2_main;
1314  ikev2_profile_t *p, *sel_p = 0;
1315  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1316  ikev2_sa_transform_t *tr_prf;
1317 
1318  tr_prf =
1319  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1320 
1321  /* only shared key and rsa signature */
1322  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1323  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1324  {
1325  clib_warning ("unsupported authentication method %u",
1326  sa->i_auth.method);
1328  return;
1329  }
1330 
1331  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1332  authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
1333 
1334  ikev2_id_t *sa_id;
1335  ikev2_auth_t *sa_auth;
1336 
1337  if (sa->is_initiator)
1338  {
1339  sa_id = &sa->r_id;
1340  sa_auth = &sa->r_auth;
1341  }
1342  else
1343  {
1344  sa_id = &sa->i_id;
1345  sa_auth = &sa->i_auth;
1346  }
1347 
1348  /* *INDENT-OFF* */
1349  pool_foreach (p, km->profiles, ({
1350 
1351  /* check id */
1352  if (p->rem_id.type != sa_id->type ||
1353  vec_len(p->rem_id.data) != vec_len(sa_id->data) ||
1354  memcmp(p->rem_id.data, sa_id->data, vec_len(p->rem_id.data)))
1355  continue;
1356 
1357  if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1358  {
1359  if (!p->auth.data ||
1360  p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1361  continue;
1362 
1363  psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
1364  auth = ikev2_calc_prf(tr_prf, psk, authmsg);
1365 
1366  if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
1367  {
1368  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1369  vec_free(auth);
1370  sel_p = p;
1371  break;
1372  }
1373 
1374  }
1375  else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
1376  {
1377  if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1378  continue;
1379 
1380  if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
1381  {
1382  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1383  sel_p = p;
1384  break;
1385  }
1386  }
1387 
1388  vec_free(auth);
1389  vec_free(psk);
1390  }));
1391  /* *INDENT-ON* */
1392 
1393  vec_free (authmsg);
1394 
1395  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1396  {
1397  if (!sa->is_initiator)
1398  {
1399  vec_free (sa->r_id.data);
1400  sa->r_id.data = vec_dup (sel_p->loc_id.data);
1401  sa->r_id.type = sel_p->loc_id.type;
1402 
1403  /* generate our auth data */
1404  authmsg = ikev2_sa_generate_authmsg (sa, 1);
1405  if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1406  {
1407  sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1408  sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1409  }
1410  else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1411  {
1412  sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1413  sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1414  }
1415  vec_free (authmsg);
1416 
1417  /* select transforms for 1st child sa */
1418  ikev2_sa_free_proposal_vector (&sa->childs[0].r_proposals);
1419  sa->childs[0].r_proposals =
1420  ikev2_select_proposal (sa->childs[0].i_proposals,
1422  }
1423  }
1424  else
1425  {
1427  }
1428  vec_free (psk);
1429  vec_free (key_pad);
1430 }
1431 
1432 
1433 static void
1435 {
1436  ikev2_main_t *km = &ikev2_main;
1437  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1438  ikev2_sa_transform_t *tr_prf;
1439 
1440  tr_prf =
1441  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1442 
1443  /* only shared key and rsa signature */
1444  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1445  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1446  {
1447  clib_warning ("unsupported authentication method %u",
1448  sa->i_auth.method);
1450  return;
1451  }
1452 
1453  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1454  authmsg = ikev2_sa_generate_authmsg (sa, 0);
1455  psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
1456  auth = ikev2_calc_prf (tr_prf, psk, authmsg);
1457 
1458 
1459  if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1460  {
1461  sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1462  sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1463  }
1464  else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1465  {
1466  sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1467  sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1468  }
1469 
1470  vec_free (psk);
1471  vec_free (key_pad);
1472  vec_free (auth);
1473  vec_free (authmsg);
1474 }
1475 
1476 
1477 static int
1479  ikev2_child_sa_t * child)
1480 {
1481  ikev2_main_t *km = &ikev2_main;
1482  ikev2_profile_t *p = 0;
1485  ikev2_sa_proposal_t *proposals;
1486  u8 encr_type = 0;
1487  u8 integ_type = 0;
1488 
1489  if (!child->r_proposals)
1490  {
1492  return 1;
1493  }
1494 
1495  clib_memset (&a, 0, sizeof (a));
1496  a.is_add = 1;
1497  if (sa->is_initiator)
1498  {
1499  a.local_ip.ip4.as_u32 = sa->iaddr.as_u32;
1500  a.remote_ip.ip4.as_u32 = sa->raddr.as_u32;
1501  proposals = child->r_proposals;
1502  a.local_spi = child->r_proposals[0].spi;
1503  a.remote_spi = child->i_proposals[0].spi;
1504  }
1505  else
1506  {
1507  a.local_ip.ip4.as_u32 = sa->raddr.as_u32;
1508  a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32;
1509  proposals = child->i_proposals;
1510  a.local_spi = child->i_proposals[0].spi;
1511  a.remote_spi = child->r_proposals[0].spi;
1512  }
1513  a.anti_replay = 1;
1514 
1515  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN);
1516  if (tr)
1517  a.esn = tr->esn_type;
1518  else
1519  a.esn = 0;
1520 
1521  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1522  if (tr)
1523  {
1524  if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len)
1525  {
1526  switch (tr->key_len)
1527  {
1528  case 16:
1529  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
1530  break;
1531  case 24:
1532  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
1533  break;
1534  case 32:
1535  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
1536  break;
1537  default:
1539  return 1;
1540  break;
1541  }
1542  }
1543  else if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM
1544  && tr->key_len)
1545  {
1546  switch (tr->key_len)
1547  {
1548  case 16:
1549  encr_type = IPSEC_CRYPTO_ALG_AES_GCM_128;
1550  break;
1551  case 24:
1552  encr_type = IPSEC_CRYPTO_ALG_AES_GCM_192;
1553  break;
1554  case 32:
1555  encr_type = IPSEC_CRYPTO_ALG_AES_GCM_256;
1556  break;
1557  default:
1559  return 1;
1560  break;
1561  }
1562  }
1563  else
1564  {
1566  return 1;
1567  }
1568  }
1569  else
1570  {
1572  return 1;
1573  }
1574 
1575  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1576  if (tr)
1577  {
1578  switch (tr->integ_type)
1579  {
1580  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
1581  integ_type = IPSEC_INTEG_ALG_SHA_256_128;
1582  break;
1583  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
1584  integ_type = IPSEC_INTEG_ALG_SHA_384_192;
1585  break;
1586  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
1587  integ_type = IPSEC_INTEG_ALG_SHA_512_256;
1588  break;
1589  case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
1590  integ_type = IPSEC_INTEG_ALG_SHA1_96;
1591  break;
1592  default:
1594  return 1;
1595  }
1596  }
1597  else
1598  {
1600  return 1;
1601  }
1602 
1603  ikev2_calc_child_keys (sa, child);
1604 
1605  u8 *loc_ckey, *rem_ckey, *loc_ikey, *rem_ikey;
1606  if (sa->is_initiator)
1607  {
1608  loc_ikey = child->sk_ai;
1609  rem_ikey = child->sk_ar;
1610  loc_ckey = child->sk_ei;
1611  rem_ckey = child->sk_er;
1612  }
1613  else
1614  {
1615  loc_ikey = child->sk_ar;
1616  rem_ikey = child->sk_ai;
1617  loc_ckey = child->sk_er;
1618  rem_ckey = child->sk_ei;
1619  }
1620 
1621  a.integ_alg = integ_type;
1622  a.local_integ_key_len = vec_len (loc_ikey);
1624  a.remote_integ_key_len = vec_len (rem_ikey);
1626 
1627  a.crypto_alg = encr_type;
1628  a.local_crypto_key_len = vec_len (loc_ckey);
1630  a.remote_crypto_key_len = vec_len (rem_ckey);
1632 
1633  if (sa->is_profile_index_set)
1634  p = pool_elt_at_index (km->profiles, sa->profile_index);
1635 
1636  if (p && p->lifetime)
1637  {
1638  child->time_to_expiration =
1639  vlib_time_now (vnm->vlib_main) + p->lifetime;
1640  if (p->lifetime_jitter)
1641  {
1642  // This is not much better than rand(3), which Coverity warns
1643  // is unsuitable for security applications; random_u32 is
1644  // however fast. If this perturbance to the expiration time
1645  // needs to use a better RNG then we may need to use something
1646  // like /dev/urandom which has significant overhead.
1647  u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
1648  rnd = random_u32 (&rnd);
1649 
1650  child->time_to_expiration += 1 + (rnd % p->lifetime_jitter);
1651  }
1652  }
1653 
1655 
1656  return 0;
1657 }
1658 
1659 static int
1661  ikev2_child_sa_t * child)
1662 {
1664 
1665  if (sa->is_initiator)
1666  {
1667  if (!vec_len (child->i_proposals))
1668  return 0;
1669 
1670  a.is_add = 0;
1671  a.local_ip.ip4.as_u32 = sa->iaddr.as_u32;
1672  a.remote_ip.ip4.as_u32 = sa->raddr.as_u32;
1673  a.local_spi = child->r_proposals[0].spi;
1674  a.remote_spi = child->i_proposals[0].spi;
1675  }
1676  else
1677  {
1678  if (!vec_len (child->r_proposals))
1679  return 0;
1680 
1681  a.is_add = 0;
1682  a.local_ip.ip4.as_u32 = sa->raddr.as_u32;
1683  a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32;
1684  a.local_spi = child->i_proposals[0].spi;
1685  a.remote_spi = child->r_proposals[0].spi;
1686  }
1687 
1689  return 0;
1690 }
1691 
1692 static u32
1693 ikev2_generate_message (ikev2_sa_t * sa, ike_header_t * ike, void *user)
1694 {
1695  v8 *integ = 0;
1696  ike_payload_header_t *ph;
1697  u16 plen;
1698  u32 tlen = 0;
1699 
1700  ikev2_sa_transform_t *tr_encr, *tr_integ;
1701  tr_encr =
1702  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1703  tr_integ =
1704  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1705 
1706  ikev2_payload_chain_t *chain = 0;
1707  ikev2_payload_new_chain (chain);
1708 
1709  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1710  {
1711  if (sa->r_proposals == 0)
1712  {
1713  ikev2_payload_add_notify (chain,
1714  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1716  }
1717  else if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
1718  {
1719  u8 *data = vec_new (u8, 2);
1720  ikev2_sa_transform_t *tr_dh;
1721  tr_dh =
1723  IKEV2_TRANSFORM_TYPE_DH);
1724  ASSERT (tr_dh && tr_dh->dh_type);
1725 
1726  data[0] = (tr_dh->dh_type >> 8) & 0xff;
1727  data[1] = (tr_dh->dh_type) & 0xff;
1728 
1729  ikev2_payload_add_notify (chain,
1730  IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD,
1731  data);
1732  vec_free (data);
1734  }
1735  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1736  {
1737  u8 *data = vec_new (u8, 1);
1738 
1739  data[0] = sa->unsupported_cp;
1740  ikev2_payload_add_notify (chain,
1741  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1742  data);
1743  vec_free (data);
1744  }
1745  else
1746  {
1747  ike->rspi = clib_host_to_net_u64 (sa->rspi);
1748  ikev2_payload_add_sa (chain, sa->r_proposals);
1749  ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data);
1750  ikev2_payload_add_nonce (chain, sa->r_nonce);
1751  }
1752  }
1753  else if (ike->exchange == IKEV2_EXCHANGE_IKE_AUTH)
1754  {
1755  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1756  {
1758  ikev2_payload_add_auth (chain, &sa->r_auth);
1759  ikev2_payload_add_sa (chain, sa->childs[0].r_proposals);
1762  }
1763  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1764  {
1765  ikev2_payload_add_notify (chain,
1766  IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
1767  0);
1769  }
1770  else if (sa->state == IKEV2_STATE_TS_UNACCEPTABLE)
1771  {
1772  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_TS_UNACCEPTABLE,
1773  0);
1775  ikev2_payload_add_auth (chain, &sa->r_auth);
1776  }
1777  else if (sa->state == IKEV2_STATE_NO_PROPOSAL_CHOSEN)
1778  {
1779  ikev2_payload_add_notify (chain,
1780  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1782  ikev2_payload_add_auth (chain, &sa->r_auth);
1785  }
1786  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1787  {
1788  u8 *data = vec_new (u8, 1);
1789 
1790  data[0] = sa->unsupported_cp;
1791  ikev2_payload_add_notify (chain,
1792  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1793  data);
1794  vec_free (data);
1795  }
1796  else if (sa->state == IKEV2_STATE_SA_INIT)
1797  {
1799  ikev2_payload_add_auth (chain, &sa->i_auth);
1800  ikev2_payload_add_sa (chain, sa->childs[0].i_proposals);
1803  }
1804  else
1805  {
1807  goto done;
1808  }
1809  }
1810  else if (ike->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
1811  {
1812  /* if pending delete */
1813  if (sa->del)
1814  {
1815  if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE)
1816  {
1817  if (sa->is_initiator)
1818  ikev2_payload_add_delete (chain, sa->del);
1819 
1820  /* The response to a request that deletes the IKE SA is an empty
1821  INFORMATIONAL response. */
1823  }
1824  /* The response to a request that deletes ESP or AH SAs will contain
1825  delete payloads for the paired SAs going in the other direction. */
1826  else
1827  {
1828  ikev2_payload_add_delete (chain, sa->del);
1829  }
1830  vec_free (sa->del);
1831  sa->del = 0;
1832  }
1833  /* received N(AUTHENTICATION_FAILED) */
1834  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1835  {
1837  goto done;
1838  }
1839  /* received unsupported critical payload */
1840  else if (sa->unsupported_cp)
1841  {
1842  u8 *data = vec_new (u8, 1);
1843 
1844  data[0] = sa->unsupported_cp;
1845  ikev2_payload_add_notify (chain,
1846  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1847  data);
1848  vec_free (data);
1849  sa->unsupported_cp = 0;
1850  }
1851  /* else send empty response */
1852  }
1853  else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
1854  {
1855  if (sa->is_initiator)
1856  {
1857 
1858  ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user;
1859  ikev2_notify_t notify;
1860  u8 *data = vec_new (u8, 4);
1861  clib_memset (&notify, 0, sizeof (notify));
1863  notify.spi = sa->childs[0].i_proposals->spi;
1864  *(u32 *) data = clib_host_to_net_u32 (notify.spi);
1865 
1866  ikev2_payload_add_sa (chain, proposals);
1867  ikev2_payload_add_nonce (chain, sa->i_nonce);
1870  ikev2_payload_add_notify_2 (chain, IKEV2_NOTIFY_MSG_REKEY_SA, data,
1871  &notify);
1872 
1873  vec_free (data);
1874  }
1875  else
1876  {
1877  if (sa->rekey)
1878  {
1879  ikev2_payload_add_sa (chain, sa->rekey[0].r_proposal);
1880  ikev2_payload_add_nonce (chain, sa->r_nonce);
1881  ikev2_payload_add_ts (chain, sa->rekey[0].tsi,
1883  ikev2_payload_add_ts (chain, sa->rekey[0].tsr,
1885  vec_del1 (sa->rekey, 0);
1886  }
1887  else if (sa->unsupported_cp)
1888  {
1889  u8 *data = vec_new (u8, 1);
1890 
1891  data[0] = sa->unsupported_cp;
1892  ikev2_payload_add_notify (chain,
1893  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1894  data);
1895  vec_free (data);
1896  sa->unsupported_cp = 0;
1897  }
1898  else
1899  {
1900  ikev2_payload_add_notify (chain,
1901  IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
1902  0);
1903  }
1904  }
1905  }
1906 
1907  /* IKEv2 header */
1908  ike->version = IKE_VERSION_2;
1909  ike->nextpayload = IKEV2_PAYLOAD_SK;
1910  tlen = sizeof (*ike);
1911  if (sa->is_initiator)
1912  {
1913  ike->flags = IKEV2_HDR_FLAG_INITIATOR;
1914  sa->last_init_msg_id = clib_net_to_host_u32 (ike->msgid);
1915  }
1916  else
1917  {
1918  ike->flags = IKEV2_HDR_FLAG_RESPONSE;
1919  }
1920 
1921 
1922  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1923  {
1924  tlen += vec_len (chain->data);
1925  ike->nextpayload = chain->first_payload_type;
1926  ike->length = clib_host_to_net_u32 (tlen);
1927  clib_memcpy_fast (ike->payload, chain->data, vec_len (chain->data));
1928 
1929  /* store whole IKE payload - needed for PSK auth */
1931  vec_add (sa->last_sa_init_res_packet_data, ike, tlen);
1932  }
1933  else
1934  {
1935 
1936  ikev2_payload_chain_add_padding (chain, tr_encr->block_size);
1937 
1938  /* SK payload */
1939  plen = sizeof (*ph);
1940  ph = (ike_payload_header_t *) & ike->payload[0];
1941  ph->nextpayload = chain->first_payload_type;
1942  ph->flags = 0;
1943  int enc_len = ikev2_encrypt_data (sa, chain->data, ph->payload);
1944  plen += enc_len;
1945 
1946  /* add space for hmac */
1947  plen += tr_integ->key_trunc;
1948  tlen += plen;
1949 
1950  /* payload and total length */
1951  ph->length = clib_host_to_net_u16 (plen);
1952  ike->length = clib_host_to_net_u32 (tlen);
1953 
1954  /* calc integrity data for whole packet except hash itself */
1955  integ =
1956  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ai : sa->sk_ar,
1957  (u8 *) ike, tlen - tr_integ->key_trunc);
1958 
1959  clib_memcpy_fast (ike->payload + tlen - tr_integ->key_trunc -
1960  sizeof (*ike), integ, tr_integ->key_trunc);
1961 
1962  /* store whole IKE payload - needed for retransmit */
1964  vec_add (sa->last_res_packet_data, ike, tlen);
1965  }
1966 
1967 done:
1969  vec_free (integ);
1970  return tlen;
1971 }
1972 
1973 static int
1974 ikev2_retransmit_sa_init (ike_header_t * ike,
1975  ip4_address_t iaddr, ip4_address_t raddr)
1976 {
1977  ikev2_main_t *km = &ikev2_main;
1978  ikev2_sa_t *sa;
1979  u32 thread_index = vlib_get_thread_index ();
1980 
1981  /* *INDENT-OFF* */
1982  pool_foreach (sa, km->per_thread_data[thread_index].sas, ({
1983  if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
1984  sa->iaddr.as_u32 == iaddr.as_u32 &&
1985  sa->raddr.as_u32 == raddr.as_u32)
1986  {
1987  int p = 0;
1988  u32 len = clib_net_to_host_u32(ike->length);
1989  u8 payload = ike->nextpayload;
1990 
1991  while (p < len && payload!= IKEV2_PAYLOAD_NONE) {
1992  ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
1993  u32 plen = clib_net_to_host_u16(ikep->length);
1994 
1995  if (plen < sizeof(ike_payload_header_t))
1996  return -1;
1997 
1998  if (payload == IKEV2_PAYLOAD_NONCE)
1999  {
2000  if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
2001  {
2002  /* req is retransmit */
2003  if (sa->state == IKEV2_STATE_SA_INIT)
2004  {
2005  ike_header_t * tmp;
2006  tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
2007  ike->ispi = tmp->ispi;
2008  ike->rspi = tmp->rspi;
2009  ike->nextpayload = tmp->nextpayload;
2010  ike->version = tmp->version;
2011  ike->exchange = tmp->exchange;
2012  ike->flags = tmp->flags;
2013  ike->msgid = tmp->msgid;
2014  ike->length = tmp->length;
2015  clib_memcpy_fast(ike->payload, tmp->payload,
2016  clib_net_to_host_u32(tmp->length) - sizeof(*ike));
2017  clib_warning("IKE_SA_INIT retransmit from %U to %U",
2018  format_ip4_address, &raddr,
2019  format_ip4_address, &iaddr);
2020  return 1;
2021  }
2022  /* else ignore req */
2023  else
2024  {
2025  clib_warning("IKE_SA_INIT ignore from %U to %U",
2026  format_ip4_address, &raddr,
2027  format_ip4_address, &iaddr);
2028  return -1;
2029  }
2030  }
2031  }
2032  payload = ikep->nextpayload;
2033  p+=plen;
2034  }
2035  }
2036  }));
2037  /* *INDENT-ON* */
2038 
2039  /* req is not retransmit */
2040  return 0;
2041 }
2042 
2043 static int
2044 ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
2045 {
2046  u32 msg_id = clib_net_to_host_u32 (ike->msgid);
2047 
2048  /* new req */
2049  if (msg_id > sa->last_msg_id)
2050  {
2051  sa->last_msg_id = msg_id;
2052  return 0;
2053  }
2054  /* retransmitted req */
2055  else if (msg_id == sa->last_msg_id)
2056  {
2057  ike_header_t *tmp;
2058  tmp = (ike_header_t *) sa->last_res_packet_data;
2059  ike->ispi = tmp->ispi;
2060  ike->rspi = tmp->rspi;
2061  ike->nextpayload = tmp->nextpayload;
2062  ike->version = tmp->version;
2063  ike->exchange = tmp->exchange;
2064  ike->flags = tmp->flags;
2065  ike->msgid = tmp->msgid;
2066  ike->length = tmp->length;
2067  clib_memcpy_fast (ike->payload, tmp->payload,
2068  clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
2069  clib_warning ("IKE msgid %u retransmit from %U to %U",
2070  msg_id,
2071  format_ip4_address, &sa->raddr,
2072  format_ip4_address, &sa->iaddr);
2073  return 1;
2074  }
2075  /* old req ignore */
2076  else
2077  {
2078  clib_warning ("IKE msgid %u req ignore from %U to %U",
2079  msg_id,
2080  format_ip4_address, &sa->raddr,
2081  format_ip4_address, &sa->iaddr);
2082  return -1;
2083  }
2084 }
2085 
2086 
2087 static uword
2089  vlib_node_runtime_t * node, vlib_frame_t * frame)
2090 {
2091  u32 n_left_from, *from, *to_next;
2092  ikev2_next_t next_index;
2093  ikev2_main_t *km = &ikev2_main;
2094  u32 thread_index = vlib_get_thread_index ();
2095 
2096  from = vlib_frame_vector_args (frame);
2097  n_left_from = frame->n_vectors;
2098  next_index = node->cached_next_index;
2099 
2100  while (n_left_from > 0)
2101  {
2102  u32 n_left_to_next;
2103 
2104  vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2105 
2106  while (n_left_from > 0 && n_left_to_next > 0)
2107  {
2108  u32 bi0;
2109  vlib_buffer_t *b0;
2110  u32 next0 = IKEV2_NEXT_ERROR_DROP;
2111  u32 sw_if_index0;
2112  ip4_header_t *ip40;
2113  udp_header_t *udp0;
2114  ike_header_t *ike0;
2115  ikev2_sa_t *sa0 = 0;
2116  ikev2_sa_t sa; /* temporary store for SA */
2117  int len = 0;
2118  int r;
2119 
2120  /* speculatively enqueue b0 to the current next frame */
2121  bi0 = from[0];
2122  to_next[0] = bi0;
2123  from += 1;
2124  to_next += 1;
2125  n_left_from -= 1;
2126  n_left_to_next -= 1;
2127 
2128  b0 = vlib_get_buffer (vm, bi0);
2129  ike0 = vlib_buffer_get_current (b0);
2130  vlib_buffer_advance (b0, -sizeof (*udp0));
2131  udp0 = vlib_buffer_get_current (b0);
2132  vlib_buffer_advance (b0, -sizeof (*ip40));
2133  ip40 = vlib_buffer_get_current (b0);
2134 
2135  if (ike0->version != IKE_VERSION_2)
2136  {
2138  IKEV2_ERROR_NOT_IKEV2, 1);
2139  goto dispatch0;
2140  }
2141 
2142  if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
2143  {
2144  sa0 = &sa;
2145  clib_memset (sa0, 0, sizeof (*sa0));
2146 
2147  if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR)
2148  {
2149  if (ike0->rspi == 0)
2150  {
2151  sa0->raddr.as_u32 = ip40->dst_address.as_u32;
2152  sa0->iaddr.as_u32 = ip40->src_address.as_u32;
2153 
2154  r = ikev2_retransmit_sa_init (ike0, sa0->iaddr,
2155  sa0->raddr);
2156  if (r == 1)
2157  {
2159  IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
2160  1);
2161  len = clib_net_to_host_u32 (ike0->length);
2162  goto dispatch0;
2163  }
2164  else if (r == -1)
2165  {
2167  IKEV2_ERROR_IKE_SA_INIT_IGNORE,
2168  1);
2169  goto dispatch0;
2170  }
2171 
2172  ikev2_process_sa_init_req (vm, sa0, ike0);
2173 
2174  if (sa0->state == IKEV2_STATE_SA_INIT)
2175  {
2177  sa0->r_proposals =
2181  }
2182 
2183  if (sa0->state == IKEV2_STATE_SA_INIT
2185  {
2186  len = ikev2_generate_message (sa0, ike0, 0);
2187  }
2188 
2189  if (sa0->state == IKEV2_STATE_SA_INIT)
2190  {
2191  /* add SA to the pool */
2192  pool_get (km->per_thread_data[thread_index].sas,
2193  sa0);
2194  clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
2195  hash_set (km->
2196  per_thread_data[thread_index].sa_by_rspi,
2197  sa0->rspi,
2198  sa0 -
2199  km->per_thread_data[thread_index].sas);
2200  }
2201  else
2202  {
2203  ikev2_sa_free_all_vec (sa0);
2204  }
2205  }
2206  }
2207  else //received sa_init without initiator flag
2208  {
2209  ikev2_process_sa_init_resp (vm, sa0, ike0);
2210 
2211  if (sa0->state == IKEV2_STATE_SA_INIT)
2212  {
2213  ike0->exchange = IKEV2_EXCHANGE_IKE_AUTH;
2214  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2215  if (p)
2216  {
2217  ikev2_sa_t *sai =
2218  pool_elt_at_index (km->sais, p[0]);
2219 
2220  ikev2_complete_sa_data (sa0, sai);
2221  ikev2_calc_keys (sa0);
2222  ikev2_sa_auth_init (sa0);
2223  len = ikev2_generate_message (sa0, ike0, 0);
2224  }
2225  }
2226 
2227  if (sa0->state == IKEV2_STATE_SA_INIT)
2228  {
2229  /* add SA to the pool */
2230  pool_get (km->per_thread_data[thread_index].sas, sa0);
2231  clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
2232  hash_set (km->per_thread_data[thread_index].sa_by_rspi,
2233  sa0->rspi,
2234  sa0 - km->per_thread_data[thread_index].sas);
2235  }
2236  else
2237  {
2238  ikev2_sa_free_all_vec (sa0);
2239  }
2240  }
2241  }
2242  else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH)
2243  {
2244  uword *p;
2245  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2246  clib_net_to_host_u64 (ike0->rspi));
2247  if (p)
2248  {
2249  sa0 =
2250  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2251  p[0]);
2252 
2253  r = ikev2_retransmit_resp (sa0, ike0);
2254  if (r == 1)
2255  {
2257  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2258  1);
2259  len = clib_net_to_host_u32 (ike0->length);
2260  goto dispatch0;
2261  }
2262  else if (r == -1)
2263  {
2265  IKEV2_ERROR_IKE_REQ_IGNORE,
2266  1);
2267  goto dispatch0;
2268  }
2269 
2270  ikev2_process_auth_req (vm, sa0, ike0);
2271  ikev2_sa_auth (sa0);
2272  if (sa0->state == IKEV2_STATE_AUTHENTICATED)
2273  {
2275  ikev2_sa_match_ts (sa0);
2276  if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE)
2278  &sa0->childs[0]);
2279  }
2280 
2281  if (sa0->is_initiator)
2282  {
2283  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2284  if (p)
2285  {
2286  ikev2_sa_t *sai =
2287  pool_elt_at_index (km->sais, p[0]);
2288  hash_unset (km->sa_by_ispi, sai->ispi);
2289  ikev2_sa_free_all_vec (sai);
2290  pool_put (km->sais, sai);
2291  }
2292  }
2293  else
2294  {
2295  len = ikev2_generate_message (sa0, ike0, 0);
2296  }
2297  }
2298  }
2299  else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
2300  {
2301  uword *p;
2302  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2303  clib_net_to_host_u64 (ike0->rspi));
2304  if (p)
2305  {
2306  sa0 =
2307  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2308  p[0]);
2309 
2310  r = ikev2_retransmit_resp (sa0, ike0);
2311  if (r == 1)
2312  {
2314  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2315  1);
2316  len = clib_net_to_host_u32 (ike0->length);
2317  goto dispatch0;
2318  }
2319  else if (r == -1)
2320  {
2322  IKEV2_ERROR_IKE_REQ_IGNORE,
2323  1);
2324  goto dispatch0;
2325  }
2326 
2327  ikev2_process_informational_req (vm, sa0, ike0);
2328  if (sa0->del)
2329  {
2330  if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE)
2331  {
2332  ikev2_delete_t *d, *tmp, *resp = 0;
2333  vec_foreach (d, sa0->del)
2334  {
2335  ikev2_child_sa_t *ch_sa;
2336  ch_sa = ikev2_sa_get_child (sa0, d->spi,
2337  d->protocol_id,
2338  !sa0->is_initiator);
2339  if (ch_sa)
2340  {
2342  sa0, ch_sa);
2343  if (!sa0->is_initiator)
2344  {
2345  vec_add2 (resp, tmp, 1);
2346  tmp->protocol_id = d->protocol_id;
2347  tmp->spi = ch_sa->r_proposals[0].spi;
2348  }
2349  ikev2_sa_del_child_sa (sa0, ch_sa);
2350  }
2351  }
2352  if (!sa0->is_initiator)
2353  {
2354  vec_free (sa0->del);
2355  sa0->del = resp;
2356  }
2357  }
2358  }
2359  if (!sa0->is_initiator)
2360  {
2361  len = ikev2_generate_message (sa0, ike0, 0);
2362  }
2363  }
2364  }
2365  else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
2366  {
2367  uword *p;
2368  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2369  clib_net_to_host_u64 (ike0->rspi));
2370  if (p)
2371  {
2372  sa0 =
2373  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2374  p[0]);
2375 
2376  r = ikev2_retransmit_resp (sa0, ike0);
2377  if (r == 1)
2378  {
2380  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2381  1);
2382  len = clib_net_to_host_u32 (ike0->length);
2383  goto dispatch0;
2384  }
2385  else if (r == -1)
2386  {
2388  IKEV2_ERROR_IKE_REQ_IGNORE,
2389  1);
2390  goto dispatch0;
2391  }
2392 
2393  ikev2_process_create_child_sa_req (vm, sa0, ike0);
2394  if (sa0->rekey)
2395  {
2396  if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
2397  {
2398  ikev2_child_sa_t *child;
2399  vec_add2 (sa0->childs, child, 1);
2400  child->r_proposals = sa0->rekey[0].r_proposal;
2401  child->i_proposals = sa0->rekey[0].i_proposal;
2402  child->tsi = sa0->rekey[0].tsi;
2403  child->tsr = sa0->rekey[0].tsr;
2405  child);
2406  }
2407  if (sa0->is_initiator)
2408  {
2409  vec_del1 (sa0->rekey, 0);
2410  }
2411  else
2412  {
2413  len = ikev2_generate_message (sa0, ike0, 0);
2414  }
2415  }
2416  }
2417  }
2418  else
2419  {
2420  clib_warning ("IKEv2 exchange %u packet received from %U to %U",
2421  ike0->exchange,
2424  }
2425 
2426  dispatch0:
2427  /* if we are sending packet back, rewrite headers */
2428  if (len)
2429  {
2430  next0 = IKEV2_NEXT_IP4_LOOKUP;
2431  if (sa0->is_initiator)
2432  {
2433  ip40->dst_address.as_u32 = sa0->raddr.as_u32;
2434  ip40->src_address.as_u32 = sa0->iaddr.as_u32;
2435  }
2436  else
2437  {
2438  ip40->dst_address.as_u32 = sa0->iaddr.as_u32;
2439  ip40->src_address.as_u32 = sa0->raddr.as_u32;
2440  }
2441  udp0->length =
2442  clib_host_to_net_u16 (len + sizeof (udp_header_t));
2443  udp0->checksum = 0;
2444  b0->current_length =
2445  len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2446  ip40->length = clib_host_to_net_u16 (b0->current_length);
2447  ip40->checksum = ip4_header_checksum (ip40);
2448  }
2449  /* delete sa */
2450  if (sa0 && (sa0->state == IKEV2_STATE_DELETED ||
2452  {
2454 
2455  vec_foreach (c, sa0->childs)
2457 
2458  ikev2_delete_sa (sa0);
2459  }
2460  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2461 
2463  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2464  {
2465  ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
2466  t->sw_if_index = sw_if_index0;
2467  t->next_index = next0;
2468  }
2469 
2470  vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
2471  n_left_to_next, bi0, next0);
2472  }
2473 
2474  vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2475  }
2476 
2478  IKEV2_ERROR_PROCESSED, frame->n_vectors);
2479  return frame->n_vectors;
2480 }
2481 
2482 /* *INDENT-OFF* */
2483 VLIB_REGISTER_NODE (ikev2_node,static) = {
2484  .function = ikev2_node_fn,
2485  .name = "ikev2",
2486  .vector_size = sizeof (u32),
2487  .format_trace = format_ikev2_trace,
2489 
2490  .n_errors = ARRAY_LEN(ikev2_error_strings),
2491  .error_strings = ikev2_error_strings,
2492 
2493  .n_next_nodes = IKEV2_N_NEXT,
2494 
2495  .next_nodes = {
2496  [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
2497  [IKEV2_NEXT_ERROR_DROP] = "error-drop",
2498  },
2499 };
2500 /* *INDENT-ON* */
2501 
2502 // set ikev2 proposals when vpp is used as initiator
2503 static clib_error_t *
2505  ikev2_transforms_set * ts,
2506  ikev2_sa_proposal_t ** proposals, int is_ike)
2507 {
2508  clib_error_t *r;
2509  ikev2_main_t *km = &ikev2_main;
2510  ikev2_sa_proposal_t *proposal;
2511  vec_add2 (*proposals, proposal, 1);
2513  int error;
2514 
2515  /* Encryption */
2516  error = 1;
2518  {
2519  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
2520  && td->encr_type == ts->crypto_alg
2521  && td->key_len == ts->crypto_key_size / 8)
2522  {
2523  u16 attr[2];
2524  attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
2525  attr[1] = clib_host_to_net_u16 (td->key_len << 3);
2526  vec_add (td->attrs, (u8 *) attr, 4);
2527  vec_add1 (proposal->transforms, *td);
2528  td->attrs = 0;
2529 
2530  error = 0;
2531  break;
2532  }
2533  }
2534  if (error)
2535  {
2536  r = clib_error_return (0, "Unsupported algorithm");
2537  return r;
2538  }
2539 
2540  /* Integrity */
2541  error = 1;
2543  {
2544  if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
2545  && td->integ_type == ts->integ_alg)
2546  {
2547  vec_add1 (proposal->transforms, *td);
2548  error = 0;
2549  break;
2550  }
2551  }
2552  if (error)
2553  {
2554  clib_warning
2555  ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
2556  r = clib_error_return (0, "Unsupported algorithm");
2557  return r;
2558  }
2559 
2560  /* PRF */
2561  if (is_ike)
2562  {
2563  error = 1;
2565  {
2566  if (td->type == IKEV2_TRANSFORM_TYPE_PRF
2567  && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
2568  {
2569  vec_add1 (proposal->transforms, *td);
2570  error = 0;
2571  break;
2572  }
2573  }
2574  if (error)
2575  {
2576  r = clib_error_return (0, "Unsupported algorithm");
2577  return r;
2578  }
2579  }
2580 
2581  /* DH */
2582  if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)
2583  {
2584  error = 1;
2586  {
2587  if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
2588  {
2589  vec_add1 (proposal->transforms, *td);
2590  if (is_ike)
2591  {
2592  sa->dh_group = td->dh_type;
2593  }
2594  error = 0;
2595  break;
2596  }
2597  }
2598  if (error)
2599  {
2600  r = clib_error_return (0, "Unsupported algorithm");
2601  return r;
2602  }
2603  }
2604 
2605  if (!is_ike)
2606  {
2607  error = 1;
2609  {
2610  if (td->type == IKEV2_TRANSFORM_TYPE_ESN)
2611  {
2612  vec_add1 (proposal->transforms, *td);
2613  error = 0;
2614  }
2615  }
2616  if (error)
2617  {
2618  r = clib_error_return (0, "Unsupported algorithm");
2619  return r;
2620  }
2621  }
2622 
2623 
2624  return 0;
2625 }
2626 
2627 static ikev2_profile_t *
2629 {
2630  ikev2_main_t *km = &ikev2_main;
2631  uword *p;
2632 
2633  p = mhash_get (&km->profile_index_by_name, name);
2634  if (!p)
2635  return 0;
2636 
2637  return pool_elt_at_index (km->profiles, p[0]);
2638 }
2639 
2640 
2641 static void
2643  u32 bi0, u32 len)
2644 {
2645  ip4_header_t *ip40;
2646  udp_header_t *udp0;
2647  vlib_buffer_t *b0;
2648  vlib_frame_t *f;
2649  u32 *to_next;
2650 
2651  b0 = vlib_get_buffer (vm, bi0);
2652  vlib_buffer_advance (b0, -sizeof (udp_header_t));
2653  udp0 = vlib_buffer_get_current (b0);
2654  vlib_buffer_advance (b0, -sizeof (ip4_header_t));
2655  ip40 = vlib_buffer_get_current (b0);
2656 
2657 
2658  ip40->ip_version_and_header_length = 0x45;
2659  ip40->tos = 0;
2660  ip40->fragment_id = 0;
2661  ip40->flags_and_fragment_offset = 0;
2662  ip40->ttl = 0xff;
2663  ip40->protocol = IP_PROTOCOL_UDP;
2664  ip40->dst_address.as_u32 = dst->as_u32;
2665  ip40->src_address.as_u32 = src->as_u32;
2666  udp0->dst_port = clib_host_to_net_u16 (500);
2667  udp0->src_port = clib_host_to_net_u16 (500);
2668  udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t));
2669  udp0->checksum = 0;
2670  b0->current_length = len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2671  ip40->length = clib_host_to_net_u16 (b0->current_length);
2672  ip40->checksum = ip4_header_checksum (ip40);
2673 
2674 
2675  /* send the request */
2676  f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
2677  to_next = vlib_frame_vector_args (f);
2678  to_next[0] = bi0;
2679  f->n_vectors = 1;
2680  vlib_put_frame_to_node (vm, ip4_lookup_node.index, f);
2681 
2682 }
2683 
2684 static u32
2686 {
2687  u32 bi0;
2688  if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
2689  {
2690  *ike = 0;
2691  return 0;
2692  }
2693  vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
2694  *ike = vlib_buffer_get_current (b0);
2695  return bi0;
2696 }
2697 
2698 clib_error_t *
2700 {
2701  ikev2_main_t *km = &ikev2_main;
2702 
2703  km->pkey = ikev2_load_key_file (file);
2704  if (km->pkey == NULL)
2705  return clib_error_return (0, "load key '%s' failed", file);
2706 
2707  return 0;
2708 }
2709 
2710 clib_error_t *
2712 {
2713  ikev2_main_t *km = &ikev2_main;
2714  ikev2_profile_t *p;
2715 
2716  if (is_add)
2717  {
2718  if (ikev2_profile_index_by_name (name))
2719  return clib_error_return (0, "policy %v already exists", name);
2720 
2721  pool_get (km->profiles, p);
2722  clib_memset (p, 0, sizeof (*p));
2723  p->name = vec_dup (name);
2724  p->responder.sw_if_index = ~0;
2725  uword index = p - km->profiles;
2726  mhash_set_mem (&km->profile_index_by_name, name, &index, 0);
2727  }
2728  else
2729  {
2730  p = ikev2_profile_index_by_name (name);
2731  if (!p)
2732  return clib_error_return (0, "policy %v does not exists", name);
2733 
2734  vec_free (p->name);
2735  pool_put (km->profiles, p);
2736  mhash_unset (&km->profile_index_by_name, name, 0);
2737  }
2738  return 0;
2739 }
2740 
2741 clib_error_t *
2743  u8 * auth_data, u8 data_hex_format)
2744 {
2745  ikev2_profile_t *p;
2746  clib_error_t *r;
2747 
2748  p = ikev2_profile_index_by_name (name);
2749 
2750  if (!p)
2751  {
2752  r = clib_error_return (0, "unknown profile %v", name);
2753  return r;
2754  }
2755  vec_free (p->auth.data);
2756  p->auth.method = auth_method;
2757  p->auth.data = vec_dup (auth_data);
2758  p->auth.hex = data_hex_format;
2759 
2760  if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
2761  {
2762  vec_add1 (p->auth.data, 0);
2763  if (p->auth.key)
2764  EVP_PKEY_free (p->auth.key);
2765  p->auth.key = ikev2_load_cert_file (auth_data);
2766  if (p->auth.key == NULL)
2767  return clib_error_return (0, "load cert '%s' failed", auth_data);
2768  }
2769 
2770  return 0;
2771 }
2772 
2773 clib_error_t *
2775  int is_local)
2776 {
2777  ikev2_profile_t *p;
2778  clib_error_t *r;
2779 
2780  if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
2781  && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
2782  {
2783  r = clib_error_return (0, "unsupported identity type %U",
2784  format_ikev2_id_type, id_type);
2785  return r;
2786  }
2787 
2788  p = ikev2_profile_index_by_name (name);
2789 
2790  if (!p)
2791  {
2792  r = clib_error_return (0, "unknown profile %v", name);
2793  return r;
2794  }
2795 
2796  if (is_local)
2797  {
2798  vec_free (p->loc_id.data);
2799  p->loc_id.type = id_type;
2800  p->loc_id.data = vec_dup (data);
2801  }
2802  else
2803  {
2804  vec_free (p->rem_id.data);
2805  p->rem_id.type = id_type;
2806  p->rem_id.data = vec_dup (data);
2807  }
2808 
2809  return 0;
2810 }
2811 
2812 clib_error_t *
2814  u16 start_port, u16 end_port, ip4_address_t start_addr,
2815  ip4_address_t end_addr, int is_local)
2816 {
2817  ikev2_profile_t *p;
2818  clib_error_t *r;
2819 
2820  p = ikev2_profile_index_by_name (name);
2821 
2822  if (!p)
2823  {
2824  r = clib_error_return (0, "unknown profile %v", name);
2825  return r;
2826  }
2827 
2828  if (is_local)
2829  {
2830  p->loc_ts.start_addr.as_u32 = start_addr.as_u32;
2831  p->loc_ts.end_addr.as_u32 = end_addr.as_u32;
2832  p->loc_ts.start_port = start_port;
2833  p->loc_ts.end_port = end_port;
2834  p->loc_ts.protocol_id = protocol_id;
2835  p->loc_ts.ts_type = 7;
2836  }
2837  else
2838  {
2839  p->rem_ts.start_addr.as_u32 = start_addr.as_u32;
2840  p->rem_ts.end_addr.as_u32 = end_addr.as_u32;
2841  p->rem_ts.start_port = start_port;
2842  p->rem_ts.end_port = end_port;
2843  p->rem_ts.protocol_id = protocol_id;
2844  p->rem_ts.ts_type = 7;
2845  }
2846 
2847  return 0;
2848 }
2849 
2850 
2851 clib_error_t *
2854 {
2855  ikev2_profile_t *p;
2856  clib_error_t *r;
2857 
2858  p = ikev2_profile_index_by_name (name);
2859 
2860  if (!p)
2861  {
2862  r = clib_error_return (0, "unknown profile %v", name);
2863  return r;
2864  }
2865 
2867  p->responder.ip4 = ip4;
2868 
2869  return 0;
2870 }
2871 
2872 clib_error_t *
2874  ikev2_transform_encr_type_t crypto_alg,
2875  ikev2_transform_integ_type_t integ_alg,
2876  ikev2_transform_dh_type_t dh_type,
2877  u32 crypto_key_size)
2878 {
2879  ikev2_profile_t *p;
2880  clib_error_t *r;
2881 
2882  p = ikev2_profile_index_by_name (name);
2883 
2884  if (!p)
2885  {
2886  r = clib_error_return (0, "unknown profile %v", name);
2887  return r;
2888  }
2889 
2890  p->ike_ts.crypto_alg = crypto_alg;
2891  p->ike_ts.integ_alg = integ_alg;
2892  p->ike_ts.dh_type = dh_type;
2893  p->ike_ts.crypto_key_size = crypto_key_size;
2894  return 0;
2895 }
2896 
2897 clib_error_t *
2899  ikev2_transform_encr_type_t crypto_alg,
2900  ikev2_transform_integ_type_t integ_alg,
2901  ikev2_transform_dh_type_t dh_type,
2902  u32 crypto_key_size)
2903 {
2904  ikev2_profile_t *p;
2905  clib_error_t *r;
2906 
2907  p = ikev2_profile_index_by_name (name);
2908 
2909  if (!p)
2910  {
2911  r = clib_error_return (0, "unknown profile %v", name);
2912  return r;
2913  }
2914 
2915  p->esp_ts.crypto_alg = crypto_alg;
2916  p->esp_ts.integ_alg = integ_alg;
2917  p->esp_ts.dh_type = dh_type;
2918  p->esp_ts.crypto_key_size = crypto_key_size;
2919  return 0;
2920 }
2921 
2922 clib_error_t *
2924  u64 lifetime, u32 jitter, u32 handover,
2925  u64 maxdata)
2926 {
2927  ikev2_profile_t *p;
2928  clib_error_t *r;
2929 
2930  p = ikev2_profile_index_by_name (name);
2931 
2932  if (!p)
2933  {
2934  r = clib_error_return (0, "unknown profile %v", name);
2935  return r;
2936  }
2937 
2938  p->lifetime = lifetime;
2939  p->lifetime_jitter = jitter;
2940  p->handover = handover;
2941  p->lifetime_maxdata = maxdata;
2942  return 0;
2943 }
2944 
2945 clib_error_t *
2947 {
2948  ikev2_profile_t *p;
2949  clib_error_t *r;
2950  ip4_main_t *im = &ip4_main;
2951  ikev2_main_t *km = &ikev2_main;
2952 
2953  p = ikev2_profile_index_by_name (name);
2954 
2955  if (!p)
2956  {
2957  r = clib_error_return (0, "unknown profile %v", name);
2958  return r;
2959  }
2960 
2961  if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0)
2962  {
2963  r = clib_error_return (0, "responder not set for profile %v", name);
2964  return r;
2965  }
2966 
2967 
2968  /* Create the Initiator Request */
2969  {
2970  ike_header_t *ike0;
2971  u32 bi0 = 0;
2972  ip_lookup_main_t *lm = &im->lookup_main;
2973  u32 if_add_index0;
2974  int len = sizeof (ike_header_t);
2975 
2976  /* Get own iface IP */
2977  if_add_index0 =
2979  ip_interface_address_t *if_add =
2980  pool_elt_at_index (lm->if_address_pool, if_add_index0);
2981  ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
2982 
2983  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
2984 
2985  /* Prepare the SA and the IKE payload */
2986  ikev2_sa_t sa;
2987  clib_memset (&sa, 0, sizeof (ikev2_sa_t));
2988  ikev2_payload_chain_t *chain = 0;
2989  ikev2_payload_new_chain (chain);
2990 
2991  /* Build the IKE proposal payload */
2992  ikev2_sa_proposal_t *proposals = 0;
2993  ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
2994  proposals[0].proposal_num = 1;
2995  proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
2996 
2997  /* Add and then cleanup proposal data */
2998  ikev2_payload_add_sa (chain, proposals);
2999  ikev2_sa_free_proposal_vector (&proposals);
3000 
3001  sa.is_initiator = 1;
3002  sa.profile_index = p - km->profiles;
3003  sa.is_profile_index_set = 1;
3006  ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
3007  ikev2_payload_add_nonce (chain, sa.i_nonce);
3008 
3009  /* Build the child SA proposal */
3010  vec_resize (sa.childs, 1);
3011  ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
3012  &sa.childs[0].i_proposals, 0);
3013  sa.childs[0].i_proposals[0].proposal_num = 1;
3015  RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
3016  sizeof (sa.childs[0].i_proposals[0].spi));
3017 
3018 
3019 
3020  /* Add NAT detection notification messages (mandatory) */
3021  u8 nat_detection_source[8 + 8 + 4 + 2];
3022  u8 *nat_detection_sha1 = vec_new (u8, 20);
3023 
3024  u64 tmpspi = clib_host_to_net_u64 (sa.ispi);
3025  clib_memcpy_fast (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
3026  tmpspi = clib_host_to_net_u64 (sa.rspi);
3027  clib_memcpy_fast (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
3028  u16 tmpport = clib_host_to_net_u16 (500);
3029  clib_memcpy_fast (&nat_detection_source[8 + 8 + 4], &tmpport,
3030  sizeof (tmpport));
3031  u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32);
3032  clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
3033  SHA1 (nat_detection_source, sizeof (nat_detection_source),
3034  nat_detection_sha1);
3035  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
3036  nat_detection_sha1);
3037  tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32);
3038  clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
3039  SHA1 (nat_detection_source, sizeof (nat_detection_source),
3040  nat_detection_sha1);
3041  ikev2_payload_add_notify (chain,
3042  IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
3043  nat_detection_sha1);
3044  vec_free (nat_detection_sha1);
3045 
3046  u8 *sig_hash_algo = vec_new (u8, 8);
3047  u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
3048  clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
3049  ikev2_payload_add_notify (chain,
3050  IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
3051  sig_hash_algo);
3052  vec_free (sig_hash_algo);
3053 
3054 
3055  /* Buffer update and boilerplate */
3056  len += vec_len (chain->data);
3057  ike0->nextpayload = chain->first_payload_type;
3058  ike0->length = clib_host_to_net_u32 (len);
3059  clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
3061 
3062  ike0->version = IKE_VERSION_2;
3063  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3064  ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
3065  ike0->ispi = sa.ispi;
3066  ike0->rspi = 0;
3067  ike0->msgid = 0;
3068 
3069  /* store whole IKE payload - needed for PSK auth */
3071  vec_add (sa.last_sa_init_req_packet_data, ike0, len);
3072 
3073  /* add data to the SA then add it to the pool */
3074  sa.iaddr.as_u32 = if_ip->as_u32;
3075  sa.raddr.as_u32 = p->responder.ip4.as_u32;
3076  sa.i_id.type = p->loc_id.type;
3077  sa.i_id.data = vec_dup (p->loc_id.data);
3078  sa.i_auth.method = p->auth.method;
3079  sa.i_auth.hex = p->auth.hex;
3080  sa.i_auth.data = vec_dup (p->auth.data);
3081  vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
3082  vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
3083 
3084  /* add SA to the pool */
3085  ikev2_sa_t *sa0 = 0;
3086  pool_get (km->sais, sa0);
3087  clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
3088  hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
3089 
3090  ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
3091 
3092  }
3093 
3094  return 0;
3095 }
3096 
3097 static void
3099  ikev2_child_sa_t * csa)
3100 {
3101  /* Create the Initiator notification for child SA removal */
3102  ikev2_main_t *km = &ikev2_main;
3103  ike_header_t *ike0;
3104  u32 bi0 = 0;
3105  int len;
3106 
3107  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3108 
3109 
3110  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3111  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3112  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3113  vec_resize (sa->del, 1);
3115  sa->del->spi = csa->i_proposals->spi;
3116  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3117  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3118  len = ikev2_generate_message (sa, ike0, 0);
3119 
3120  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3121 
3122  /* delete local child SA */
3124  ikev2_sa_del_child_sa (sa, csa);
3125 }
3126 
3127 clib_error_t *
3129 {
3130  clib_error_t *r;
3131  ikev2_main_t *km = &ikev2_main;
3133  ikev2_sa_t *fsa = 0;
3134  ikev2_child_sa_t *fchild = 0;
3135 
3136  /* Search for the child SA */
3137  vec_foreach (tkm, km->per_thread_data)
3138  {
3139  ikev2_sa_t *sa;
3140  if (fchild)
3141  break;
3142  /* *INDENT-OFF* */
3143  pool_foreach (sa, tkm->sas, ({
3144  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3145  if (fchild)
3146  {
3147  fsa = sa;
3148  break;
3149  }
3150  }));
3151  /* *INDENT-ON* */
3152  }
3153 
3154  if (!fchild || !fsa)
3155  {
3156  r = clib_error_return (0, "Child SA not found");
3157  return r;
3158  }
3159  else
3160  {
3161  ikev2_delete_child_sa_internal (vm, fsa, fchild);
3162  }
3163 
3164  return 0;
3165 }
3166 
3167 clib_error_t *
3169 {
3170  clib_error_t *r;
3171  ikev2_main_t *km = &ikev2_main;
3173  ikev2_sa_t *fsa = 0;
3174  ikev2_main_per_thread_data_t *ftkm = 0;
3175 
3176  /* Search for the IKE SA */
3177  vec_foreach (tkm, km->per_thread_data)
3178  {
3179  ikev2_sa_t *sa;
3180  if (fsa)
3181  break;
3182  /* *INDENT-OFF* */
3183  pool_foreach (sa, tkm->sas, ({
3184  if (sa->ispi == ispi)
3185  {
3186  fsa = sa;
3187  ftkm = tkm;
3188  break;
3189  }
3190  }));
3191  /* *INDENT-ON* */
3192  }
3193 
3194  if (!fsa)
3195  {
3196  r = clib_error_return (0, "IKE SA not found");
3197  return r;
3198  }
3199 
3200 
3201  /* Create the Initiator notification for IKE SA removal */
3202  {
3203  ike_header_t *ike0;
3204  u32 bi0 = 0;
3205  int len;
3206 
3207  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3208 
3209 
3210  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3211  ike0->ispi = clib_host_to_net_u64 (fsa->ispi);
3212  ike0->rspi = clib_host_to_net_u64 (fsa->rspi);
3213  vec_resize (fsa->del, 1);
3214  fsa->del->protocol_id = IKEV2_PROTOCOL_IKE;
3215  fsa->del->spi = ispi;
3216  ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1);
3217  fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3218  len = ikev2_generate_message (fsa, ike0, 0);
3219 
3220  ikev2_send_ike (vm, &fsa->iaddr, &fsa->raddr, bi0, len);
3221  }
3222 
3223 
3224  /* delete local SA */
3226  vec_foreach (c, fsa->childs)
3227  {
3228  ikev2_delete_tunnel_interface (km->vnet_main, fsa, c);
3229  ikev2_sa_del_child_sa (fsa, c);
3230  }
3231  ikev2_sa_free_all_vec (fsa);
3232  uword *p = hash_get (ftkm->sa_by_rspi, fsa->rspi);
3233  if (p)
3234  {
3235  hash_unset (ftkm->sa_by_rspi, fsa->rspi);
3236  pool_put (ftkm->sas, fsa);
3237  }
3238 
3239 
3240  return 0;
3241 }
3242 
3243 static void
3245  ikev2_child_sa_t * csa)
3246 {
3247  /* Create the Initiator request for create child SA */
3248  ike_header_t *ike0;
3249  u32 bi0 = 0;
3250  int len;
3251 
3252 
3253  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3254 
3255 
3256  ike0->version = IKE_VERSION_2;
3257  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3258  ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
3259  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3260  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3261  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3262  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3263 
3264  ikev2_rekey_t *rekey;
3265  vec_add2 (sa->rekey, rekey, 1);
3266  ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
3267 
3268  /*need new ispi */
3269  RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
3270  rekey->spi = proposals[0].spi;
3271  rekey->ispi = csa->i_proposals->spi;
3272  len = ikev2_generate_message (sa, ike0, proposals);
3273  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3274  vec_free (proposals);
3275 }
3276 
3277 clib_error_t *
3279 {
3280  clib_error_t *r;
3281  ikev2_main_t *km = &ikev2_main;
3283  ikev2_sa_t *fsa = 0;
3284  ikev2_child_sa_t *fchild = 0;
3285 
3286  /* Search for the child SA */
3287  vec_foreach (tkm, km->per_thread_data)
3288  {
3289  ikev2_sa_t *sa;
3290  if (fchild)
3291  break;
3292  /* *INDENT-OFF* */
3293  pool_foreach (sa, tkm->sas, ({
3294  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3295  if (fchild)
3296  {
3297  fsa = sa;
3298  break;
3299  }
3300  }));
3301  /* *INDENT-ON* */
3302  }
3303 
3304  if (!fchild || !fsa)
3305  {
3306  r = clib_error_return (0, "Child SA not found");
3307  return r;
3308  }
3309  else
3310  {
3311  ikev2_rekey_child_sa_internal (vm, fsa, fchild);
3312  }
3313 
3314  return 0;
3315 }
3316 
3317 clib_error_t *
3319 {
3320  ikev2_main_t *km = &ikev2_main;
3322  int thread_id;
3323 
3324  clib_memset (km, 0, sizeof (ikev2_main_t));
3325  km->vnet_main = vnet_get_main ();
3326  km->vlib_main = vm;
3327 
3328  ikev2_crypto_init (km);
3329 
3331 
3332  vec_validate (km->per_thread_data, tm->n_vlib_mains - 1);
3333  for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
3334  {
3335  km->per_thread_data[thread_id].sa_by_rspi =
3336  hash_create (0, sizeof (uword));
3337  }
3338 
3339  km->sa_by_ispi = hash_create (0, sizeof (uword));
3340 
3341  udp_register_dst_port (vm, 500, ikev2_node.index, 1);
3342 
3344 
3345  return 0;
3346 }
3347 
3348 /* *INDENT-OFF* */
3350 {
3351  .runs_after = VLIB_INITS("ipsec_init"),
3352 };
3353 /* *INDENT-ON* */
3354 
3355 
3356 static u8
3358 {
3359  ikev2_main_t *km = &ikev2_main;
3360  ikev2_profile_t *p = 0;
3361  vlib_main_t *vm = km->vlib_main;
3362  f64 now = vlib_time_now (vm);
3363  u8 res = 0;
3364 
3365  if (sa->is_profile_index_set)
3366  p = pool_elt_at_index (km->profiles, sa->profile_index);
3367 
3368  if (sa->is_initiator && p && csa->time_to_expiration
3369  && now > csa->time_to_expiration)
3370  {
3371  if (!csa->is_expired || csa->rekey_retries > 0)
3372  {
3373  ikev2_rekey_child_sa_internal (vm, sa, csa);
3374  csa->time_to_expiration = now + p->handover;
3375  csa->is_expired = 1;
3376  if (csa->rekey_retries == 0)
3377  {
3378  csa->rekey_retries = 5;
3379  }
3380  else if (csa->rekey_retries > 0)
3381  {
3382  csa->rekey_retries--;
3383  clib_warning ("Rekeying Child SA 0x%x, retries left %d",
3384  csa->i_proposals->spi, csa->rekey_retries);
3385  if (csa->rekey_retries == 0)
3386  {
3387  csa->rekey_retries = -1;
3388  }
3389  }
3390  res |= 1;
3391  }
3392  else
3393  {
3394  csa->time_to_expiration = 0;
3395  ikev2_delete_child_sa_internal (vm, sa, csa);
3396  res |= 1;
3397  }
3398  }
3399 
3400  return res;
3401 }
3402 
3403 static void
3405 {
3406  ikev2_main_t *km = &ikev2_main;
3407  vlib_main_t *vm = km->vlib_main;
3409  ikev2_sa_t *fsa = 0;
3410  ikev2_profile_t *p = 0;
3411  ikev2_child_sa_t *fchild = 0;
3412  f64 now = vlib_time_now (vm);
3413  vlib_counter_t counts;
3414 
3415  /* Search for the SA and child SA */
3416  vec_foreach (tkm, km->per_thread_data)
3417  {
3418  ikev2_sa_t *sa;
3419  if (fchild)
3420  break;
3421  /* *INDENT-OFF* */
3422  pool_foreach (sa, tkm->sas, ({
3423  fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
3424  if (fchild)
3425  {
3426  fsa = sa;
3427  break;
3428  }
3429  }));
3430  /* *INDENT-ON* */
3431  }
3433  ipsec_sa->stat_index, &counts);
3434 
3435  if (fsa && fsa->is_profile_index_set)
3436  p = pool_elt_at_index (km->profiles, fsa->profile_index);
3437 
3438  if (fchild && p && p->lifetime_maxdata)
3439  {
3440  if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
3441  {
3442  fchild->time_to_expiration = now;
3443  }
3444  }
3445 }
3446 
3448 
3449 static uword
3451  vlib_frame_t * f)
3452 {
3453  ikev2_main_t *km = &ikev2_main;
3454  ipsec_main_t *im = &ipsec_main;
3455 
3456  while (1)
3457  {
3458  u8 req_sent = 0;
3460  vlib_process_get_events (vm, NULL);
3461 
3462  /* process ike child sas */
3464  vec_foreach (tkm, km->per_thread_data)
3465  {
3466  ikev2_sa_t *sa;
3467  /* *INDENT-OFF* */
3468  pool_foreach (sa, tkm->sas, ({
3469  ikev2_child_sa_t *c;
3470  vec_foreach (c, sa->childs)
3471  {
3472  req_sent |= ikev2_mngr_process_child_sa(sa, c);
3473  }
3474  }));
3475  /* *INDENT-ON* */
3476  }
3477 
3478  /* process ipsec sas */
3479  ipsec_sa_t *sa;
3480  /* *INDENT-OFF* */
3481  pool_foreach (sa, im->sad, ({
3482  ikev2_mngr_process_ipsec_sa(sa);
3483  }));
3484  /* *INDENT-ON* */
3485 
3486  if (req_sent)
3487  {
3489  vlib_process_get_events (vm, NULL);
3490  req_sent = 0;
3491  }
3492 
3493  }
3494  return 0;
3495 }
3496 
3497 /* *INDENT-OFF* */
3499  .function = ikev2_mngr_process_fn,
3500  .type = VLIB_NODE_TYPE_PROCESS,
3501  .name =
3502  "ikev2-manager-process",
3503 };
3504 
3505 VLIB_PLUGIN_REGISTER () = {
3506  .version = VPP_BUILD_VER,
3507  .description = "Internet Key Exchange (IKEv2) Protocol",
3508 };
3509 /* *INDENT-ON* */
3510 
3511 /*
3512  * fd.io coding-style-patch-verification: ON
3513  *
3514  * Local Variables:
3515  * eval: (c-set-style "gnu")
3516  * End:
3517  */
ikev2_main_per_thread_data_t * per_thread_data
Definition: ikev2_priv.h:292
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:439
static int ikev2_retransmit_sa_init(ike_header_t *ike, ip4_address_t iaddr, ip4_address_t raddr)
Definition: ikev2.c:1974
u32 flags
buffer flags: VLIB_BUFFER_FREE_LIST_INDEX_MASK: bits used to store free list index, VLIB_BUFFER_IS_TRACED: trace this buffer.
Definition: buffer.h:124
u8 * dh_shared_key
Definition: ikev2_priv.h:211
ikev2_sa_t * sais
Definition: ikev2_priv.h:288
void ikev2_payload_add_nonce(ikev2_payload_chain_t *c, u8 *nonce)
static u8 * format_ikev2_trace(u8 *s, va_list *args)
Definition: ikev2.c:47
u8 * dh_private_key
Definition: ikev2_priv.h:212
ikev2_transform_type_t type
Definition: ikev2_priv.h:69
#define hash_set(h, key, value)
Definition: hash.h:255
#define IKEV2_PAYLOAD_NONCE
Definition: ikev2.h:99
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2852
ikev2_id_t r_id
Definition: ikev2_priv.h:235
ikev2_id_type_t type
Definition: ikev2_priv.h:127
#define CLIB_UNUSED(x)
Definition: clib.h:83
void ikev2_payload_add_notify(ikev2_payload_chain_t *c, u16 msg_type, u8 *data)
ikev2_transforms_set ike_ts
Definition: ikev2_priv.h:189
static int ikev2_delete_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1660
static f64 vlib_process_wait_for_event_or_clock(vlib_main_t *vm, f64 dt)
Suspend a cooperative multi-tasking thread Waits for an event, or for the indicated number of seconds...
Definition: node_funcs.h:673
ikev2_transform_integ_type_t
Definition: ikev2.h:268
#define hash_unset(h, key)
Definition: hash.h:261
a
Definition: bitmap.h:538
static void ikev2_send_ike(vlib_main_t *vm, ip4_address_t *src, ip4_address_t *dst, u32 bi0, u32 len)
Definition: ikev2.c:2642
ip4_address_t src_address
Definition: ip4_packet.h:170
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2711
EVP_PKEY * pkey
Definition: ikev2_priv.h:281
ip_interface_address_t * if_address_pool
Pool of addresses that are assigned to interfaces.
Definition: lookup.h:143
void ikev2_payload_add_sa(ikev2_payload_chain_t *c, ikev2_sa_proposal_t *proposals)
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
static void ikev2_calc_keys(ikev2_sa_t *sa)
Definition: ikev2.c:434
ip46_address_t local_ip
Definition: ipsec_if.h:38
ikev2_sa_proposal_t * ikev2_parse_sa_payload(ike_payload_header_t *ikep)
u32 last_init_msg_id
Definition: ikev2_priv.h:252
static u32 ikev2_generate_message(ikev2_sa_t *sa, ike_header_t *ike, void *user)
Definition: ikev2.c:1693
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:120
#define IKEV2_PAYLOAD_NONE
Definition: ikev2.h:93
ikev2_profile_t * profiles
Definition: ikev2_priv.h:272
unsigned long u64
Definition: types.h:89
u8 v8
Definition: ikev2.h:27
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3168
#define clib_memcpy_fast(a, b, c)
Definition: string.h:81
ikev2_ts_t * ikev2_parse_ts_payload(ike_payload_header_t *ikep)
uword mhash_unset(mhash_t *h, void *key, uword *old_value)
Definition: mhash.c:346
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
static void ikev2_sa_free_child_sa(ikev2_child_sa_t *c)
Definition: ikev2.c:247
v8 * ikev2_calc_prf(ikev2_sa_transform_t *tr, v8 *key, v8 *data)
Definition: ikev2_crypto.c:257
static f64 vlib_time_now(vlib_main_t *vm)
Definition: main.h:279
static void ikev2_complete_sa_data(ikev2_sa_t *sa, ikev2_sa_t *sai)
Definition: ikev2.c:377
static vlib_node_registration_t ikev2_mngr_process_node
(constructor) VLIB_REGISTER_NODE (ikev2_mngr_process_node)
Definition: ikev2.c:3447
#define IKEV2_EXCHANGE_SA_INIT
Definition: ikev2.h:82
static void ikev2_delete_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3098
ikev2_transform_esn_type_t esn_type
Definition: ikev2_priv.h:77
u16 current_length
Nbytes between current data and the end of this buffer.
Definition: buffer.h:113
VLIB_PLUGIN_REGISTER()
#define IKEV2_PAYLOAD_VENDOR
Definition: ikev2.h:102
ikev2_state_t state
Definition: ikev2_priv.h:199
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:522
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
Definition: ipsec_if.c:214
Combined counter to hold both packets and byte differences.
Definition: counter_types.h:26
vl_api_address_t src
Definition: gre.api:51
ikev2_transform_encr_type_t crypto_alg
Definition: ikev2_priv.h:118
#define vec_add2(V, P, N)
Add N elements to end of vector V, return pointer to new elements in P.
Definition: vec.h:560
int i
u8 * sk_pi
Definition: ikev2_priv.h:226
static void mhash_init_vec_string(mhash_t *h, uword n_value_bytes)
Definition: mhash.h:84
ip_lookup_main_t lookup_main
Definition: ip4.h:107
ip4_address_t ip4
Definition: ikev2_priv.h:113
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2923
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
u16 flags_and_fragment_offset
Definition: ip4_packet.h:151
void ikev2_payload_add_ke(ikev2_payload_chain_t *c, u16 dh_group, u8 *dh_data)
ikev2_next_t
Definition: ikev2.c:82
u8 data[128]
Definition: ipsec.api:251
static void ikev2_generate_sa_init_data(ikev2_sa_t *sa)
Definition: ikev2.c:324
#define IKEV2_NONCE_SIZE
Definition: ikev2.h:23
u8 initial_contact
Definition: ikev2_priv.h:201
ikev2_ts_t * tsi
Definition: ikev2_priv.h:166
#define IKEV2_PAYLOAD_TSR
Definition: ikev2.h:104
ikev2_auth_t r_auth
Definition: ikev2_priv.h:231
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:236
static void ikev2_delete_sa(ikev2_sa_t *sa)
Definition: ikev2.c:307
u8 * last_sa_init_res_packet_data
Definition: ikev2_priv.h:245
unsigned char u8
Definition: types.h:56
ikev2_notify_t * ikev2_parse_notify_payload(ike_payload_header_t *ikep)
ikev2_sa_transform_t * ikev2_sa_get_td_for_type(ikev2_sa_proposal_t *p, ikev2_transform_type_t type)
Definition: ikev2.c:194
ikev2_auth_t auth
Definition: ikev2_priv.h:183
double f64
Definition: types.h:142
ikev2_ts_t * tsr
Definition: ikev2_priv.h:167
vlib_node_registration_t ip4_lookup_node
(constructor) VLIB_REGISTER_NODE (ip4_lookup_node)
Definition: ip4_forward.c:101
static void ikev2_mngr_process_ipsec_sa(ipsec_sa_t *ipsec_sa)
Definition: ikev2.c:3404
ikev2_id_t rem_id
Definition: ikev2_priv.h:185
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
Definition: vec.h:598
ikev2_transform_dh_type_t
Definition: ikev2.h:318
int ikev2_encrypt_data(ikev2_sa_t *sa, v8 *src, u8 *dst)
Definition: ikev2_crypto.c:425
ikev2_child_sa_t * ikev2_sa_get_child(ikev2_sa_t *sa, u32 spi, ikev2_protocol_id_t prot_id, int by_initiator)
Definition: ikev2.c:211
format_function_t format_ip4_address
Definition: format.h:75
u32 next_index
Definition: ikev2.c:42
u32 last_msg_id
Definition: ikev2_priv.h:248
#define IKEV2_PAYLOAD_DELETE
Definition: ikev2.h:101
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:493
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:135
void ikev2_generate_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:462
vl_api_interface_index_t sw_if_index
Definition: gre.api:50
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
static uword vlib_process_get_events(vlib_main_t *vm, uword **data_vector)
Return the first event type which has occurred and a vector of per-event data of that type...
Definition: node_funcs.h:516
ipsec_main_t ipsec_main
Definition: ipsec.c:28
EVP_PKEY * ikev2_load_cert_file(u8 *file)
Definition: ikev2_crypto.c:766
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2946
static ikev2_sa_transform_t * ikev2_find_transform_data(ikev2_sa_transform_t *t)
Definition: ikev2.c:90
ip4_address_t dst_address
Definition: ip4_packet.h:170
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:311
EVP_PKEY * ikev2_load_key_file(u8 *file)
Definition: ikev2_crypto.c:796
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:2742
void ikev2_parse_vendor_payload(ike_payload_header_t *ikep)
ip4_address_t start_addr
Definition: ikev2_priv.h:106
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84
vlib_frame_t * vlib_get_frame_to_node(vlib_main_t *vm, u32 to_node_index)
Definition: main.c:185
#define clib_error_return(e, args...)
Definition: error.h:99
static u32 ikev2_get_new_ike_header_buff(vlib_main_t *vm, ike_header_t **ike)
Definition: ikev2.c:2685
void ikev2_payload_add_id(ikev2_payload_chain_t *c, ikev2_id_t *id, u8 type)
#define IKEV2_PAYLOAD_NOTIFY
Definition: ikev2.h:100
static void ikev2_sa_match_ts(ikev2_sa_t *sa)
Definition: ikev2.c:1244
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:217
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2898
static void ikev2_sa_auth(ikev2_sa_t *sa)
Definition: ikev2.c:1311
#define vec_resize(V, N)
Resize a vector (no header, unspecified alignment) Add N elements to end of given vector V...
Definition: vec.h:242
ikev2_transform_integ_type_t integ_alg
Definition: ikev2_priv.h:119
unsigned int u32
Definition: types.h:88
ikev2_auth_t i_auth
Definition: ikev2_priv.h:230
#define ikev2_set_state(sa, v)
Definition: ikev2.c:35
#define ikev2_payload_destroy_chain(V)
Definition: ikev2_priv.h:329
ikev2_id_t loc_id
Definition: ikev2_priv.h:184
ikev2_sa_transform_t * transforms
Definition: ikev2_priv.h:96
#define IKEV2_EXCHANGE_CREATE_CHILD_SA
Definition: ikev2.h:84
u8 * sk_ar
Definition: ikev2_priv.h:223
u8 * r_dh_data
Definition: ikev2_priv.h:214
static void ikev2_initial_contact_cleanup(ikev2_sa_t *sa)
Definition: ikev2.c:778
ikev2_responder_t responder
Definition: ikev2_priv.h:188
vl_api_fib_path_type_t type
Definition: fib_types.api:123
static ikev2_profile_t * ikev2_profile_index_by_name(u8 *name)
Definition: ikev2.c:2628
#define hash_get(h, key)
Definition: hash.h:249
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2774
u8 * ikev2_calc_prfplus(ikev2_sa_transform_t *tr, u8 *key, u8 *seed, int len)
Definition: ikev2_crypto.c:287
static clib_error_t * ikev2_set_initiator_proposals(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_transforms_set *ts, ikev2_sa_proposal_t **proposals, int is_ike)
Definition: ikev2.c:2504
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
u32 sa_id
Definition: ipsec.api:95
ikev2_main_t ikev2_main
Definition: ikev2.c:29
void ikev2_cli_reference(void)
Definition: ikev2_cli.c:588
vlib_main_t * vlib_main
Definition: vnet.h:80
u8 * last_sa_init_req_packet_data
Definition: ikev2_priv.h:244
#define IKEV2_PAYLOAD_IDR
Definition: ikev2.h:97
static int ikev2_create_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1478
#define IKEV2_PAYLOAD_SA
Definition: ikev2.h:94
ikev2_ts_t rem_ts
Definition: ikev2_priv.h:187
u8 * i_dh_data
Definition: ikev2_priv.h:213
uword mhash_set_mem(mhash_t *h, void *key, uword *new_value, uword *old_value)
Definition: mhash.c:264
unsigned short u16
Definition: types.h:57
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:134
void vlib_put_frame_to_node(vlib_main_t *vm, u32 to_node_index, vlib_frame_t *f)
Definition: main.c:194
u8 * r_nonce
Definition: ikev2_priv.h:207
#define IKEV2_HDR_FLAG_RESPONSE
Definition: ikev2.h:89
ip46_address_t remote_ip
Definition: ipsec_if.h:38
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
Definition: buffer.h:229
mhash_t profile_index_by_name
Definition: ikev2_priv.h:278
u16 end_port
Definition: ikev2_priv.h:105
ikev2_sa_transform_t * supported_transforms
Definition: ikev2_priv.h:275
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:286
ikev2_rekey_t * rekey
Definition: ikev2_priv.h:241
#define vec_dup(V)
Return copy of vector (no header, no alignment)
Definition: vec.h:375
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3128
static void ikev2_rekey_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3244
#define PREDICT_FALSE(x)
Definition: clib.h:112
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:804
#define IKEV2_PAYLOAD_FLAG_CRITICAL
Definition: ikev2.h:91
static void ikev2_sa_auth_init(ikev2_sa_t *sa)
Definition: ikev2.c:1434
ikev2_protocol_id_t
Definition: ikev2.h:107
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
Definition: buffer_node.h:218
vl_api_address_t dst
Definition: gre.api:52
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
Definition: node_funcs.h:338
ip4_address_t end_addr
Definition: ikev2_priv.h:107
u8 name[64]
Definition: memclnt.api:152
ip4_address_t iaddr
Definition: ikev2_priv.h:202
u8 * i_nonce
Definition: ikev2_priv.h:206
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2699
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1150
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2813
u8 len
Definition: ip_types.api:90
u8 * sk_ei
Definition: ikev2_priv.h:224
#define IKEV2_EXCHANGE_INFORMATIONAL
Definition: ikev2.h:85
void ikev2_payload_add_delete(ikev2_payload_chain_t *c, ikev2_delete_t *d)
#define IKEV2_HDR_FLAG_INITIATOR
Definition: ikev2.h:87
#define IKEV2_KEY_PAD
Definition: ikev2.h:25
static uword ikev2_mngr_process_fn(vlib_main_t *vm, vlib_node_runtime_t *rt, vlib_frame_t *f)
Definition: ikev2.c:3450
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3278
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_if.h:41
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:169
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:76
svmdb_client_t * c
u16 n_vectors
Definition: node.h:397
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:218
static void vlib_get_combined_counter(const vlib_combined_counter_main_t *cm, u32 index, vlib_counter_t *result)
Get the value of a combined counter, never called in the speed path Scrapes the entire set of per-thr...
Definition: counter.h:259
vlib_main_t * vm
Definition: buffer.c:323
static u8 * ikev2_decrypt_sk_payload(ikev2_sa_t *sa, ike_header_t *ike, u8 *payload)
Definition: ikev2.c:713
static void ikev2_sa_del_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:269
ikev2_auth_method_t method
Definition: ikev2_priv.h:55
ikev2_transform_encr_type_t
Definition: ikev2.h:227
ikev2_delete_t * del
Definition: ikev2_priv.h:238
ikev2_ts_t * tsi
Definition: ikev2_priv.h:138
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341
static void ikev2_process_auth_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:817
static uword ikev2_node_fn(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
Definition: ikev2.c:2088
ip4_address_t raddr
Definition: ikev2_priv.h:203
#define clib_warning(format, args...)
Definition: error.h:59
u8 * sk_er
Definition: ikev2_priv.h:225
static void ikev2_process_sa_init_resp(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:633
u8 is_initiator
Definition: ikev2_priv.h:251
#define ARRAY_LEN(x)
Definition: clib.h:63
#define IKEV2_PAYLOAD_KE
Definition: ikev2.h:95
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
Definition: main.c:456
ikev2_ts_t loc_ts
Definition: ikev2_priv.h:186
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:218
static u8 * ikev2_sa_generate_authmsg(ikev2_sa_t *sa, int is_responder)
Definition: ikev2.c:1189
static void ikev2_calc_child_keys(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:511
u32 * if_address_pool_index_by_sw_if_index
Head of doubly linked list of interface addresses for each software interface.
Definition: lookup.h:150
#define hash_create(elts, value_bytes)
Definition: hash.h:696
void ikev2_payload_add_auth(ikev2_payload_chain_t *c, ikev2_auth_t *auth)
ikev2_protocol_id_t protocol_id
Definition: ikev2_priv.h:94
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
Definition: ipsec_sa.c:27
u8 protocol_id
Definition: ikev2_priv.h:102
u16 cached_next_index
Next frame index that vector arguments were last enqueued to last time this node ran.
Definition: node.h:515
#define ASSERT(truth)
u32 spi
Definition: ipsec.api:274
static uword * mhash_get(mhash_t *h, const void *key)
Definition: mhash.h:110
vnet_main_t * vnet_main
Definition: ikev2_priv.h:285
static void ikev2_process_informational_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:977
ipsec_integ_alg_t integ_alg
Definition: ipsec_if.h:46
ip_dscp_t tos
Definition: ip4_packet.h:141
void ikev2_sa_free_proposal_vector(ikev2_sa_proposal_t **v)
Definition: ikev2.c:227
ipsec_sa_t * sad
Definition: ipsec.h:97
#define IKEV2_PAYLOAD_AUTH
Definition: ikev2.h:98
IPv4 main type.
Definition: ip4.h:105
#define ikev2_payload_new_chain(V)
Definition: ikev2_priv.h:328
#define IKEV2_PAYLOAD_SK
Definition: ikev2.h:105
ikev2_sa_proposal_t * r_proposal
Definition: ikev2_priv.h:165
u8 * sk_ai
Definition: ikev2_priv.h:222
#define IKE_VERSION_2
Definition: ikev2.h:80
void ikev2_complete_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:603
#define vec_append(v1, v2)
Append v2 after v1.
Definition: vec.h:818
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
Definition: buffer.h:248
static vlib_node_registration_t ikev2_node
(constructor) VLIB_REGISTER_NODE (ikev2_node)
Definition: ikev2.c:58
u16 dh_group
Definition: ikev2_priv.h:210
static u8 plaintext[]
Definition: aes_cbc.c:29
ikev2_sa_proposal_t * i_proposal
Definition: ikev2_priv.h:164
#define IKEV2_PAYLOAD_TSI
Definition: ikev2.h:103
EVP_PKEY * key
Definition: ikev2_priv.h:58
static int ikev2_retransmit_resp(ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:2044
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:55
ikev2_transform_encr_type_t encr_type
Definition: ikev2_priv.h:73
struct _vlib_node_registration vlib_node_registration_t
u8 * last_res_packet_data
Definition: ikev2_priv.h:249
ikev2_transform_integ_type_t integ_type
Definition: ikev2_priv.h:75
static char * ikev2_error_strings[]
Definition: ikev2.c:76
static void ikev2_process_sa_init_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:558
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
u16 start_port
Definition: ikev2_priv.h:104
void ikev2_payload_chain_add_padding(ikev2_payload_chain_t *c, int bs)
u8 * sk_pr
Definition: ikev2_priv.h:227
VLIB buffer representation.
Definition: buffer.h:102
u64 uword
Definition: types.h:112
#define IKEV2_PAYLOAD_IDI
Definition: ikev2.h:96
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2873
ikev2_id_t i_id
Definition: ikev2_priv.h:234
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:244
typedef key
Definition: ipsec.api:247
static void ikev2_process_create_child_sa_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:1048
ikev2_ts_t * tsr
Definition: ikev2_priv.h:139
ikev2_child_sa_t * childs
Definition: ikev2_priv.h:256
ikev2_transform_prf_type_t prf_type
Definition: ikev2_priv.h:74
Linear Congruential Random Number Generator.
#define IKEV2_EXCHANGE_IKE_AUTH
Definition: ikev2.h:83
static int ikev2_ts_cmp(ikev2_ts_t *ts1, ikev2_ts_t *ts2)
Definition: ikev2.c:1232
#define vnet_buffer(b)
Definition: buffer.h:365
clib_error_t * ikev2_init(vlib_main_t *vm)
Definition: ikev2.c:3318
static u32 random_u32(u32 *seed)
32-bit random number generator
Definition: random.h:69
ikev2_error_t
Definition: ikev2.c:68
ip4_main_t ip4_main
Global ip4 main structure.
Definition: ip4_forward.c:1076
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
static u8 ikev2_mngr_process_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3357
uword * sa_by_ispi
Definition: ikev2_priv.h:290
#define vec_foreach(var, vec)
Vector iterator.
u8 unsupported_cp
Definition: ikev2_priv.h:200
u8 is_profile_index_set
Definition: ikev2_priv.h:253
static void ikev2_sa_free_all_child_sa(ikev2_child_sa_t **childs)
Definition: ikev2.c:260
u16 flags
Copy of main node flags.
Definition: node.h:509
static ikev2_sa_proposal_t * ikev2_select_proposal(ikev2_sa_proposal_t *proposals, ikev2_protocol_id_t prot_id)
Definition: ikev2.c:118
u32 profile_index
Definition: ikev2_priv.h:254
u32 id
Definition: udp.api:45
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:468
u8 ip_version_and_header_length
Definition: ip4_packet.h:138
static void * ip_interface_address_get_address(ip_lookup_main_t *lm, ip_interface_address_t *a)
Definition: lookup.h:199
ikev2_transform_type_t
Definition: ikev2.h:203
ikev2_transforms_set esp_ts
Definition: ikev2_priv.h:190
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:302
void ikev2_crypto_init(ikev2_main_t *km)
Definition: ikev2_crypto.c:818
void ikev2_payload_add_ts(ikev2_payload_chain_t *c, ikev2_ts_t *ts, u8 type)
static u32 vlib_buffer_alloc(vlib_main_t *vm, u32 *buffers, u32 n_buffers)
Allocate buffers into supplied array.
Definition: buffer_funcs.h:612
vlib_main_t * vlib_main
Definition: ikev2_priv.h:284
v8 * ikev2_decrypt_data(ikev2_sa_t *sa, u8 *data, int len)
Definition: ikev2_crypto.c:373
static void ikev2_sa_free_all_vec(ikev2_sa_t *sa)
Definition: ikev2.c:276
#define VLIB_INITS(...)
Definition: init.h:344
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
Definition: buffer_funcs.h:85
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:247
u8 * ikev2_calc_sign(EVP_PKEY *pkey, u8 *data)
Definition: ikev2_crypto.c:732
v8 * ikev2_calc_integr(ikev2_sa_transform_t *tr, v8 *key, u8 *data, int len)
Definition: ikev2_crypto.c:329
u8 * format_ikev2_id_type(u8 *s, va_list *args)
Definition: defs.h:46
#define foreach_ikev2_error
Definition: ikev2.c:60
u32 sw_if_index
Definition: ikev2.c:43
void ikev2_payload_add_notify_2(ikev2_payload_chain_t *c, u16 msg_type, u8 *data, ikev2_notify_t *notify)
ikev2_delete_t * ikev2_parse_delete_payload(ike_payload_header_t *ikep)