FD.io VPP  v17.07-30-g839fa73
Vector Packet Processing
ikev2.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vppinfra/error.h>
20 #include <vnet/udp/udp.h>
21 #include <vnet/ipsec/ipsec.h>
22 #include <vnet/ipsec/ikev2.h>
23 #include <vnet/ipsec/ikev2_priv.h>
24 #include <openssl/sha.h>
25 
26 static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
27  ikev2_sa_t * sa,
28  ikev2_child_sa_t * child);
29 
30 #define ikev2_set_state(sa, v) do { \
31  (sa)->state = v; \
32  clib_warning("sa state changed to " #v); \
33  } while(0);
34 
35 typedef struct
36 {
37  u32 next_index;
38  u32 sw_if_index;
39 } ikev2_trace_t;
40 
41 static u8 *
42 format_ikev2_trace (u8 * s, va_list * args)
43 {
44  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
45  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
46  ikev2_trace_t *t = va_arg (*args, ikev2_trace_t *);
47 
48  s = format (s, "ikev2: sw_if_index %d, next index %d",
49  t->sw_if_index, t->next_index);
50  return s;
51 }
52 
53 static vlib_node_registration_t ikev2_node;
54 
55 #define foreach_ikev2_error \
56 _(PROCESSED, "IKEv2 packets processed") \
57 _(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \
58 _(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \
59 _(IKE_REQ_RETRANSMIT, "IKE request retransmit") \
60 _(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \
61 _(NOT_IKEV2, "Non IKEv2 packets received")
62 
63 typedef enum
64 {
65 #define _(sym,str) IKEV2_ERROR_##sym,
66  foreach_ikev2_error
67 #undef _
68  IKEV2_N_ERROR,
69 } ikev2_error_t;
70 
71 static char *ikev2_error_strings[] = {
72 #define _(sym,string) string,
73  foreach_ikev2_error
74 #undef _
75 };
76 
77 typedef enum
78 {
79  IKEV2_NEXT_IP4_LOOKUP,
80  IKEV2_NEXT_ERROR_DROP,
81  IKEV2_N_NEXT,
82 } ikev2_next_t;
83 
84 static ikev2_sa_transform_t *
85 ikev2_find_transform_data (ikev2_sa_transform_t * t)
86 {
87  ikev2_main_t *km = &ikev2_main;
88  ikev2_sa_transform_t *td;
89 
90  vec_foreach (td, km->supported_transforms)
91  {
92  if (td->type != t->type)
93  continue;
94 
95  if (td->transform_id != t->transform_id)
96  continue;
97 
98  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR)
99  {
100  if (vec_len (t->attrs) != 4 || t->attrs[0] != 0x80
101  || t->attrs[1] != 14)
102  continue;
103 
104  if (((t->attrs[2] << 8 | t->attrs[3]) / 8) != td->key_len)
105  continue;
106  }
107  return td;
108  }
109  return 0;
110 }
111 
112 static ikev2_sa_proposal_t *
113 ikev2_select_proposal (ikev2_sa_proposal_t * proposals,
114  ikev2_protocol_id_t prot_id)
115 {
116  ikev2_sa_proposal_t *rv = 0;
117  ikev2_sa_proposal_t *proposal;
118  ikev2_sa_transform_t *transform, *new_t;
119  u8 mandatory_bitmap, optional_bitmap;
120 
121  if (prot_id == IKEV2_PROTOCOL_IKE)
122  {
123  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
124  (1 << IKEV2_TRANSFORM_TYPE_PRF) |
125  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
126  optional_bitmap = mandatory_bitmap;
127  }
128  else if (prot_id == IKEV2_PROTOCOL_ESP)
129  {
130  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
131  (1 << IKEV2_TRANSFORM_TYPE_ESN);
132  optional_bitmap = mandatory_bitmap |
133  (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
134  }
135  else if (prot_id == IKEV2_PROTOCOL_AH)
136  {
137  mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
138  (1 << IKEV2_TRANSFORM_TYPE_ESN);
139  optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
140  }
141  else
142  return 0;
143 
144  vec_add2 (rv, proposal, 1);
145 
146  vec_foreach (proposal, proposals)
147  {
148  u8 bitmap = 0;
149  if (proposal->protocol_id != prot_id)
150  continue;
151 
152  vec_foreach (transform, proposal->transforms)
153  {
154  if ((1 << transform->type) & bitmap)
155  continue;
156 
157  if (ikev2_find_transform_data (transform))
158  {
159  bitmap |= 1 << transform->type;
160  vec_add2 (rv->transforms, new_t, 1);
161  clib_memcpy (new_t, transform, sizeof (*new_t));
162  new_t->attrs = vec_dup (transform->attrs);
163  }
164  }
165 
166  clib_warning ("bitmap is %x mandatory is %x optional is %x",
167  bitmap, mandatory_bitmap, optional_bitmap);
168 
169  if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
170  (bitmap & ~optional_bitmap) == 0)
171  {
172  rv->proposal_num = proposal->proposal_num;
173  rv->protocol_id = proposal->protocol_id;
174  RAND_bytes ((u8 *) & rv->spi, sizeof (rv->spi));
175  goto done;
176  }
177  else
178  {
179  vec_free (rv->transforms);
180  }
181  }
182 
183  vec_free (rv);
184 done:
185  return rv;
186 }
187 
188 ikev2_sa_transform_t *
189 ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p,
190  ikev2_transform_type_t type)
191 {
192  ikev2_sa_transform_t *t;
193 
194  if (!p)
195  return 0;
196 
197  vec_foreach (t, p->transforms)
198  {
199  if (t->type == type)
200  return ikev2_find_transform_data (t);
201  }
202  return 0;
203 }
204 
205 ikev2_child_sa_t *
206 ikev2_sa_get_child (ikev2_sa_t * sa, u32 spi, ikev2_protocol_id_t prot_id,
207  int by_initiator)
208 {
209  ikev2_child_sa_t *c;
210  vec_foreach (c, sa->childs)
211  {
212  ikev2_sa_proposal_t *proposal =
213  by_initiator ? &c->i_proposals[0] : &c->r_proposals[0];
214  if (proposal && proposal->spi == spi && proposal->protocol_id == prot_id)
215  return c;
216  }
217 
218  return 0;
219 }
220 
221 void
222 ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v)
223 {
224  ikev2_sa_proposal_t *p;
225  ikev2_sa_transform_t *t;
226 
227  if (!*v)
228  return;
229 
230  vec_foreach (p, *v)
231  {
232  vec_foreach (t, p->transforms)
233  {
234  vec_free (t->attrs);
235  }
236  vec_free (p->transforms);
237  }
238  vec_free (*v);
239 };
240 
241 static void
242 ikev2_sa_free_all_child_sa (ikev2_child_sa_t ** childs)
243 {
244  ikev2_child_sa_t *c;
245  vec_foreach (c, *childs)
246  {
247  ikev2_sa_free_proposal_vector (&c->r_proposals);
248  ikev2_sa_free_proposal_vector (&c->i_proposals);
249  vec_free (c->sk_ai);
250  vec_free (c->sk_ar);
251  vec_free (c->sk_ei);
252  vec_free (c->sk_er);
253  }
254 
255  vec_free (*childs);
256 }
257 
258 static void
259 ikev2_sa_del_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * child)
260 {
261  ikev2_sa_free_proposal_vector (&child->r_proposals);
262  ikev2_sa_free_proposal_vector (&child->i_proposals);
263  vec_free (child->sk_ai);
264  vec_free (child->sk_ar);
265  vec_free (child->sk_ei);
266  vec_free (child->sk_er);
267 
268  vec_del1 (sa->childs, child - sa->childs);
269 }
270 
271 static void
272 ikev2_sa_free_all_vec (ikev2_sa_t * sa)
273 {
274  vec_free (sa->i_nonce);
275  vec_free (sa->i_dh_data);
276  vec_free (sa->dh_shared_key);
277  vec_free (sa->dh_private_key);
278 
279  ikev2_sa_free_proposal_vector (&sa->r_proposals);
280  ikev2_sa_free_proposal_vector (&sa->i_proposals);
281 
282  vec_free (sa->sk_d);
283  vec_free (sa->sk_ai);
284  vec_free (sa->sk_ar);
285  vec_free (sa->sk_ei);
286  vec_free (sa->sk_er);
287  vec_free (sa->sk_pi);
288  vec_free (sa->sk_pr);
289 
290  vec_free (sa->i_id.data);
291  vec_free (sa->i_auth.data);
292  vec_free (sa->r_id.data);
293  vec_free (sa->r_auth.data);
294  if (sa->r_auth.key)
295  EVP_PKEY_free (sa->r_auth.key);
296 
297  vec_free (sa->del);
298 
299  ikev2_sa_free_all_child_sa (&sa->childs);
300 }
301 
302 static void
303 ikev2_delete_sa (ikev2_sa_t * sa)
304 {
305  ikev2_main_t *km = &ikev2_main;
306  u32 thread_index = vlib_get_thread_index ();
307  uword *p;
308 
309  ikev2_sa_free_all_vec (sa);
310 
311  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
312  if (p)
313  {
314  hash_unset (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
315  pool_put (km->per_thread_data[thread_index].sas, sa);
316  }
317 }
318 
319 static void
320 ikev2_generate_sa_init_data (ikev2_sa_t * sa)
321 {
322  ikev2_sa_transform_t *t = 0, *t2;
323  ikev2_main_t *km = &ikev2_main;
324 
325  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
326  {
327  return;
328  }
329 
330  /* check if received DH group is on our list of supported groups */
331  vec_foreach (t2, km->supported_transforms)
332  {
333  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
334  {
335  t = t2;
336  break;
337  }
338  }
339 
340  if (!t)
341  {
342  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
343  vec_len (sa->i_dh_data));
344  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
345  return;
346  }
347 
348  if (sa->is_initiator)
349  {
350  /* generate rspi */
351  RAND_bytes ((u8 *) & sa->ispi, 8);
352 
353  /* generate nonce */
354  sa->i_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
355  RAND_bytes ((u8 *) sa->i_nonce, IKEV2_NONCE_SIZE);
356  }
357  else
358  {
359  /* generate rspi */
360  RAND_bytes ((u8 *) & sa->rspi, 8);
361 
362  /* generate nonce */
363  sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
364  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
365  }
366 
367  /* generate dh keys */
368  ikev2_generate_dh (sa, t);
369 
370 }
371 
372 static void
373 ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
374 {
375  ikev2_sa_transform_t *t = 0, *t2;
376  ikev2_main_t *km = &ikev2_main;
377 
378 
379  /*move some data to the new SA */
380 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
381  sa->i_nonce = _(sai->i_nonce);
382  sa->i_dh_data = _(sai->i_dh_data);
383  sa->dh_private_key = _(sai->dh_private_key);
384  sa->iaddr.as_u32 = sai->iaddr.as_u32;
385  sa->raddr.as_u32 = sai->raddr.as_u32;
386  sa->is_initiator = sai->is_initiator;
387  sa->profile = sai->profile;
388  sa->i_id.type = sai->i_id.type;
389  sa->i_id.data = _(sai->i_id.data);
390  sa->i_auth.method = sai->i_auth.method;
391  sa->i_auth.hex = sai->i_auth.hex;
392  sa->i_auth.data = _(sai->i_auth.data);
393  sa->i_auth.key = _(sai->i_auth.key);
394  sa->last_sa_init_req_packet_data = _(sai->last_sa_init_req_packet_data);
395  sa->childs = _(sai->childs);
396 #undef _
397 
398 
399  if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
400  {
401  return;
402  }
403 
404  /* check if received DH group is on our list of supported groups */
405  vec_foreach (t2, km->supported_transforms)
406  {
407  if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
408  {
409  t = t2;
410  break;
411  }
412  }
413 
414  if (!t)
415  {
416  clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
417  vec_len (sa->i_dh_data));
418  sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
419  return;
420  }
421 
422 
423  /* generate dh keys */
424  ikev2_complete_dh (sa, t);
425 
426 }
427 
428 static void
429 ikev2_calc_keys (ikev2_sa_t * sa)
430 {
431  u8 *tmp;
432  /* calculate SKEYSEED = prf(Ni | Nr, g^ir) */
433  u8 *skeyseed = 0;
434  u8 *s = 0;
435  ikev2_sa_transform_t *tr_encr, *tr_prf, *tr_integ;
436  tr_encr =
437  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
438  tr_prf =
439  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
440  tr_integ =
441  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
442 
443  vec_append (s, sa->i_nonce);
444  vec_append (s, sa->r_nonce);
445  skeyseed = ikev2_calc_prf (tr_prf, s, sa->dh_shared_key);
446 
447  /* Calculate S = Ni | Nr | SPIi | SPIr */
448  u64 *spi;
449  vec_add2 (s, tmp, 2 * sizeof (*spi));
450  spi = (u64 *) tmp;
451  spi[0] = clib_host_to_net_u64 (sa->ispi);
452  spi[1] = clib_host_to_net_u64 (sa->rspi);
453 
454  /* calculate PRFplus */
455  u8 *keymat;
456  int len = tr_prf->key_trunc + /* SK_d */
457  tr_integ->key_len * 2 + /* SK_ai, SK_ar */
458  tr_encr->key_len * 2 + /* SK_ei, SK_er */
459  tr_prf->key_len * 2; /* SK_pi, SK_pr */
460 
461  keymat = ikev2_calc_prfplus (tr_prf, skeyseed, s, len);
462  vec_free (skeyseed);
463  vec_free (s);
464 
465  int pos = 0;
466 
467  /* SK_d */
468  sa->sk_d = vec_new (u8, tr_prf->key_trunc);
469  clib_memcpy (sa->sk_d, keymat + pos, tr_prf->key_trunc);
470  pos += tr_prf->key_trunc;
471 
472  /* SK_ai */
473  sa->sk_ai = vec_new (u8, tr_integ->key_len);
474  clib_memcpy (sa->sk_ai, keymat + pos, tr_integ->key_len);
475  pos += tr_integ->key_len;
476 
477  /* SK_ar */
478  sa->sk_ar = vec_new (u8, tr_integ->key_len);
479  clib_memcpy (sa->sk_ar, keymat + pos, tr_integ->key_len);
480  pos += tr_integ->key_len;
481 
482  /* SK_ei */
483  sa->sk_ei = vec_new (u8, tr_encr->key_len);
484  clib_memcpy (sa->sk_ei, keymat + pos, tr_encr->key_len);
485  pos += tr_encr->key_len;
486 
487  /* SK_er */
488  sa->sk_er = vec_new (u8, tr_encr->key_len);
489  clib_memcpy (sa->sk_er, keymat + pos, tr_encr->key_len);
490  pos += tr_encr->key_len;
491 
492  /* SK_pi */
493  sa->sk_pi = vec_new (u8, tr_prf->key_len);
494  clib_memcpy (sa->sk_pi, keymat + pos, tr_prf->key_len);
495  pos += tr_prf->key_len;
496 
497  /* SK_pr */
498  sa->sk_pr = vec_new (u8, tr_prf->key_len);
499  clib_memcpy (sa->sk_pr, keymat + pos, tr_prf->key_len);
500  pos += tr_prf->key_len;
501 
502  vec_free (keymat);
503 }
504 
505 static void
506 ikev2_calc_child_keys (ikev2_sa_t * sa, ikev2_child_sa_t * child)
507 {
508  u8 *s = 0;
509  ikev2_sa_transform_t *tr_prf, *ctr_encr, *ctr_integ;
510  tr_prf =
511  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
512  ctr_encr =
513  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
514  ctr_integ =
515  ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
516 
517  vec_append (s, sa->i_nonce);
518  vec_append (s, sa->r_nonce);
519  /* calculate PRFplus */
520  u8 *keymat;
521  int len = ctr_encr->key_len * 2 + ctr_integ->key_len * 2;
522 
523  keymat = ikev2_calc_prfplus (tr_prf, sa->sk_d, s, len);
524 
525  int pos = 0;
526 
527  /* SK_ei */
528  child->sk_ei = vec_new (u8, ctr_encr->key_len);
529  clib_memcpy (child->sk_ei, keymat + pos, ctr_encr->key_len);
530  pos += ctr_encr->key_len;
531 
532  /* SK_ai */
533  child->sk_ai = vec_new (u8, ctr_integ->key_len);
534  clib_memcpy (child->sk_ai, keymat + pos, ctr_integ->key_len);
535  pos += ctr_integ->key_len;
536 
537  /* SK_er */
538  child->sk_er = vec_new (u8, ctr_encr->key_len);
539  clib_memcpy (child->sk_er, keymat + pos, ctr_encr->key_len);
540  pos += ctr_encr->key_len;
541 
542  /* SK_ar */
543  child->sk_ar = vec_new (u8, ctr_integ->key_len);
544  clib_memcpy (child->sk_ar, keymat + pos, ctr_integ->key_len);
545  pos += ctr_integ->key_len;
546 
547  ASSERT (pos == len);
548 
549  vec_free (keymat);
550 }
551 
552 static void
553 ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa,
554  ike_header_t * ike)
555 {
556  int p = 0;
557  u32 len = clib_net_to_host_u32 (ike->length);
558  u8 payload = ike->nextpayload;
559 
560  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
561  "exchange %x flags %x msgid %x length %u",
562  clib_net_to_host_u64 (ike->ispi),
563  clib_net_to_host_u64 (ike->rspi),
564  payload, ike->version,
565  ike->exchange, ike->flags,
566  clib_net_to_host_u32 (ike->msgid), len);
567 
568  sa->ispi = clib_net_to_host_u64 (ike->ispi);
569 
570  /* store whole IKE payload - needed for PSK auth */
571  vec_free (sa->last_sa_init_req_packet_data);
572  vec_add (sa->last_sa_init_req_packet_data, ike, len);
573 
574  while (p < len && payload != IKEV2_PAYLOAD_NONE)
575  {
576  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
577  u32 plen = clib_net_to_host_u16 (ikep->length);
578 
579  if (plen < sizeof (ike_payload_header_t))
580  return;
581 
582  if (payload == IKEV2_PAYLOAD_SA)
583  {
584  ikev2_sa_free_proposal_vector (&sa->i_proposals);
585  sa->i_proposals = ikev2_parse_sa_payload (ikep);
586  }
587  else if (payload == IKEV2_PAYLOAD_KE)
588  {
589  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
590  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
591  vec_free (sa->i_dh_data);
592  vec_add (sa->i_dh_data, ke->payload, plen - sizeof (*ke));
593  }
594  else if (payload == IKEV2_PAYLOAD_NONCE)
595  {
596  vec_free (sa->i_nonce);
597  vec_add (sa->i_nonce, ikep->payload, plen - sizeof (*ikep));
598  }
599  else if (payload == IKEV2_PAYLOAD_NOTIFY)
600  {
601  ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
602  vec_free (n);
603  }
604  else if (payload == IKEV2_PAYLOAD_VENDOR)
605  {
606  ikev2_parse_vendor_payload (ikep);
607  }
608  else
609  {
610  clib_warning ("unknown payload %u flags %x length %u", payload,
611  ikep->flags, plen);
612  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
613  {
614  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
615  sa->unsupported_cp = payload;
616  return;
617  }
618  }
619 
620  payload = ikep->nextpayload;
621  p += plen;
622  }
623 
624  ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
625 }
626 
627 static void
628 ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa,
629  ike_header_t * ike)
630 {
631  int p = 0;
632  u32 len = clib_net_to_host_u32 (ike->length);
633  u8 payload = ike->nextpayload;
634 
635  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
636  "exchange %x flags %x msgid %x length %u",
637  clib_net_to_host_u64 (ike->ispi),
638  clib_net_to_host_u64 (ike->rspi),
639  payload, ike->version,
640  ike->exchange, ike->flags,
641  clib_net_to_host_u32 (ike->msgid), len);
642 
643  sa->ispi = clib_net_to_host_u64 (ike->ispi);
644  sa->rspi = clib_net_to_host_u64 (ike->rspi);
645 
646  /* store whole IKE payload - needed for PSK auth */
647  vec_free (sa->last_sa_init_res_packet_data);
648  vec_add (sa->last_sa_init_res_packet_data, ike, len);
649 
650  while (p < len && payload != IKEV2_PAYLOAD_NONE)
651  {
652  ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
653  u32 plen = clib_net_to_host_u16 (ikep->length);
654 
655  if (plen < sizeof (ike_payload_header_t))
656  return;
657 
658  if (payload == IKEV2_PAYLOAD_SA)
659  {
660  ikev2_sa_free_proposal_vector (&sa->r_proposals);
661  sa->r_proposals = ikev2_parse_sa_payload (ikep);
662  if (sa->r_proposals)
663  {
664  ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
665  ike->msgid =
666  clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
667  }
668  }
669  else if (payload == IKEV2_PAYLOAD_KE)
670  {
671  ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
672  sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
673  vec_free (sa->r_dh_data);
674  vec_add (sa->r_dh_data, ke->payload, plen - sizeof (*ke));
675  }
676  else if (payload == IKEV2_PAYLOAD_NONCE)
677  {
678  vec_free (sa->r_nonce);
679  vec_add (sa->r_nonce, ikep->payload, plen - sizeof (*ikep));
680  }
681  else if (payload == IKEV2_PAYLOAD_NOTIFY)
682  {
683  ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
684  vec_free (n);
685  }
686  else if (payload == IKEV2_PAYLOAD_VENDOR)
687  {
688  ikev2_parse_vendor_payload (ikep);
689  }
690  else
691  {
692  clib_warning ("unknown payload %u flags %x length %u", payload,
693  ikep->flags, plen);
694  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
695  {
696  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
697  sa->unsupported_cp = payload;
698  return;
699  }
700  }
701 
702  payload = ikep->nextpayload;
703  p += plen;
704  }
705 }
706 
707 static u8 *
708 ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
709 {
710  int p = 0;
711  u8 last_payload = 0;
712  u8 *hmac = 0;
713  u32 len = clib_net_to_host_u32 (ike->length);
714  ike_payload_header_t *ikep = 0;
715  u32 plen = 0;
716  ikev2_sa_transform_t *tr_integ;
717  tr_integ =
718  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
719 
720  while (p < len &&
721  *payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK)
722  {
723  ikep = (ike_payload_header_t *) & ike->payload[p];
724  plen = clib_net_to_host_u16 (ikep->length);
725 
726  if (plen < sizeof (*ikep))
727  return 0;
728 
729  if (*payload == IKEV2_PAYLOAD_SK)
730  {
731  clib_warning ("received IKEv2 payload SK, len %u", plen - 4);
732  last_payload = *payload;
733  }
734  else
735  {
736  clib_warning ("unknown payload %u flags %x length %u", payload,
737  ikep->flags, plen);
738  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
739  {
740  sa->unsupported_cp = *payload;
741  return 0;
742  }
743  }
744 
745  *payload = ikep->nextpayload;
746  p += plen;
747  }
748 
749  if (last_payload != IKEV2_PAYLOAD_SK)
750  {
751  clib_warning ("Last payload must be SK");
752  return 0;
753  }
754 
755  hmac =
756  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai,
757  (u8 *) ike, len - tr_integ->key_trunc);
758 
759  plen = plen - sizeof (*ikep) - tr_integ->key_trunc;
760 
761  if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
762  {
763  clib_warning ("message integrity check failed");
764  vec_free (hmac);
765  return 0;
766  }
767  vec_free (hmac);
768 
769  return ikev2_decrypt_data (sa, ikep->payload, plen);
770 }
771 
772 static void
773 ikev2_initial_contact_cleanup (ikev2_sa_t * sa)
774 {
775  ikev2_main_t *km = &ikev2_main;
776  ikev2_sa_t *tmp;
777  u32 i, *delete = 0;
778  ikev2_child_sa_t *c;
779  u32 thread_index = vlib_get_thread_index ();
780 
781  if (!sa->initial_contact)
782  return;
783 
784  /* find old IKE SAs with the same authenticated identity */
785  /* *INDENT-OFF* */
786  pool_foreach (tmp, km->per_thread_data[thread_index].sas, ({
787  if (tmp->i_id.type != sa->i_id.type ||
788  vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) ||
789  memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data)))
790  continue;
791 
792  if (sa->rspi != tmp->rspi)
793  vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
794  }));
795  /* *INDENT-ON* */
796 
797  for (i = 0; i < vec_len (delete); i++)
798  {
799  tmp =
800  pool_elt_at_index (km->per_thread_data[thread_index].sas, delete[i]);
801  vec_foreach (c,
802  tmp->childs) ikev2_delete_tunnel_interface (km->vnet_main,
803  tmp, c);
804  ikev2_delete_sa (tmp);
805  }
806 
807  vec_free (delete);
808  sa->initial_contact = 0;
809 }
810 
811 static void
812 ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
813 {
814  ikev2_child_sa_t *first_child_sa;
815  int p = 0;
816  u32 len = clib_net_to_host_u32 (ike->length);
817  u8 payload = ike->nextpayload;
818  u8 *plaintext = 0;
819 
820  ike_payload_header_t *ikep;
821  u32 plen;
822 
823  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
824  "exchange %x flags %x msgid %x length %u",
825  clib_net_to_host_u64 (ike->ispi),
826  clib_net_to_host_u64 (ike->rspi),
827  payload, ike->version,
828  ike->exchange, ike->flags,
829  clib_net_to_host_u32 (ike->msgid), len);
830 
831  ikev2_calc_keys (sa);
832 
833  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
834 
835  if (!plaintext)
836  {
837  if (sa->unsupported_cp)
838  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
839  goto cleanup_and_exit;
840  }
841 
842  /* select or create 1st child SA */
843  if (sa->is_initiator)
844  {
845  first_child_sa = &sa->childs[0];
846  }
847  else
848  {
849  ikev2_sa_free_all_child_sa (&sa->childs);
850  vec_add2 (sa->childs, first_child_sa, 1);
851  }
852 
853 
854  /* process encrypted payload */
855  p = 0;
856  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
857  {
858  ikep = (ike_payload_header_t *) & plaintext[p];
859  plen = clib_net_to_host_u16 (ikep->length);
860 
861  if (plen < sizeof (ike_payload_header_t))
862  goto cleanup_and_exit;
863 
864  if (payload == IKEV2_PAYLOAD_SA) /* 33 */
865  {
866  clib_warning ("received payload SA, len %u", plen - sizeof (*ikep));
867  if (sa->is_initiator)
868  {
869  ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
870  first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep);
871  }
872  else
873  {
874  ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals);
875  first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
876  }
877  }
878  else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
879  {
880  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
881 
882  sa->i_id.type = id->id_type;
883  vec_free (sa->i_id.data);
884  vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
885 
886  clib_warning ("received payload IDi, len %u id_type %u",
887  plen - sizeof (*id), id->id_type);
888  }
889  else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
890  {
891  ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
892 
893  sa->r_id.type = id->id_type;
894  vec_free (sa->r_id.data);
895  vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
896 
897  clib_warning ("received payload IDr len %u id_type %u",
898  plen - sizeof (*id), id->id_type);
899  }
900  else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
901  {
902  ike_auth_payload_header_t *a = (ike_auth_payload_header_t *) ikep;
903 
904  if (sa->is_initiator)
905  {
906  sa->r_auth.method = a->auth_method;
907  vec_free (sa->r_auth.data);
908  vec_add (sa->r_auth.data, a->payload, plen - sizeof (*a));
909  }
910  else
911  {
912  sa->i_auth.method = a->auth_method;
913  vec_free (sa->i_auth.data);
914  vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a));
915  }
916 
917  clib_warning ("received payload AUTH, len %u auth_type %u",
918  plen - sizeof (*a), a->auth_method);
919  }
920  else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
921  {
922  ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
923  if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
924  {
925  sa->initial_contact = 1;
926  }
927  vec_free (n);
928  }
929  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
930  {
931  ikev2_parse_vendor_payload (ikep);
932  }
933  else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
934  {
935  clib_warning ("received payload TSi, len %u",
936  plen - sizeof (*ikep));
937 
938  vec_free (first_child_sa->tsi);
939  first_child_sa->tsi = ikev2_parse_ts_payload (ikep);
940  }
941  else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
942  {
943  clib_warning ("received payload TSr, len %u",
944  plen - sizeof (*ikep));
945 
946  vec_free (first_child_sa->tsr);
947  first_child_sa->tsr = ikev2_parse_ts_payload (ikep);
948  }
949  else
950  {
951  clib_warning ("unknown payload %u flags %x length %u data %u",
952  payload, ikep->flags, plen - 4,
953  format_hex_bytes, ikep->payload, plen - 4);
954 
955  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
956  {
957  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
958  sa->unsupported_cp = payload;
959  return;
960  }
961  }
962 
963  payload = ikep->nextpayload;
964  p += plen;
965  }
966 
967 cleanup_and_exit:
968  vec_free (plaintext);
969 }
970 
971 static void
972 ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa,
973  ike_header_t * ike)
974 {
975  int p = 0;
976  u32 len = clib_net_to_host_u32 (ike->length);
977  u8 payload = ike->nextpayload;
978  u8 *plaintext = 0;
979 
980  ike_payload_header_t *ikep;
981  u32 plen;
982 
983  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
984  "exchange %x flags %x msgid %x length %u",
985  clib_net_to_host_u64 (ike->ispi),
986  clib_net_to_host_u64 (ike->rspi),
987  payload, ike->version,
988  ike->exchange, ike->flags,
989  clib_net_to_host_u32 (ike->msgid), len);
990 
991  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
992 
993  if (!plaintext)
994  goto cleanup_and_exit;
995 
996  /* process encrypted payload */
997  p = 0;
998  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
999  {
1000  ikep = (ike_payload_header_t *) & plaintext[p];
1001  plen = clib_net_to_host_u16 (ikep->length);
1002 
1003  if (plen < sizeof (ike_payload_header_t))
1004  goto cleanup_and_exit;
1005 
1006  if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
1007  {
1008  ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
1009  if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1010  ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1011  vec_free (n);
1012  }
1013  else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */
1014  {
1015  sa->del = ikev2_parse_delete_payload (ikep);
1016  }
1017  else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
1018  {
1019  ikev2_parse_vendor_payload (ikep);
1020  }
1021  else
1022  {
1023  clib_warning ("unknown payload %u flags %x length %u data %u",
1024  payload, ikep->flags, plen - 4,
1025  format_hex_bytes, ikep->payload, plen - 4);
1026 
1027  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1028  {
1029  sa->unsupported_cp = payload;
1030  return;
1031  }
1032  }
1033 
1034  payload = ikep->nextpayload;
1035  p += plen;
1036  }
1037 
1038 cleanup_and_exit:
1039  vec_free (plaintext);
1040 }
1041 
1042 static void
1043 ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
1044  ike_header_t * ike)
1045 {
1046  int p = 0;
1047  u32 len = clib_net_to_host_u32 (ike->length);
1048  u8 payload = ike->nextpayload;
1049  u8 *plaintext = 0;
1050  u8 rekeying = 0;
1051  u8 nonce[IKEV2_NONCE_SIZE];
1052 
1053  ike_payload_header_t *ikep;
1054  u32 plen;
1055  ikev2_notify_t *n = 0;
1056  ikev2_ts_t *tsi = 0;
1057  ikev2_ts_t *tsr = 0;
1058  ikev2_sa_proposal_t *proposal = 0;
1059  ikev2_child_sa_t *child_sa;
1060 
1061  clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
1062  "exchange %x flags %x msgid %x length %u",
1063  clib_net_to_host_u64 (ike->ispi),
1064  clib_net_to_host_u64 (ike->rspi),
1065  payload, ike->version,
1066  ike->exchange, ike->flags,
1067  clib_net_to_host_u32 (ike->msgid), len);
1068 
1069  plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
1070 
1071  if (!plaintext)
1072  goto cleanup_and_exit;
1073 
1074  /* process encrypted payload */
1075  p = 0;
1076  while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
1077  {
1078  ikep = (ike_payload_header_t *) & plaintext[p];
1079  plen = clib_net_to_host_u16 (ikep->length);
1080 
1081  if (plen < sizeof (ike_payload_header_t))
1082  goto cleanup_and_exit;
1083 
1084  else if (payload == IKEV2_PAYLOAD_SA)
1085  {
1086  proposal = ikev2_parse_sa_payload (ikep);
1087  }
1088  else if (payload == IKEV2_PAYLOAD_NOTIFY)
1089  {
1090  n = ikev2_parse_notify_payload (ikep);
1091  if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1092  {
1093  rekeying = 1;
1094  }
1095  }
1096  else if (payload == IKEV2_PAYLOAD_DELETE)
1097  {
1098  sa->del = ikev2_parse_delete_payload (ikep);
1099  }
1100  else if (payload == IKEV2_PAYLOAD_VENDOR)
1101  {
1102  ikev2_parse_vendor_payload (ikep);
1103  }
1104  else if (payload == IKEV2_PAYLOAD_NONCE)
1105  {
1106  clib_memcpy (nonce, ikep->payload, plen - sizeof (*ikep));
1107  }
1108  else if (payload == IKEV2_PAYLOAD_TSI)
1109  {
1110  tsi = ikev2_parse_ts_payload (ikep);
1111  }
1112  else if (payload == IKEV2_PAYLOAD_TSR)
1113  {
1114  tsr = ikev2_parse_ts_payload (ikep);
1115  }
1116  else
1117  {
1118  clib_warning ("unknown payload %u flags %x length %u data %u",
1119  payload, ikep->flags, plen - 4,
1120  format_hex_bytes, ikep->payload, plen - 4);
1121 
1122  if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1123  {
1124  sa->unsupported_cp = payload;
1125  return;
1126  }
1127  }
1128 
1129  payload = ikep->nextpayload;
1130  p += plen;
1131  }
1132 
1133  if (sa->is_initiator && proposal->protocol_id == IKEV2_PROTOCOL_ESP)
1134  {
1135  ikev2_rekey_t *rekey = &sa->rekey[0];
1136  rekey->protocol_id = proposal->protocol_id;
1137  rekey->i_proposal =
1138  ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
1139  rekey->i_proposal->spi = rekey->spi;
1140  rekey->r_proposal = proposal;
1141  rekey->tsi = tsi;
1142  rekey->tsr = tsr;
1143  /* update Nr */
1144  vec_free (sa->r_nonce);
1145  vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE);
1146  child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
1147  if (child_sa)
1148  {
1149  child_sa->rekey_retries = 0;
1150  }
1151  }
1152  else if (rekeying)
1153  {
1154  ikev2_rekey_t *rekey;
1155  child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
1156  if (!child_sa)
1157  {
1158  clib_warning ("child SA spi %lx not found", n->spi);
1159  goto cleanup_and_exit;
1160  }
1161  vec_add2 (sa->rekey, rekey, 1);
1162  rekey->protocol_id = n->protocol_id;
1163  rekey->spi = n->spi;
1164  rekey->i_proposal = proposal;
1165  rekey->r_proposal =
1166  ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
1167  rekey->tsi = tsi;
1168  rekey->tsr = tsr;
1169  /* update Ni */
1170  vec_free (sa->i_nonce);
1171  vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE);
1172  /* generate new Nr */
1173  vec_free (sa->r_nonce);
1174  sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
1175  RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
1176  }
1177 
1178 cleanup_and_exit:
1179  vec_free (plaintext);
1180  vec_free (n);
1181 }
1182 
1183 static u8 *
1184 ikev2_sa_generate_authmsg (ikev2_sa_t * sa, int is_responder)
1185 {
1186  u8 *authmsg = 0;
1187  u8 *data;
1188  u8 *nonce;
1189  ikev2_id_t *id;
1190  u8 *key;
1191  u8 *packet_data;
1192  ikev2_sa_transform_t *tr_prf;
1193 
1194  tr_prf =
1195  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1196 
1197  if (is_responder)
1198  {
1199  id = &sa->r_id;
1200  key = sa->sk_pr;
1201  nonce = sa->i_nonce;
1202  packet_data = sa->last_sa_init_res_packet_data;
1203  }
1204  else
1205  {
1206  id = &sa->i_id;
1207  key = sa->sk_pi;
1208  nonce = sa->r_nonce;
1209  packet_data = sa->last_sa_init_req_packet_data;
1210  }
1211 
1212  data = vec_new (u8, 4);
1213  data[0] = id->type;
1214  vec_append (data, id->data);
1215 
1216  u8 *id_hash = ikev2_calc_prf (tr_prf, key, data);
1217  vec_append (authmsg, packet_data);
1218  vec_append (authmsg, nonce);
1219  vec_append (authmsg, id_hash);
1220  vec_free (id_hash);
1221  vec_free (data);
1222 
1223  return authmsg;
1224 }
1225 
1226 static int
1227 ikev2_ts_cmp (ikev2_ts_t * ts1, ikev2_ts_t * ts2)
1228 {
1229  if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id &&
1230  ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port &&
1231  ts1->start_addr.as_u32 == ts2->start_addr.as_u32 &&
1232  ts1->end_addr.as_u32 == ts2->end_addr.as_u32)
1233  return 1;
1234 
1235  return 0;
1236 }
1237 
1238 static void
1239 ikev2_sa_match_ts (ikev2_sa_t * sa)
1240 {
1241  ikev2_main_t *km = &ikev2_main;
1242  ikev2_profile_t *p;
1243  ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1244  ikev2_id_t *id;
1245 
1246  /* *INDENT-OFF* */
1247  pool_foreach (p, km->profiles, ({
1248 
1249  if (sa->is_initiator)
1250  {
1251  p_tsi = &p->loc_ts;
1252  p_tsr = &p->rem_ts;
1253  id = &sa->r_id;
1254  }
1255  else
1256  {
1257  p_tsi = &p->rem_ts;
1258  p_tsr = &p->loc_ts;
1259  id = &sa->i_id;
1260  }
1261 
1262  /* check id */
1263  if (p->rem_id.type != id->type ||
1264  vec_len(p->rem_id.data) != vec_len(id->data) ||
1265  memcmp(p->rem_id.data, id->data, vec_len(p->rem_id.data)))
1266  continue;
1267 
1268  vec_foreach(ts, sa->childs[0].tsi)
1269  {
1270  if (ikev2_ts_cmp(p_tsi, ts))
1271  {
1272  tsi = vec_dup(ts);
1273  break;
1274  }
1275  }
1276 
1277  vec_foreach(ts, sa->childs[0].tsr)
1278  {
1279  if (ikev2_ts_cmp(p_tsr, ts))
1280  {
1281  tsr = vec_dup(ts);
1282  break;
1283  }
1284  }
1285 
1286  break;
1287  }));
1288  /* *INDENT-ON* */
1289 
1290  if (tsi && tsr)
1291  {
1292  vec_free (sa->childs[0].tsi);
1293  vec_free (sa->childs[0].tsr);
1294  sa->childs[0].tsi = tsi;
1295  sa->childs[0].tsr = tsr;
1296  }
1297  else
1298  {
1299  vec_free (tsi);
1300  vec_free (tsr);
1301  ikev2_set_state (sa, IKEV2_STATE_TS_UNACCEPTABLE);
1302  }
1303 }
1304 
1305 static void
1306 ikev2_sa_auth (ikev2_sa_t * sa)
1307 {
1308  ikev2_main_t *km = &ikev2_main;
1309  ikev2_profile_t *p, *sel_p = 0;
1310  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1311  ikev2_sa_transform_t *tr_prf;
1312 
1313  tr_prf =
1314  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1315 
1316  /* only shared key and rsa signature */
1317  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1318  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1319  {
1320  clib_warning ("unsupported authentication method %u",
1321  sa->i_auth.method);
1322  ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1323  return;
1324  }
1325 
1326  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1327  authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
1328 
1329  ikev2_id_t *sa_id;
1330  ikev2_auth_t *sa_auth;
1331 
1332  if (sa->is_initiator)
1333  {
1334  sa_id = &sa->r_id;
1335  sa_auth = &sa->r_auth;
1336  }
1337  else
1338  {
1339  sa_id = &sa->i_id;
1340  sa_auth = &sa->i_auth;
1341  }
1342 
1343  /* *INDENT-OFF* */
1344  pool_foreach (p, km->profiles, ({
1345 
1346  /* check id */
1347  if (p->rem_id.type != sa_id->type ||
1348  vec_len(p->rem_id.data) != vec_len(sa_id->data) ||
1349  memcmp(p->rem_id.data, sa_id->data, vec_len(p->rem_id.data)))
1350  continue;
1351 
1352  if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1353  {
1354  if (!p->auth.data ||
1355  p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1356  continue;
1357 
1358  psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
1359  auth = ikev2_calc_prf(tr_prf, psk, authmsg);
1360 
1361  if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
1362  {
1363  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1364  vec_free(auth);
1365  sel_p = p;
1366  break;
1367  }
1368 
1369  }
1370  else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
1371  {
1372  if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1373  continue;
1374 
1375  if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
1376  {
1377  ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1378  sel_p = p;
1379  break;
1380  }
1381  }
1382 
1383  vec_free(auth);
1384  vec_free(psk);
1385  }));
1386  /* *INDENT-ON* */
1387 
1388  vec_free (authmsg);
1389 
1390  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1391  {
1392  if (!sa->is_initiator)
1393  {
1394  vec_free (sa->r_id.data);
1395  sa->r_id.data = vec_dup (sel_p->loc_id.data);
1396  sa->r_id.type = sel_p->loc_id.type;
1397 
1398  /* generate our auth data */
1399  authmsg = ikev2_sa_generate_authmsg (sa, 1);
1400  if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1401  {
1402  sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1403  sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1404  }
1405  else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1406  {
1407  sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1408  sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1409  }
1410  vec_free (authmsg);
1411 
1412  /* select transforms for 1st child sa */
1413  ikev2_sa_free_proposal_vector (&sa->childs[0].r_proposals);
1414  sa->childs[0].r_proposals =
1415  ikev2_select_proposal (sa->childs[0].i_proposals,
1416  IKEV2_PROTOCOL_ESP);
1417  }
1418  }
1419  else
1420  {
1421  ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1422  }
1423  vec_free (psk);
1424  vec_free (key_pad);
1425 }
1426 
1427 
1428 static void
1429 ikev2_sa_auth_init (ikev2_sa_t * sa)
1430 {
1431  ikev2_main_t *km = &ikev2_main;
1432  u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
1433  ikev2_sa_transform_t *tr_prf;
1434 
1435  tr_prf =
1436  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1437 
1438  /* only shared key and rsa signature */
1439  if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1440  sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1441  {
1442  clib_warning ("unsupported authentication method %u",
1443  sa->i_auth.method);
1444  ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1445  return;
1446  }
1447 
1448  key_pad = format (0, "%s", IKEV2_KEY_PAD);
1449  authmsg = ikev2_sa_generate_authmsg (sa, 0);
1450  psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
1451  auth = ikev2_calc_prf (tr_prf, psk, authmsg);
1452 
1453 
1454  if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1455  {
1456  sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
1457  sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1458  }
1459  else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1460  {
1461  sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg);
1462  sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1463  }
1464 
1465  vec_free (psk);
1466  vec_free (key_pad);
1467  vec_free (auth);
1468  vec_free (authmsg);
1469 }
1470 
1471 
1472 static int
1473 ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
1474  ikev2_child_sa_t * child)
1475 {
1476  ipsec_add_del_tunnel_args_t a;
1477  ikev2_sa_transform_t *tr;
1478  ikev2_sa_proposal_t *proposals;
1479  u8 encr_type = 0;
1480 
1481  if (!child->r_proposals)
1482  {
1483  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1484  return 1;
1485  }
1486 
1487  memset (&a, 0, sizeof (a));
1488  a.is_add = 1;
1489  if (sa->is_initiator)
1490  {
1491  a.local_ip.as_u32 = sa->iaddr.as_u32;
1492  a.remote_ip.as_u32 = sa->raddr.as_u32;
1493  proposals = child->i_proposals;
1494  a.local_spi = child->r_proposals[0].spi;
1495  a.remote_spi = child->i_proposals[0].spi;
1496  }
1497  else
1498  {
1499  a.local_ip.as_u32 = sa->raddr.as_u32;
1500  a.remote_ip.as_u32 = sa->iaddr.as_u32;
1501  proposals = child->r_proposals;
1502  a.local_spi = child->i_proposals[0].spi;
1503  a.remote_spi = child->r_proposals[0].spi;
1504  }
1505  a.anti_replay = 1;
1506 
1507  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN);
1508  if (tr)
1509  a.esn = tr->esn_type;
1510  else
1511  a.esn = 0;
1512 
1513  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1514  if (tr)
1515  {
1516  if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len)
1517  {
1518  switch (tr->key_len)
1519  {
1520  case 16:
1521  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
1522  break;
1523  case 24:
1524  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
1525  break;
1526  case 32:
1527  encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
1528  break;
1529  default:
1530  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1531  return 1;
1532  break;
1533  }
1534  }
1535  else
1536  {
1537  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1538  return 1;
1539  }
1540  }
1541  else
1542  {
1543  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1544  return 1;
1545  }
1546 
1547  tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1548  if (tr)
1549  {
1550  if (tr->integ_type != IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
1551  {
1552  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1553  return 1;
1554  }
1555  }
1556  else
1557  {
1558  ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
1559  return 1;
1560  }
1561 
1562  ikev2_calc_child_keys (sa, child);
1563 
1564  u8 *loc_ckey, *rem_ckey, *loc_ikey, *rem_ikey;
1565  if (sa->is_initiator)
1566  {
1567  loc_ikey = child->sk_ai;
1568  rem_ikey = child->sk_ar;
1569  loc_ckey = child->sk_ei;
1570  rem_ckey = child->sk_er;
1571  }
1572  else
1573  {
1574  loc_ikey = child->sk_ar;
1575  rem_ikey = child->sk_ai;
1576  loc_ckey = child->sk_er;
1577  rem_ckey = child->sk_ei;
1578  }
1579 
1580  a.integ_alg = IPSEC_INTEG_ALG_SHA1_96;
1581  a.local_integ_key_len = vec_len (loc_ikey);
1582  clib_memcpy (a.local_integ_key, loc_ikey, a.local_integ_key_len);
1583  a.remote_integ_key_len = vec_len (rem_ikey);
1584  clib_memcpy (a.remote_integ_key, rem_ikey, a.remote_integ_key_len);
1585 
1586  a.crypto_alg = encr_type;
1587  a.local_crypto_key_len = vec_len (loc_ckey);
1588  clib_memcpy (a.local_crypto_key, loc_ckey, a.local_crypto_key_len);
1589  a.remote_crypto_key_len = vec_len (rem_ckey);
1590  clib_memcpy (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
1591 
1592  if (sa->profile && sa->profile->lifetime)
1593  {
1594  child->time_to_expiration = vlib_time_now (vnm->vlib_main)
1595  + sa->profile->lifetime;
1596  if (sa->profile->lifetime_jitter)
1597  {
1598  child->time_to_expiration +=
1599  1 + (rand () % sa->profile->lifetime_jitter);
1600  }
1601  }
1602 
1603  ipsec_add_del_tunnel_if (&a);
1604 
1605  return 0;
1606 }
1607 
1608 static int
1609 ikev2_delete_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
1610  ikev2_child_sa_t * child)
1611 {
1612  ipsec_add_del_tunnel_args_t a;
1613 
1614  if (sa->is_initiator)
1615  {
1616  if (!vec_len (child->i_proposals))
1617  return 0;
1618 
1619  a.is_add = 0;
1620  a.local_ip.as_u32 = sa->iaddr.as_u32;
1621  a.remote_ip.as_u32 = sa->raddr.as_u32;
1622  a.local_spi = child->r_proposals[0].spi;
1623  a.remote_spi = child->i_proposals[0].spi;
1624  }
1625  else
1626  {
1627  if (!vec_len (child->r_proposals))
1628  return 0;
1629 
1630  a.is_add = 0;
1631  a.local_ip.as_u32 = sa->raddr.as_u32;
1632  a.remote_ip.as_u32 = sa->iaddr.as_u32;
1633  a.local_spi = child->i_proposals[0].spi;
1634  a.remote_spi = child->r_proposals[0].spi;
1635  }
1636 
1637  ipsec_add_del_tunnel_if (&a);
1638  return 0;
1639 }
1640 
1641 static u32
1642 ikev2_generate_message (ikev2_sa_t * sa, ike_header_t * ike, void *user)
1643 {
1644  v8 *integ = 0;
1645  ike_payload_header_t *ph;
1646  u16 plen;
1647  u32 tlen = 0;
1648 
1649  ikev2_sa_transform_t *tr_encr, *tr_integ;
1650  tr_encr =
1651  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
1652  tr_integ =
1653  ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
1654 
1655  ikev2_payload_chain_t *chain = 0;
1656  ikev2_payload_new_chain (chain);
1657 
1658  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1659  {
1660  if (sa->r_proposals == 0)
1661  {
1662  ikev2_payload_add_notify (chain,
1663  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1664  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1665  }
1666  else if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
1667  {
1668  u8 *data = vec_new (u8, 2);
1669  ikev2_sa_transform_t *tr_dh;
1670  tr_dh =
1671  ikev2_sa_get_td_for_type (sa->r_proposals,
1672  IKEV2_TRANSFORM_TYPE_DH);
1673  ASSERT (tr_dh && tr_dh->dh_type);
1674 
1675  data[0] = (tr_dh->dh_type >> 8) & 0xff;
1676  data[1] = (tr_dh->dh_type) & 0xff;
1677 
1678  ikev2_payload_add_notify (chain,
1679  IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD,
1680  data);
1681  vec_free (data);
1682  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1683  }
1684  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1685  {
1686  u8 *data = vec_new (u8, 1);
1687 
1688  data[0] = sa->unsupported_cp;
1689  ikev2_payload_add_notify (chain,
1690  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1691  data);
1692  vec_free (data);
1693  }
1694  else
1695  {
1696  ike->rspi = clib_host_to_net_u64 (sa->rspi);
1697  ikev2_payload_add_sa (chain, sa->r_proposals);
1698  ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data);
1699  ikev2_payload_add_nonce (chain, sa->r_nonce);
1700  }
1701  }
1702  else if (ike->exchange == IKEV2_EXCHANGE_IKE_AUTH)
1703  {
1704  if (sa->state == IKEV2_STATE_AUTHENTICATED)
1705  {
1706  ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
1707  ikev2_payload_add_auth (chain, &sa->r_auth);
1708  ikev2_payload_add_sa (chain, sa->childs[0].r_proposals);
1709  ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
1710  ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
1711  }
1712  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1713  {
1714  ikev2_payload_add_notify (chain,
1715  IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
1716  0);
1717  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1718  }
1719  else if (sa->state == IKEV2_STATE_TS_UNACCEPTABLE)
1720  {
1721  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_TS_UNACCEPTABLE,
1722  0);
1723  ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
1724  ikev2_payload_add_auth (chain, &sa->r_auth);
1725  }
1726  else if (sa->state == IKEV2_STATE_NO_PROPOSAL_CHOSEN)
1727  {
1728  ikev2_payload_add_notify (chain,
1729  IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
1730  ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
1731  ikev2_payload_add_auth (chain, &sa->r_auth);
1732  ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
1733  ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
1734  }
1735  else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
1736  {
1737  u8 *data = vec_new (u8, 1);
1738 
1739  data[0] = sa->unsupported_cp;
1740  ikev2_payload_add_notify (chain,
1741  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1742  data);
1743  vec_free (data);
1744  }
1745  else if (sa->state == IKEV2_STATE_SA_INIT)
1746  {
1747  ikev2_payload_add_id (chain, &sa->i_id, IKEV2_PAYLOAD_IDI);
1748  ikev2_payload_add_auth (chain, &sa->i_auth);
1749  ikev2_payload_add_sa (chain, sa->childs[0].i_proposals);
1750  ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
1751  ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
1752  }
1753  else
1754  {
1755  ikev2_set_state (sa, IKEV2_STATE_DELETED);
1756  goto done;
1757  }
1758  }
1759  else if (ike->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
1760  {
1761  /* if pending delete */
1762  if (sa->del)
1763  {
1764  if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE)
1765  {
1766  if (sa->is_initiator)
1767  ikev2_payload_add_delete (chain, sa->del);
1768 
1769  /* The response to a request that deletes the IKE SA is an empty
1770  INFORMATIONAL response. */
1771  ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1772  }
1773  /* The response to a request that deletes ESP or AH SAs will contain
1774  delete payloads for the paired SAs going in the other direction. */
1775  else
1776  {
1777  ikev2_payload_add_delete (chain, sa->del);
1778  }
1779  vec_free (sa->del);
1780  sa->del = 0;
1781  }
1782  /* received N(AUTHENTICATION_FAILED) */
1783  else if (sa->state == IKEV2_STATE_AUTH_FAILED)
1784  {
1785  ikev2_set_state (sa, IKEV2_STATE_DELETED);
1786  goto done;
1787  }
1788  /* received unsupported critical payload */
1789  else if (sa->unsupported_cp)
1790  {
1791  u8 *data = vec_new (u8, 1);
1792 
1793  data[0] = sa->unsupported_cp;
1794  ikev2_payload_add_notify (chain,
1795  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1796  data);
1797  vec_free (data);
1798  sa->unsupported_cp = 0;
1799  }
1800  /* else send empty response */
1801  }
1802  else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
1803  {
1804  if (sa->is_initiator)
1805  {
1806 
1807  ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user;
1808  ikev2_notify_t notify;
1809  u8 *data = vec_new (u8, 4);
1810  memset (&notify, 0, sizeof (notify));
1811  notify.protocol_id = IKEV2_PROTOCOL_ESP;
1812  notify.spi = sa->childs[0].i_proposals->spi;
1813  *(u32 *) data = clib_host_to_net_u32 (notify.spi);
1814 
1815  ikev2_payload_add_sa (chain, proposals);
1816  ikev2_payload_add_nonce (chain, sa->i_nonce);
1817  ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
1818  ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
1819  ikev2_payload_add_notify_2 (chain, IKEV2_NOTIFY_MSG_REKEY_SA, data,
1820  &notify);
1821 
1822  vec_free (data);
1823  }
1824  else
1825  {
1826  if (sa->rekey)
1827  {
1828  ikev2_payload_add_sa (chain, sa->rekey[0].r_proposal);
1829  ikev2_payload_add_nonce (chain, sa->r_nonce);
1830  ikev2_payload_add_ts (chain, sa->rekey[0].tsi,
1831  IKEV2_PAYLOAD_TSI);
1832  ikev2_payload_add_ts (chain, sa->rekey[0].tsr,
1833  IKEV2_PAYLOAD_TSR);
1834  vec_del1 (sa->rekey, 0);
1835  }
1836  else if (sa->unsupported_cp)
1837  {
1838  u8 *data = vec_new (u8, 1);
1839 
1840  data[0] = sa->unsupported_cp;
1841  ikev2_payload_add_notify (chain,
1842  IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
1843  data);
1844  vec_free (data);
1845  sa->unsupported_cp = 0;
1846  }
1847  else
1848  {
1849  ikev2_payload_add_notify (chain,
1850  IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
1851  0);
1852  }
1853  }
1854  }
1855 
1856  /* IKEv2 header */
1857  ike->version = IKE_VERSION_2;
1858  ike->nextpayload = IKEV2_PAYLOAD_SK;
1859  tlen = sizeof (*ike);
1860  if (sa->is_initiator)
1861  {
1862  ike->flags = IKEV2_HDR_FLAG_INITIATOR;
1863  sa->last_init_msg_id = clib_net_to_host_u32 (ike->msgid);
1864  }
1865  else
1866  {
1867  ike->flags = IKEV2_HDR_FLAG_RESPONSE;
1868  }
1869 
1870 
1871  if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
1872  {
1873  tlen += vec_len (chain->data);
1874  ike->nextpayload = chain->first_payload_type;
1875  ike->length = clib_host_to_net_u32 (tlen);
1876  clib_memcpy (ike->payload, chain->data, vec_len (chain->data));
1877 
1878  /* store whole IKE payload - needed for PSK auth */
1879  vec_free (sa->last_sa_init_res_packet_data);
1880  vec_add (sa->last_sa_init_res_packet_data, ike, tlen);
1881  }
1882  else
1883  {
1884 
1885  ikev2_payload_chain_add_padding (chain, tr_encr->block_size);
1886 
1887  /* SK payload */
1888  plen = sizeof (*ph);
1889  ph = (ike_payload_header_t *) & ike->payload[0];
1890  ph->nextpayload = chain->first_payload_type;
1891  ph->flags = 0;
1892  int enc_len = ikev2_encrypt_data (sa, chain->data, ph->payload);
1893  plen += enc_len;
1894 
1895  /* add space for hmac */
1896  plen += tr_integ->key_trunc;
1897  tlen += plen;
1898 
1899  /* payload and total length */
1900  ph->length = clib_host_to_net_u16 (plen);
1901  ike->length = clib_host_to_net_u32 (tlen);
1902 
1903  /* calc integrity data for whole packet except hash itself */
1904  integ =
1905  ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ai : sa->sk_ar,
1906  (u8 *) ike, tlen - tr_integ->key_trunc);
1907 
1908  clib_memcpy (ike->payload + tlen - tr_integ->key_trunc - sizeof (*ike),
1909  integ, tr_integ->key_trunc);
1910 
1911  /* store whole IKE payload - needed for retransmit */
1912  vec_free (sa->last_res_packet_data);
1913  vec_add (sa->last_res_packet_data, ike, tlen);
1914  }
1915 
1916 done:
1917  ikev2_payload_destroy_chain (chain);
1918  vec_free (integ);
1919  return tlen;
1920 }
1921 
1922 static int
1923 ikev2_retransmit_sa_init (ike_header_t * ike,
1924  ip4_address_t iaddr, ip4_address_t raddr)
1925 {
1926  ikev2_main_t *km = &ikev2_main;
1927  ikev2_sa_t *sa;
1928  u32 thread_index = vlib_get_thread_index ();
1929 
1930  /* *INDENT-OFF* */
1931  pool_foreach (sa, km->per_thread_data[thread_index].sas, ({
1932  if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
1933  sa->iaddr.as_u32 == iaddr.as_u32 &&
1934  sa->raddr.as_u32 == raddr.as_u32)
1935  {
1936  int p = 0;
1937  u32 len = clib_net_to_host_u32(ike->length);
1938  u8 payload = ike->nextpayload;
1939 
1940  while (p < len && payload!= IKEV2_PAYLOAD_NONE) {
1941  ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
1942  u32 plen = clib_net_to_host_u16(ikep->length);
1943 
1944  if (plen < sizeof(ike_payload_header_t))
1945  return -1;
1946 
1947  if (payload == IKEV2_PAYLOAD_NONCE)
1948  {
1949  if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
1950  {
1951  /* req is retransmit */
1952  if (sa->state == IKEV2_STATE_SA_INIT)
1953  {
1954  ike_header_t * tmp;
1955  tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
1956  ike->ispi = tmp->ispi;
1957  ike->rspi = tmp->rspi;
1958  ike->nextpayload = tmp->nextpayload;
1959  ike->version = tmp->version;
1960  ike->exchange = tmp->exchange;
1961  ike->flags = tmp->flags;
1962  ike->msgid = tmp->msgid;
1963  ike->length = tmp->length;
1964  clib_memcpy(ike->payload, tmp->payload,
1965  clib_net_to_host_u32(tmp->length) - sizeof(*ike));
1966  clib_warning("IKE_SA_INIT retransmit from %U to %U",
1967  format_ip4_address, &raddr,
1968  format_ip4_address, &iaddr);
1969  return 1;
1970  }
1971  /* else ignore req */
1972  else
1973  {
1974  clib_warning("IKE_SA_INIT ignore from %U to %U",
1975  format_ip4_address, &raddr,
1976  format_ip4_address, &iaddr);
1977  return -1;
1978  }
1979  }
1980  }
1981  payload = ikep->nextpayload;
1982  p+=plen;
1983  }
1984  }
1985  }));
1986  /* *INDENT-ON* */
1987 
1988  /* req is not retransmit */
1989  return 0;
1990 }
1991 
1992 static int
1993 ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
1994 {
1995  u32 msg_id = clib_net_to_host_u32 (ike->msgid);
1996 
1997  /* new req */
1998  if (msg_id > sa->last_msg_id)
1999  {
2000  sa->last_msg_id = msg_id;
2001  return 0;
2002  }
2003  /* retransmitted req */
2004  else if (msg_id == sa->last_msg_id)
2005  {
2006  ike_header_t *tmp;
2007  tmp = (ike_header_t *) sa->last_res_packet_data;
2008  ike->ispi = tmp->ispi;
2009  ike->rspi = tmp->rspi;
2010  ike->nextpayload = tmp->nextpayload;
2011  ike->version = tmp->version;
2012  ike->exchange = tmp->exchange;
2013  ike->flags = tmp->flags;
2014  ike->msgid = tmp->msgid;
2015  ike->length = tmp->length;
2016  clib_memcpy (ike->payload, tmp->payload,
2017  clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
2018  clib_warning ("IKE msgid %u retransmit from %U to %U",
2019  msg_id,
2020  format_ip4_address, &sa->raddr,
2021  format_ip4_address, &sa->iaddr);
2022  return 1;
2023  }
2024  /* old req ignore */
2025  else
2026  {
2027  clib_warning ("IKE msgid %u req ignore from %U to %U",
2028  msg_id,
2029  format_ip4_address, &sa->raddr,
2030  format_ip4_address, &sa->iaddr);
2031  return -1;
2032  }
2033 }
2034 
2035 static uword
2036 ikev2_node_fn (vlib_main_t * vm,
2037  vlib_node_runtime_t * node, vlib_frame_t * frame)
2038 {
2039  u32 n_left_from, *from, *to_next;
2040  ikev2_next_t next_index;
2041  ikev2_main_t *km = &ikev2_main;
2042  u32 thread_index = vlib_get_thread_index ();
2043 
2044  from = vlib_frame_vector_args (frame);
2045  n_left_from = frame->n_vectors;
2046  next_index = node->cached_next_index;
2047 
2048  while (n_left_from > 0)
2049  {
2050  u32 n_left_to_next;
2051 
2052  vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2053 
2054  while (n_left_from > 0 && n_left_to_next > 0)
2055  {
2056  u32 bi0;
2057  vlib_buffer_t *b0;
2058  u32 next0 = IKEV2_NEXT_ERROR_DROP;
2059  u32 sw_if_index0;
2060  ip4_header_t *ip40;
2061  udp_header_t *udp0;
2062  ike_header_t *ike0;
2063  ikev2_sa_t *sa0 = 0;
2064  ikev2_sa_t sa; /* temporary store for SA */
2065  int len = 0;
2066  int r;
2067 
2068  /* speculatively enqueue b0 to the current next frame */
2069  bi0 = from[0];
2070  to_next[0] = bi0;
2071  from += 1;
2072  to_next += 1;
2073  n_left_from -= 1;
2074  n_left_to_next -= 1;
2075 
2076  b0 = vlib_get_buffer (vm, bi0);
2077  ike0 = vlib_buffer_get_current (b0);
2078  vlib_buffer_advance (b0, -sizeof (*udp0));
2079  udp0 = vlib_buffer_get_current (b0);
2080  vlib_buffer_advance (b0, -sizeof (*ip40));
2081  ip40 = vlib_buffer_get_current (b0);
2082 
2083  if (ike0->version != IKE_VERSION_2)
2084  {
2085  vlib_node_increment_counter (vm, ikev2_node.index,
2086  IKEV2_ERROR_NOT_IKEV2, 1);
2087  goto dispatch0;
2088  }
2089 
2090  if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
2091  {
2092  sa0 = &sa;
2093  memset (sa0, 0, sizeof (*sa0));
2094 
2095  if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR)
2096  {
2097  if (ike0->rspi == 0)
2098  {
2099  sa0->raddr.as_u32 = ip40->dst_address.as_u32;
2100  sa0->iaddr.as_u32 = ip40->src_address.as_u32;
2101 
2102  r = ikev2_retransmit_sa_init (ike0, sa0->iaddr,
2103  sa0->raddr);
2104  if (r == 1)
2105  {
2106  vlib_node_increment_counter (vm, ikev2_node.index,
2107  IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
2108  1);
2109  len = clib_net_to_host_u32 (ike0->length);
2110  goto dispatch0;
2111  }
2112  else if (r == -1)
2113  {
2114  vlib_node_increment_counter (vm, ikev2_node.index,
2115  IKEV2_ERROR_IKE_SA_INIT_IGNORE,
2116  1);
2117  goto dispatch0;
2118  }
2119 
2120  ikev2_process_sa_init_req (vm, sa0, ike0);
2121 
2122  if (sa0->state == IKEV2_STATE_SA_INIT)
2123  {
2124  ikev2_sa_free_proposal_vector (&sa0->r_proposals);
2125  sa0->r_proposals =
2126  ikev2_select_proposal (sa0->i_proposals,
2127  IKEV2_PROTOCOL_IKE);
2128  ikev2_generate_sa_init_data (sa0);
2129  }
2130 
2131  if (sa0->state == IKEV2_STATE_SA_INIT
2132  || sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE)
2133  {
2134  len = ikev2_generate_message (sa0, ike0, 0);
2135  }
2136 
2137  if (sa0->state == IKEV2_STATE_SA_INIT)
2138  {
2139  /* add SA to the pool */
2140  pool_get (km->per_thread_data[thread_index].sas,
2141  sa0);
2142  clib_memcpy (sa0, &sa, sizeof (*sa0));
2143  hash_set (km->
2144  per_thread_data[thread_index].sa_by_rspi,
2145  sa0->rspi,
2146  sa0 -
2147  km->per_thread_data[thread_index].sas);
2148  }
2149  else
2150  {
2151  ikev2_sa_free_all_vec (sa0);
2152  }
2153  }
2154  }
2155  else
2156  {
2157  ikev2_process_sa_init_resp (vm, sa0, ike0);
2158 
2159  if (sa0->state == IKEV2_STATE_SA_INIT)
2160  {
2161  ike0->exchange = IKEV2_EXCHANGE_IKE_AUTH;
2162  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2163  if (p)
2164  {
2165  ikev2_sa_t *sai =
2166  pool_elt_at_index (km->sais, p[0]);
2167 
2168  ikev2_complete_sa_data (sa0, sai);
2169  ikev2_calc_keys (sa0);
2170  ikev2_sa_auth_init (sa0);
2171  len = ikev2_generate_message (sa0, ike0, 0);
2172  }
2173  }
2174 
2175  if (sa0->state == IKEV2_STATE_SA_INIT)
2176  {
2177  /* add SA to the pool */
2178  pool_get (km->per_thread_data[thread_index].sas, sa0);
2179  clib_memcpy (sa0, &sa, sizeof (*sa0));
2180  hash_set (km->per_thread_data[thread_index].sa_by_rspi,
2181  sa0->rspi,
2182  sa0 - km->per_thread_data[thread_index].sas);
2183  }
2184  else
2185  {
2186  ikev2_sa_free_all_vec (sa0);
2187  }
2188  }
2189  }
2190  else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH)
2191  {
2192  uword *p;
2193  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2194  clib_net_to_host_u64 (ike0->rspi));
2195  if (p)
2196  {
2197  sa0 =
2198  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2199  p[0]);
2200 
2201  r = ikev2_retransmit_resp (sa0, ike0);
2202  if (r == 1)
2203  {
2204  vlib_node_increment_counter (vm, ikev2_node.index,
2205  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2206  1);
2207  len = clib_net_to_host_u32 (ike0->length);
2208  goto dispatch0;
2209  }
2210  else if (r == -1)
2211  {
2212  vlib_node_increment_counter (vm, ikev2_node.index,
2213  IKEV2_ERROR_IKE_REQ_IGNORE,
2214  1);
2215  goto dispatch0;
2216  }
2217 
2218  ikev2_process_auth_req (vm, sa0, ike0);
2219  ikev2_sa_auth (sa0);
2220  if (sa0->state == IKEV2_STATE_AUTHENTICATED)
2221  {
2222  ikev2_initial_contact_cleanup (sa0);
2223  ikev2_sa_match_ts (sa0);
2224  if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE)
2225  ikev2_create_tunnel_interface (km->vnet_main, sa0,
2226  &sa0->childs[0]);
2227  }
2228 
2229  if (sa0->is_initiator)
2230  {
2231  uword *p = hash_get (km->sa_by_ispi, ike0->ispi);
2232  if (p)
2233  {
2234  ikev2_sa_t *sai =
2235  pool_elt_at_index (km->sais, p[0]);
2236  hash_unset (km->sa_by_ispi, sai->ispi);
2237  ikev2_sa_free_all_vec (sai);
2238  pool_put (km->sais, sai);
2239  }
2240  }
2241  else
2242  {
2243  len = ikev2_generate_message (sa0, ike0, 0);
2244  }
2245  }
2246  }
2247  else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
2248  {
2249  uword *p;
2250  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2251  clib_net_to_host_u64 (ike0->rspi));
2252  if (p)
2253  {
2254  sa0 =
2255  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2256  p[0]);
2257 
2258  r = ikev2_retransmit_resp (sa0, ike0);
2259  if (r == 1)
2260  {
2261  vlib_node_increment_counter (vm, ikev2_node.index,
2262  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2263  1);
2264  len = clib_net_to_host_u32 (ike0->length);
2265  goto dispatch0;
2266  }
2267  else if (r == -1)
2268  {
2269  vlib_node_increment_counter (vm, ikev2_node.index,
2270  IKEV2_ERROR_IKE_REQ_IGNORE,
2271  1);
2272  goto dispatch0;
2273  }
2274 
2275  ikev2_process_informational_req (vm, sa0, ike0);
2276  if (sa0->del)
2277  {
2278  if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE)
2279  {
2280  ikev2_delete_t *d, *tmp, *resp = 0;
2281  vec_foreach (d, sa0->del)
2282  {
2283  ikev2_child_sa_t *ch_sa;
2284  ch_sa = ikev2_sa_get_child (sa0, d->spi,
2285  d->protocol_id,
2286  !sa0->is_initiator);
2287  if (ch_sa)
2288  {
2289  ikev2_delete_tunnel_interface (km->vnet_main,
2290  sa0, ch_sa);
2291  if (!sa0->is_initiator)
2292  {
2293  vec_add2 (resp, tmp, 1);
2294  tmp->protocol_id = d->protocol_id;
2295  tmp->spi = ch_sa->r_proposals[0].spi;
2296  }
2297  ikev2_sa_del_child_sa (sa0, ch_sa);
2298  }
2299  }
2300  if (!sa0->is_initiator)
2301  {
2302  vec_free (sa0->del);
2303  sa0->del = resp;
2304  }
2305  }
2306  }
2307  if (!sa0->is_initiator)
2308  {
2309  len = ikev2_generate_message (sa0, ike0, 0);
2310  }
2311  }
2312  }
2313  else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
2314  {
2315  uword *p;
2316  p = hash_get (km->per_thread_data[thread_index].sa_by_rspi,
2317  clib_net_to_host_u64 (ike0->rspi));
2318  if (p)
2319  {
2320  sa0 =
2321  pool_elt_at_index (km->per_thread_data[thread_index].sas,
2322  p[0]);
2323 
2324  r = ikev2_retransmit_resp (sa0, ike0);
2325  if (r == 1)
2326  {
2327  vlib_node_increment_counter (vm, ikev2_node.index,
2328  IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2329  1);
2330  len = clib_net_to_host_u32 (ike0->length);
2331  goto dispatch0;
2332  }
2333  else if (r == -1)
2334  {
2335  vlib_node_increment_counter (vm, ikev2_node.index,
2336  IKEV2_ERROR_IKE_REQ_IGNORE,
2337  1);
2338  goto dispatch0;
2339  }
2340 
2341  ikev2_process_create_child_sa_req (vm, sa0, ike0);
2342  if (sa0->rekey)
2343  {
2344  if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
2345  {
2346  ikev2_child_sa_t *child;
2347  vec_add2 (sa0->childs, child, 1);
2348  child->r_proposals = sa0->rekey[0].r_proposal;
2349  child->i_proposals = sa0->rekey[0].i_proposal;
2350  child->tsi = sa0->rekey[0].tsi;
2351  child->tsr = sa0->rekey[0].tsr;
2352  ikev2_create_tunnel_interface (km->vnet_main, sa0,
2353  child);
2354  }
2355  if (sa0->is_initiator)
2356  {
2357  vec_del1 (sa0->rekey, 0);
2358  }
2359  else
2360  {
2361  len = ikev2_generate_message (sa0, ike0, 0);
2362  }
2363  }
2364  }
2365  }
2366  else
2367  {
2368  clib_warning ("IKEv2 exchange %u packet received from %U to %U",
2369  ike0->exchange,
2370  format_ip4_address, ip40->src_address.as_u8,
2371  format_ip4_address, ip40->dst_address.as_u8);
2372  }
2373 
2374  dispatch0:
2375  /* if we are sending packet back, rewrite headers */
2376  if (len)
2377  {
2378  next0 = IKEV2_NEXT_IP4_LOOKUP;
2379  if (sa0->is_initiator)
2380  {
2381  ip40->dst_address.as_u32 = sa0->raddr.as_u32;
2382  ip40->src_address.as_u32 = sa0->iaddr.as_u32;
2383  }
2384  else
2385  {
2386  ip40->dst_address.as_u32 = sa0->iaddr.as_u32;
2387  ip40->src_address.as_u32 = sa0->raddr.as_u32;
2388  }
2389  udp0->length =
2390  clib_host_to_net_u16 (len + sizeof (udp_header_t));
2391  udp0->checksum = 0;
2392  b0->current_length =
2393  len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2394  ip40->length = clib_host_to_net_u16 (b0->current_length);
2395  ip40->checksum = ip4_header_checksum (ip40);
2396  }
2397  /* delete sa */
2398  if (sa0 && (sa0->state == IKEV2_STATE_DELETED ||
2399  sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE))
2400  {
2401  ikev2_child_sa_t *c;
2402 
2403  vec_foreach (c, sa0->childs)
2404  ikev2_delete_tunnel_interface (km->vnet_main, sa0, c);
2405 
2406  ikev2_delete_sa (sa0);
2407  }
2408  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2409 
2410  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2411  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2412  {
2413  ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
2414  t->sw_if_index = sw_if_index0;
2415  t->next_index = next0;
2416  }
2417 
2418  vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
2419  n_left_to_next, bi0, next0);
2420  }
2421 
2422  vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2423  }
2424 
2425  vlib_node_increment_counter (vm, ikev2_node.index,
2426  IKEV2_ERROR_PROCESSED, frame->n_vectors);
2427  return frame->n_vectors;
2428 }
2429 
2430 /* *INDENT-OFF* */
2431 VLIB_REGISTER_NODE (ikev2_node,static) = {
2432  .function = ikev2_node_fn,
2433  .name = "ikev2",
2434  .vector_size = sizeof (u32),
2435  .format_trace = format_ikev2_trace,
2436  .type = VLIB_NODE_TYPE_INTERNAL,
2437 
2438  .n_errors = ARRAY_LEN(ikev2_error_strings),
2439  .error_strings = ikev2_error_strings,
2440 
2441  .n_next_nodes = IKEV2_N_NEXT,
2442 
2443  .next_nodes = {
2444  [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
2445  [IKEV2_NEXT_ERROR_DROP] = "error-drop",
2446  },
2447 };
2448 /* *INDENT-ON* */
2449 
2450 
2451 static clib_error_t *
2452 ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
2453  ikev2_transforms_set * ts,
2454  ikev2_sa_proposal_t ** proposals, int is_ike)
2455 {
2456  clib_error_t *r;
2457  ikev2_main_t *km = &ikev2_main;
2458  ikev2_sa_proposal_t *proposal;
2459  vec_add2 (*proposals, proposal, 1);
2460  ikev2_sa_transform_t *td;
2461  int error;
2462 
2463  /* Encryption */
2464  error = 1;
2465  vec_foreach (td, km->supported_transforms)
2466  {
2467  if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
2468  && td->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC
2469  && td->key_len == ts->crypto_key_size / 8)
2470  {
2471  u16 attr[2];
2472  attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
2473  attr[1] = clib_host_to_net_u16 (td->key_len << 3);
2474  vec_add (td->attrs, (u8 *) attr, 4);
2475  vec_add1 (proposal->transforms, *td);
2476  td->attrs = 0;
2477 
2478  error = 0;
2479  break;
2480  }
2481  }
2482  if (error)
2483  {
2484  r = clib_error_return (0, "Unsupported algorithm");
2485  return r;
2486  }
2487 
2488  /* Integrity */
2489  error = 1;
2490  vec_foreach (td, km->supported_transforms)
2491  {
2492  if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
2493  && td->integ_type == IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96)
2494  {
2495  vec_add1 (proposal->transforms, *td);
2496  error = 0;
2497  break;
2498  }
2499  }
2500  if (error)
2501  {
2502  r = clib_error_return (0, "Unsupported algorithm");
2503  return r;
2504  }
2505 
2506  /* PRF */
2507  if (is_ike)
2508  {
2509  error = 1;
2510  vec_foreach (td, km->supported_transforms)
2511  {
2512  if (td->type == IKEV2_TRANSFORM_TYPE_PRF
2513  && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA1)
2514  {
2515  vec_add1 (proposal->transforms, *td);
2516  error = 0;
2517  break;
2518  }
2519  }
2520  if (error)
2521  {
2522  r = clib_error_return (0, "Unsupported algorithm");
2523  return r;
2524  }
2525  }
2526 
2527  /* DH */
2528  error = 1;
2529  vec_foreach (td, km->supported_transforms)
2530  {
2531  if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
2532  {
2533  vec_add1 (proposal->transforms, *td);
2534  if (is_ike)
2535  {
2536  sa->dh_group = td->dh_type;
2537  }
2538  error = 0;
2539  break;
2540  }
2541  }
2542  if (error)
2543  {
2544  r = clib_error_return (0, "Unsupported algorithm");
2545  return r;
2546  }
2547 
2548  if (!is_ike)
2549  {
2550  error = 1;
2551  vec_foreach (td, km->supported_transforms)
2552  {
2553  if (td->type == IKEV2_TRANSFORM_TYPE_ESN)
2554  {
2555  vec_add1 (proposal->transforms, *td);
2556  error = 0;
2557  break;
2558  }
2559  }
2560  if (error)
2561  {
2562  r = clib_error_return (0, "Unsupported algorithm");
2563  return r;
2564  }
2565  }
2566 
2567 
2568  return 0;
2569 }
2570 
2571 static ikev2_profile_t *
2572 ikev2_profile_index_by_name (u8 * name)
2573 {
2574  ikev2_main_t *km = &ikev2_main;
2575  uword *p;
2576 
2577  p = mhash_get (&km->profile_index_by_name, name);
2578  if (!p)
2579  return 0;
2580 
2581  return pool_elt_at_index (km->profiles, p[0]);
2582 }
2583 
2584 
2585 static void
2586 ikev2_send_ike (vlib_main_t * vm, ip4_address_t * src, ip4_address_t * dst,
2587  u32 bi0, u32 len)
2588 {
2589  ip4_header_t *ip40;
2590  udp_header_t *udp0;
2591  vlib_buffer_t *b0;
2592  vlib_frame_t *f;
2593  u32 *to_next;
2594 
2595  b0 = vlib_get_buffer (vm, bi0);
2596  vlib_buffer_advance (b0, -sizeof (udp_header_t));
2597  udp0 = vlib_buffer_get_current (b0);
2598  vlib_buffer_advance (b0, -sizeof (ip4_header_t));
2599  ip40 = vlib_buffer_get_current (b0);
2600 
2601 
2602  ip40->ip_version_and_header_length = 0x45;
2603  ip40->tos = 0;
2604  ip40->fragment_id = 0;
2605  ip40->flags_and_fragment_offset = 0;
2606  ip40->ttl = 0xff;
2607  ip40->protocol = IP_PROTOCOL_UDP;
2608  ip40->dst_address.as_u32 = dst->as_u32;
2609  ip40->src_address.as_u32 = src->as_u32;
2610  udp0->dst_port = clib_host_to_net_u16 (500);
2611  udp0->src_port = clib_host_to_net_u16 (500);
2612  udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t));
2613  udp0->checksum = 0;
2614  b0->current_length = len + sizeof (ip4_header_t) + sizeof (udp_header_t);
2615  ip40->length = clib_host_to_net_u16 (b0->current_length);
2616  ip40->checksum = ip4_header_checksum (ip40);
2617 
2618 
2619  /* send the request */
2620  f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
2621  to_next = vlib_frame_vector_args (f);
2622  to_next[0] = bi0;
2623  f->n_vectors = 1;
2624  vlib_put_frame_to_node (vm, ip4_lookup_node.index, f);
2625 
2626 }
2627 
2628 static u32
2629 ikev2_get_new_ike_header_buff (vlib_main_t * vm, ike_header_t ** ike)
2630 {
2631  u32 bi0;
2632  if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
2633  {
2634  *ike = 0;
2635  return 0;
2636  }
2637  vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
2638  *ike = vlib_buffer_get_current (b0);
2639  return bi0;
2640 }
2641 
2642 clib_error_t *
2643 ikev2_set_local_key (vlib_main_t * vm, u8 * file)
2644 {
2645  ikev2_main_t *km = &ikev2_main;
2646 
2647  km->pkey = ikev2_load_key_file (file);
2648  if (km->pkey == NULL)
2649  return clib_error_return (0, "load key '%s' failed", file);
2650 
2651  return 0;
2652 }
2653 
2654 clib_error_t *
2655 ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add)
2656 {
2657  ikev2_main_t *km = &ikev2_main;
2658  ikev2_profile_t *p;
2659 
2660  if (is_add)
2661  {
2662  if (ikev2_profile_index_by_name (name))
2663  return clib_error_return (0, "policy %v already exists", name);
2664 
2665  pool_get (km->profiles, p);
2666  memset (p, 0, sizeof (*p));
2667  p->name = vec_dup (name);
2668  p->responder.sw_if_index = ~0;
2669  uword index = p - km->profiles;
2670  mhash_set_mem (&km->profile_index_by_name, name, &index, 0);
2671  }
2672  else
2673  {
2674  p = ikev2_profile_index_by_name (name);
2675  if (!p)
2676  return clib_error_return (0, "policy %v does not exists", name);
2677 
2678  vec_free (p->name);
2679  pool_put (km->profiles, p);
2680  mhash_unset (&km->profile_index_by_name, name, 0);
2681  }
2682  return 0;
2683 }
2684 
2685 clib_error_t *
2686 ikev2_set_profile_auth (vlib_main_t * vm, u8 * name, u8 auth_method,
2687  u8 * auth_data, u8 data_hex_format)
2688 {
2689  ikev2_profile_t *p;
2690  clib_error_t *r;
2691 
2692  p = ikev2_profile_index_by_name (name);
2693 
2694  if (!p)
2695  {
2696  r = clib_error_return (0, "unknown profile %v", name);
2697  return r;
2698  }
2699  vec_free (p->auth.data);
2700  p->auth.method = auth_method;
2701  p->auth.data = vec_dup (auth_data);
2702  p->auth.hex = data_hex_format;
2703 
2704  if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
2705  {
2706  vec_add1 (p->auth.data, 0);
2707  if (p->auth.key)
2708  EVP_PKEY_free (p->auth.key);
2709  p->auth.key = ikev2_load_cert_file (auth_data);
2710  if (p->auth.key == NULL)
2711  return clib_error_return (0, "load cert '%s' failed", auth_data);
2712  }
2713 
2714  return 0;
2715 }
2716 
2717 clib_error_t *
2718 ikev2_set_profile_id (vlib_main_t * vm, u8 * name, u8 id_type, u8 * data,
2719  int is_local)
2720 {
2721  ikev2_profile_t *p;
2722  clib_error_t *r;
2723 
2724  if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
2725  && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
2726  {
2727  r = clib_error_return (0, "unsupported identity type %U",
2728  format_ikev2_id_type, id_type);
2729  return r;
2730  }
2731 
2732  p = ikev2_profile_index_by_name (name);
2733 
2734  if (!p)
2735  {
2736  r = clib_error_return (0, "unknown profile %v", name);
2737  return r;
2738  }
2739 
2740  if (is_local)
2741  {
2742  vec_free (p->loc_id.data);
2743  p->loc_id.type = id_type;
2744  p->loc_id.data = vec_dup (data);
2745  }
2746  else
2747  {
2748  vec_free (p->rem_id.data);
2749  p->rem_id.type = id_type;
2750  p->rem_id.data = vec_dup (data);
2751  }
2752 
2753  return 0;
2754 }
2755 
2756 clib_error_t *
2757 ikev2_set_profile_ts (vlib_main_t * vm, u8 * name, u8 protocol_id,
2758  u16 start_port, u16 end_port, ip4_address_t start_addr,
2759  ip4_address_t end_addr, int is_local)
2760 {
2761  ikev2_profile_t *p;
2762  clib_error_t *r;
2763 
2764  p = ikev2_profile_index_by_name (name);
2765 
2766  if (!p)
2767  {
2768  r = clib_error_return (0, "unknown profile %v", name);
2769  return r;
2770  }
2771 
2772  if (is_local)
2773  {
2774  p->loc_ts.start_addr.as_u32 = start_addr.as_u32;
2775  p->loc_ts.end_addr.as_u32 = end_addr.as_u32;
2776  p->loc_ts.start_port = start_port;
2777  p->loc_ts.end_port = end_port;
2778  p->loc_ts.protocol_id = protocol_id;
2779  p->loc_ts.ts_type = 7;
2780  }
2781  else
2782  {
2783  p->rem_ts.start_addr.as_u32 = start_addr.as_u32;
2784  p->rem_ts.end_addr.as_u32 = end_addr.as_u32;
2785  p->rem_ts.start_port = start_port;
2786  p->rem_ts.end_port = end_port;
2787  p->rem_ts.protocol_id = protocol_id;
2788  p->rem_ts.ts_type = 7;
2789  }
2790 
2791  return 0;
2792 }
2793 
2794 
2795 clib_error_t *
2796 ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
2797  u32 sw_if_index, ip4_address_t ip4)
2798 {
2799  ikev2_profile_t *p;
2800  clib_error_t *r;
2801 
2802  p = ikev2_profile_index_by_name (name);
2803 
2804  if (!p)
2805  {
2806  r = clib_error_return (0, "unknown profile %v", name);
2807  return r;
2808  }
2809 
2810  p->responder.sw_if_index = sw_if_index;
2811  p->responder.ip4 = ip4;
2812 
2813  return 0;
2814 }
2815 
2816 clib_error_t *
2817 ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
2818  ikev2_transform_encr_type_t crypto_alg,
2819  ikev2_transform_integ_type_t integ_alg,
2820  ikev2_transform_dh_type_t dh_type,
2821  u32 crypto_key_size)
2822 {
2823  ikev2_profile_t *p;
2824  clib_error_t *r;
2825 
2826  p = ikev2_profile_index_by_name (name);
2827 
2828  if (!p)
2829  {
2830  r = clib_error_return (0, "unknown profile %v", name);
2831  return r;
2832  }
2833 
2834  p->ike_ts.crypto_alg = crypto_alg;
2835  p->ike_ts.integ_alg = integ_alg;
2836  p->ike_ts.dh_type = dh_type;
2837  p->ike_ts.crypto_key_size = crypto_key_size;
2838  return 0;
2839 }
2840 
2841 clib_error_t *
2842 ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name,
2843  ikev2_transform_encr_type_t crypto_alg,
2844  ikev2_transform_integ_type_t integ_alg,
2845  ikev2_transform_dh_type_t dh_type,
2846  u32 crypto_key_size)
2847 {
2848  ikev2_profile_t *p;
2849  clib_error_t *r;
2850 
2851  p = ikev2_profile_index_by_name (name);
2852 
2853  if (!p)
2854  {
2855  r = clib_error_return (0, "unknown profile %v", name);
2856  return r;
2857  }
2858 
2859  p->esp_ts.crypto_alg = crypto_alg;
2860  p->esp_ts.integ_alg = integ_alg;
2861  p->esp_ts.dh_type = dh_type;
2862  p->esp_ts.crypto_key_size = crypto_key_size;
2863  return 0;
2864 }
2865 
2866 clib_error_t *
2867 ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name,
2868  u64 lifetime, u32 jitter, u32 handover,
2869  u64 maxdata)
2870 {
2871  ikev2_profile_t *p;
2872  clib_error_t *r;
2873 
2874  p = ikev2_profile_index_by_name (name);
2875 
2876  if (!p)
2877  {
2878  r = clib_error_return (0, "unknown profile %v", name);
2879  return r;
2880  }
2881 
2882  p->lifetime = lifetime;
2883  p->lifetime_jitter = jitter;
2884  p->handover = handover;
2885  p->lifetime_maxdata = maxdata;
2886  return 0;
2887 }
2888 
2889 clib_error_t *
2890 ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
2891 {
2892  ikev2_profile_t *p;
2893  clib_error_t *r;
2894  ip4_main_t *im = &ip4_main;
2895  ikev2_main_t *km = &ikev2_main;
2896 
2897  p = ikev2_profile_index_by_name (name);
2898 
2899  if (!p)
2900  {
2901  r = clib_error_return (0, "unknown profile %v", name);
2902  return r;
2903  }
2904 
2905  if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0)
2906  {
2907  r = clib_error_return (0, "responder not set for profile %v", name);
2908  return r;
2909  }
2910 
2911 
2912  /* Create the Initiator Request */
2913  {
2914  ike_header_t *ike0;
2915  u32 bi0 = 0;
2916  ip_lookup_main_t *lm = &im->lookup_main;
2917  u32 if_add_index0;
2918  int len = sizeof (ike_header_t);
2919 
2920  /* Get own iface IP */
2921  if_add_index0 =
2922  lm->if_address_pool_index_by_sw_if_index[p->responder.sw_if_index];
2923  ip_interface_address_t *if_add =
2924  pool_elt_at_index (lm->if_address_pool, if_add_index0);
2925  ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
2926 
2927  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
2928 
2929  /* Prepare the SA and the IKE payload */
2930  ikev2_sa_t sa;
2931  memset (&sa, 0, sizeof (ikev2_sa_t));
2932  ikev2_payload_chain_t *chain = 0;
2933  ikev2_payload_new_chain (chain);
2934 
2935  /* Build the IKE proposal payload */
2936  ikev2_sa_proposal_t *proposals = 0;
2937  ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
2938  proposals[0].proposal_num = 1;
2939  proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
2940 
2941  /* Add and then cleanup proposal data */
2942  ikev2_payload_add_sa (chain, proposals);
2943  ikev2_sa_free_proposal_vector (&proposals);
2944 
2945  sa.is_initiator = 1;
2946  sa.profile = p;
2947  sa.state = IKEV2_STATE_SA_INIT;
2948  ikev2_generate_sa_init_data (&sa);
2949  ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
2950  ikev2_payload_add_nonce (chain, sa.i_nonce);
2951 
2952  /* Build the child SA proposal */
2953  vec_resize (sa.childs, 1);
2954  ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
2955  &sa.childs[0].i_proposals, 0);
2956  sa.childs[0].i_proposals[0].proposal_num = 1;
2957  sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP;
2958  RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
2959  sizeof (sa.childs[0].i_proposals[0].spi));
2960 
2961 
2962 
2963  /* Add NAT detection notification messages (mandatory) */
2964  u8 nat_detection_source[8 + 8 + 4 + 2];
2965  u8 *nat_detection_sha1 = vec_new (u8, 20);
2966 
2967  u64 tmpspi = clib_host_to_net_u64 (sa.ispi);
2968  clib_memcpy (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
2969  tmpspi = clib_host_to_net_u64 (sa.rspi);
2970  clib_memcpy (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
2971  u16 tmpport = clib_host_to_net_u16 (500);
2972  clib_memcpy (&nat_detection_source[8 + 8 + 4], &tmpport,
2973  sizeof (tmpport));
2974  u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32);
2975  clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
2976  SHA1 (nat_detection_source, sizeof (nat_detection_source),
2977  nat_detection_sha1);
2978  ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
2979  nat_detection_sha1);
2980  tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32);
2981  clib_memcpy (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
2982  SHA1 (nat_detection_source, sizeof (nat_detection_source),
2983  nat_detection_sha1);
2984  ikev2_payload_add_notify (chain,
2985  IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
2986  nat_detection_sha1);
2987  vec_free (nat_detection_sha1);
2988 
2989  u8 *sig_hash_algo = vec_new (u8, 8);
2990  u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
2991  clib_memcpy (sig_hash_algo, &tmpsig, sizeof (tmpsig));
2992  ikev2_payload_add_notify (chain,
2993  IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
2994  sig_hash_algo);
2995  vec_free (sig_hash_algo);
2996 
2997 
2998  /* Buffer update and bolierplate */
2999  len += vec_len (chain->data);
3000  ike0->nextpayload = chain->first_payload_type;
3001  ike0->length = clib_host_to_net_u32 (len);
3002  clib_memcpy (ike0->payload, chain->data, vec_len (chain->data));
3003  ikev2_payload_destroy_chain (chain);
3004 
3005  ike0->version = IKE_VERSION_2;
3006  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3007  ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
3008  ike0->ispi = sa.ispi;
3009 
3010  /* store whole IKE payload - needed for PSK auth */
3011  vec_free (sa.last_sa_init_req_packet_data);
3012  vec_add (sa.last_sa_init_req_packet_data, ike0, len);
3013 
3014  /* add data to the SA then add it to the pool */
3015  sa.iaddr.as_u32 = if_ip->as_u32;
3016  sa.raddr.as_u32 = p->responder.ip4.as_u32;
3017  sa.i_id.type = p->loc_id.type;
3018  sa.i_id.data = vec_dup (p->loc_id.data);
3019  sa.i_auth.method = p->auth.method;
3020  sa.i_auth.hex = p->auth.hex;
3021  sa.i_auth.data = vec_dup (p->auth.data);
3022  sa.i_auth.key = vec_dup (p->auth.key);
3023  vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
3024  vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
3025 
3026  /* add SA to the pool */
3027  ikev2_sa_t *sa0 = 0;
3028  pool_get (km->sais, sa0);
3029  clib_memcpy (sa0, &sa, sizeof (*sa0));
3030  hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
3031 
3032  ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
3033 
3034  }
3035 
3036  return 0;
3037 }
3038 
3039 static void
3040 ikev2_delete_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
3041  ikev2_child_sa_t * csa)
3042 {
3043  /* Create the Initiator notification for child SA removal */
3044  ikev2_main_t *km = &ikev2_main;
3045  ike_header_t *ike0;
3046  u32 bi0 = 0;
3047  int len;
3048 
3049  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3050 
3051 
3052  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3053  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3054  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3055  vec_resize (sa->del, 1);
3056  sa->del->protocol_id = IKEV2_PROTOCOL_ESP;
3057  sa->del->spi = csa->i_proposals->spi;
3058  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3059  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3060  len = ikev2_generate_message (sa, ike0, 0);
3061 
3062  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3063 
3064  /* delete local child SA */
3065  ikev2_delete_tunnel_interface (km->vnet_main, sa, csa);
3066  ikev2_sa_del_child_sa (sa, csa);
3067 }
3068 
3069 clib_error_t *
3070 ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi)
3071 {
3072  clib_error_t *r;
3073  ikev2_main_t *km = &ikev2_main;
3074  ikev2_main_per_thread_data_t *tkm;
3075  ikev2_sa_t *fsa = 0;
3076  ikev2_child_sa_t *fchild = 0;
3077 
3078  /* Search for the child SA */
3079  vec_foreach (tkm, km->per_thread_data)
3080  {
3081  ikev2_sa_t *sa;
3082  if (fchild)
3083  break;
3084  /* *INDENT-OFF* */
3085  pool_foreach (sa, tkm->sas, ({
3086  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3087  if (fchild)
3088  {
3089  fsa = sa;
3090  break;
3091  }
3092  }));
3093  /* *INDENT-ON* */
3094  }
3095 
3096  if (!fchild || !fsa)
3097  {
3098  r = clib_error_return (0, "Child SA not found");
3099  return r;
3100  }
3101  else
3102  {
3103  ikev2_delete_child_sa_internal (vm, fsa, fchild);
3104  }
3105 
3106  return 0;
3107 }
3108 
3109 clib_error_t *
3110 ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi)
3111 {
3112  clib_error_t *r;
3113  ikev2_main_t *km = &ikev2_main;
3114  ikev2_main_per_thread_data_t *tkm;
3115  ikev2_sa_t *fsa = 0;
3116  ikev2_main_per_thread_data_t *ftkm = 0;
3117 
3118  /* Search for the IKE SA */
3119  vec_foreach (tkm, km->per_thread_data)
3120  {
3121  ikev2_sa_t *sa;
3122  if (fsa)
3123  break;
3124  /* *INDENT-OFF* */
3125  pool_foreach (sa, tkm->sas, ({
3126  if (sa->ispi == ispi)
3127  {
3128  fsa = sa;
3129  ftkm = tkm;
3130  break;
3131  }
3132  }));
3133  /* *INDENT-ON* */
3134  }
3135 
3136  if (!fsa)
3137  {
3138  r = clib_error_return (0, "IKE SA not found");
3139  return r;
3140  }
3141 
3142 
3143  /* Create the Initiator notification for IKE SA removal */
3144  {
3145  ike_header_t *ike0;
3146  u32 bi0 = 0;
3147  int len;
3148 
3149  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3150 
3151 
3152  ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
3153  ike0->ispi = clib_host_to_net_u64 (fsa->ispi);
3154  ike0->rspi = clib_host_to_net_u64 (fsa->rspi);
3155  vec_resize (fsa->del, 1);
3156  fsa->del->protocol_id = IKEV2_PROTOCOL_IKE;
3157  fsa->del->spi = ispi;
3158  ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1);
3159  fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3160  len = ikev2_generate_message (fsa, ike0, 0);
3161 
3162  ikev2_send_ike (vm, &fsa->iaddr, &fsa->raddr, bi0, len);
3163  }
3164 
3165 
3166  /* delete local SA */
3167  ikev2_child_sa_t *c;
3168  vec_foreach (c, fsa->childs)
3169  {
3170  ikev2_delete_tunnel_interface (km->vnet_main, fsa, c);
3171  ikev2_sa_del_child_sa (fsa, c);
3172  }
3173  ikev2_sa_free_all_vec (fsa);
3174  uword *p = hash_get (ftkm->sa_by_rspi, fsa->rspi);
3175  if (p)
3176  {
3177  hash_unset (ftkm->sa_by_rspi, fsa->rspi);
3178  pool_put (ftkm->sas, fsa);
3179  }
3180 
3181 
3182  return 0;
3183 }
3184 
3185 static void
3186 ikev2_rekey_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
3187  ikev2_child_sa_t * csa)
3188 {
3189  /* Create the Initiator request for create child SA */
3190  ike_header_t *ike0;
3191  u32 bi0 = 0;
3192  int len;
3193 
3194 
3195  bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
3196 
3197 
3198  ike0->version = IKE_VERSION_2;
3199  ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3200  ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
3201  ike0->ispi = clib_host_to_net_u64 (sa->ispi);
3202  ike0->rspi = clib_host_to_net_u64 (sa->rspi);
3203  ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
3204  sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
3205 
3206  ikev2_rekey_t *rekey;
3207  vec_add2 (sa->rekey, rekey, 1);
3208  ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
3209 
3210  /*need new ispi */
3211  RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
3212  rekey->spi = proposals[0].spi;
3213  rekey->ispi = csa->i_proposals->spi;
3214  len = ikev2_generate_message (sa, ike0, proposals);
3215  ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
3216  vec_free (proposals);
3217 }
3218 
3219 clib_error_t *
3220 ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi)
3221 {
3222  clib_error_t *r;
3223  ikev2_main_t *km = &ikev2_main;
3224  ikev2_main_per_thread_data_t *tkm;
3225  ikev2_sa_t *fsa = 0;
3226  ikev2_child_sa_t *fchild = 0;
3227 
3228  /* Search for the child SA */
3229  vec_foreach (tkm, km->per_thread_data)
3230  {
3231  ikev2_sa_t *sa;
3232  if (fchild)
3233  break;
3234  /* *INDENT-OFF* */
3235  pool_foreach (sa, tkm->sas, ({
3236  fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3237  if (fchild)
3238  {
3239  fsa = sa;
3240  break;
3241  }
3242  }));
3243  /* *INDENT-ON* */
3244  }
3245 
3246  if (!fchild || !fsa)
3247  {
3248  r = clib_error_return (0, "Child SA not found");
3249  return r;
3250  }
3251  else
3252  {
3253  ikev2_rekey_child_sa_internal (vm, fsa, fchild);
3254  }
3255 
3256  return 0;
3257 }
3258 
3259 clib_error_t *
3260 ikev2_init (vlib_main_t * vm)
3261 {
3262  ikev2_main_t *km = &ikev2_main;
3263  clib_error_t *error;
3264  vlib_thread_main_t *tm = vlib_get_thread_main ();
3265  int thread_id;
3266 
3267  memset (km, 0, sizeof (ikev2_main_t));
3268  km->vnet_main = vnet_get_main ();
3269  km->vlib_main = vm;
3270 
3271  ikev2_crypto_init (km);
3272 
3273  mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword));
3274 
3275  vec_validate (km->per_thread_data, tm->n_vlib_mains - 1);
3276  for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
3277  {
3278  km->per_thread_data[thread_id].sa_by_rspi =
3279  hash_create (0, sizeof (uword));
3280  }
3281 
3282  km->sa_by_ispi = hash_create (0, sizeof (uword));
3283 
3284 
3285  if ((error = vlib_call_init_function (vm, ikev2_cli_init)))
3286  return error;
3287 
3288  udp_register_dst_port (vm, 500, ikev2_node.index, 1);
3289 
3290  return 0;
3291 }
3292 
3293 
3294 static u8
3295 ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
3296 {
3297  ikev2_main_t *km = &ikev2_main;
3298  vlib_main_t *vm = km->vlib_main;
3299  f64 now = vlib_time_now (vm);
3300  u8 res = 0;
3301 
3302  if (sa->is_initiator && sa->profile && csa->time_to_expiration
3303  && now > csa->time_to_expiration)
3304  {
3305  if (!csa->is_expired || csa->rekey_retries > 0)
3306  {
3307  ikev2_rekey_child_sa_internal (vm, sa, csa);
3308  csa->time_to_expiration = now + sa->profile->handover;
3309  csa->is_expired = 1;
3310  if (csa->rekey_retries == 0)
3311  {
3312  csa->rekey_retries = 5;
3313  }
3314  else if (csa->rekey_retries > 0)
3315  {
3316  csa->rekey_retries--;
3317  clib_warning ("Rekeing Child SA 0x%x, retries left %d",
3318  csa->i_proposals->spi, csa->rekey_retries);
3319  if (csa->rekey_retries == 0)
3320  {
3321  csa->rekey_retries = -1;
3322  }
3323  }
3324  res |= 1;
3325  }
3326  else
3327  {
3328  csa->time_to_expiration = 0;
3329  ikev2_delete_child_sa_internal (vm, sa, csa);
3330  res |= 1;
3331  }
3332  }
3333 
3334  return res;
3335 }
3336 
3337 static void
3338 ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
3339 {
3340  ikev2_main_t *km = &ikev2_main;
3341  vlib_main_t *vm = km->vlib_main;
3342  ikev2_main_per_thread_data_t *tkm;
3343  ikev2_sa_t *fsa = 0;
3344  ikev2_child_sa_t *fchild = 0;
3345  f64 now = vlib_time_now (vm);
3346 
3347  /* Search for the SA and child SA */
3348  vec_foreach (tkm, km->per_thread_data)
3349  {
3350  ikev2_sa_t *sa;
3351  if (fchild)
3352  break;
3353  /* *INDENT-OFF* */
3354  pool_foreach (sa, tkm->sas, ({
3355  fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
3356  if (fchild)
3357  {
3358  fsa = sa;
3359  break;
3360  }
3361  }));
3362  /* *INDENT-ON* */
3363  }
3364 
3365  if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
3366  {
3367  if (!fchild->is_expired
3368  && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
3369  {
3370  fchild->time_to_expiration = now;
3371  }
3372  }
3373 }
3374 
3375 static vlib_node_registration_t ikev2_mngr_process_node;
3376 
3377 static uword
3378 ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
3379  vlib_frame_t * f)
3380 {
3381  ikev2_main_t *km = &ikev2_main;
3382  ipsec_main_t *im = &ipsec_main;
3383 
3384  while (1)
3385  {
3386  u8 req_sent = 0;
3387  vlib_process_wait_for_event_or_clock (vm, 1);
3388  vlib_process_get_events (vm, NULL);
3389 
3390  /* process ike child sas */
3391  ikev2_main_per_thread_data_t *tkm;
3392  vec_foreach (tkm, km->per_thread_data)
3393  {
3394  ikev2_sa_t *sa;
3395  /* *INDENT-OFF* */
3396  pool_foreach (sa, tkm->sas, ({
3397  ikev2_child_sa_t *c;
3398  vec_foreach (c, sa->childs)
3399  {
3400  req_sent |= ikev2_mngr_process_child_sa(sa, c);
3401  }
3402  }));
3403  /* *INDENT-ON* */
3404  }
3405 
3406  /* process ipsec sas */
3407  ipsec_sa_t *sa;
3408  /* *INDENT-OFF* */
3409  pool_foreach (sa, im->sad, ({
3410  ikev2_mngr_process_ipsec_sa(sa);
3411  }));
3412  /* *INDENT-ON* */
3413 
3414  if (req_sent)
3415  {
3416  vlib_process_wait_for_event_or_clock (vm, 5);
3417  vlib_process_get_events (vm, NULL);
3418  req_sent = 0;
3419  }
3420 
3421  }
3422  return 0;
3423 }
3424 
3425 /* *INDENT-OFF* */
3426 VLIB_REGISTER_NODE (ikev2_mngr_process_node, static) = {
3427  .function = ikev2_mngr_process_fn,
3428  .type = VLIB_NODE_TYPE_PROCESS,
3429  .name =
3430  "ikev2-manager-process",
3431 };
3432 
3433 /* *INDENT-ON* */
3434 
3435 /*
3436  * fd.io coding-style-patch-verification: ON
3437  *
3438  * Local Variables:
3439  * eval: (c-set-style "gnu")
3440  * End:
3441  */
ikev2_main_t::per_thread_data
ikev2_main_per_thread_data_t * per_thread_data
Definition: ikev2_priv.h:291
ikev2_payload_chain_t
Definition: ikev2_priv.h:318
vec_validate
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:436
ikev2_retransmit_sa_init
static int ikev2_retransmit_sa_init(ike_header_t *ike, ip4_address_t iaddr, ip4_address_t raddr)
Definition: ikev2.c:1923
ikev2_auth_t
Definition: ikev2_priv.h:53
ip_interface_address_t
Definition: lookup.h:88
ikev2_sa_t::dh_shared_key
u8 * dh_shared_key
Definition: ikev2_priv.h:211
ikev2_main_t::sais
ikev2_sa_t * sais
Definition: ikev2_priv.h:287
vlib_get_frame_to_node
vlib_frame_t * vlib_get_frame_to_node(vlib_main_t *vm, u32 to_node_index)
Definition: main.c:187
ikev2_profile_t
Definition: ikev2_priv.h:178
ikev2_payload_add_nonce
void ikev2_payload_add_nonce(ikev2_payload_chain_t *c, u8 *nonce)
Definition: ikev2_payload.c:239
format_ikev2_trace
static u8 * format_ikev2_trace(u8 *s, va_list *args)
Definition: ikev2.c:42
ikev2_sa_t::dh_private_key
u8 * dh_private_key
Definition: ikev2_priv.h:212
ikev2_sa_transform_t::type
ikev2_transform_type_t type
Definition: ikev2_priv.h:69
hash_set
#define hash_set(h, key, value)
Definition: hash.h:254
ikev2_notify_t::msg_type
u16 msg_type
Definition: ikev2_priv.h:172
i
sll srl srl sll sra u16x4 i
Definition: vector_sse2.h:337
IKEV2_PAYLOAD_NONCE
#define IKEV2_PAYLOAD_NONCE
Definition: ikev2.h:99
ikev2_set_profile_responder
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2796
IKEV2_STATE_SA_INIT
Definition: ikev2_priv.h:44
ikev2_sa_t::r_id
ikev2_id_t r_id
Definition: ikev2_priv.h:235
ikev2_id_t::type
ikev2_id_type_t type
Definition: ikev2_priv.h:127
CLIB_UNUSED
#define CLIB_UNUSED(x)
Definition: clib.h:79
ikev2_payload_add_notify
void ikev2_payload_add_notify(ikev2_payload_chain_t *c, u16 msg_type, u8 *data)
Definition: ikev2_payload.c:134
ikev2_profile_t::ike_ts
ikev2_transforms_set ike_ts
Definition: ikev2_priv.h:189
ikev2_delete_tunnel_interface
static int ikev2_delete_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1609
ikev2_profile_t::lifetime
u64 lifetime
Definition: ikev2_priv.h:191
vlib_process_wait_for_event_or_clock
static f64 vlib_process_wait_for_event_or_clock(vlib_main_t *vm, f64 dt)
Suspend a cooperative multi-tasking thread Waits for an event, or for the indicated number of seconds...
Definition: node_funcs.h:699
ikev2_transform_integ_type_t
ikev2_transform_integ_type_t
Definition: ikev2.h:267
hash_unset
#define hash_unset(h, key)
Definition: hash.h:260
a
a
Definition: bitmap.h:516
ikev2_send_ike
static void ikev2_send_ike(vlib_main_t *vm, ip4_address_t *src, ip4_address_t *dst, u32 bi0, u32 len)
Definition: ikev2.c:2586
ip4_header_t::src_address
ip4_address_t src_address
Definition: ip4_packet.h:164
ip4_header_t::ttl
u8 ttl
Definition: ip4_packet.h:151
ikev2_add_del_profile
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2655
ikev2_main_t::pkey
EVP_PKEY * pkey
Definition: ikev2_priv.h:280
ip_lookup_main_t::if_address_pool
ip_interface_address_t * if_address_pool
Pool of addresses that are assigned to interfaces.
Definition: lookup.h:122
ikev2_payload_add_sa
void ikev2_payload_add_sa(ikev2_payload_chain_t *c, ikev2_sa_proposal_t *proposals)
Definition: ikev2_payload.c:162
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
ikev2_calc_keys
static void ikev2_calc_keys(ikev2_sa_t *sa)
Definition: ikev2.c:429
ikev2_parse_sa_payload
ikev2_sa_proposal_t * ikev2_parse_sa_payload(ike_payload_header_t *ikep)
Definition: ikev2_payload.c:343
ikev2_child_sa_t
Definition: ikev2_priv.h:131
ikev2_sa_t::last_init_msg_id
u32 last_init_msg_id
Definition: ikev2_priv.h:252
ikev2_generate_message
static u32 ikev2_generate_message(ikev2_sa_t *sa, ike_header_t *ike, void *user)
Definition: ikev2.c:1642
ikev2_transforms_set::dh_type
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:120
IKEV2_PAYLOAD_NONE
#define IKEV2_PAYLOAD_NONE
Definition: ikev2.h:93
ikev2_main_t::profiles
ikev2_profile_t * profiles
Definition: ikev2_priv.h:271
ikev2_id_t
Definition: ikev2_priv.h:125
v8
u8 v8
Definition: ikev2.h:27
ikev2_initiate_delete_ike_sa
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3110
ikev2_sa_transform_t::block_size
u16 block_size
Definition: ikev2_priv.h:82
ikev2_parse_ts_payload
ikev2_ts_t * ikev2_parse_ts_payload(ike_payload_header_t *ikep)
Definition: ikev2_payload.c:428
NULL
#define NULL
Definition: clib.h:55
ikev2_ts_t
Definition: ikev2_priv.h:99
mhash_unset
uword mhash_unset(mhash_t *h, void *key, uword *old_value)
Definition: mhash.c:353
ikev2_calc_prf
v8 * ikev2_calc_prf(ikev2_sa_transform_t *tr, v8 *key, v8 *data)
Definition: ikev2_crypto.c:256
vlib_time_now
static f64 vlib_time_now(vlib_main_t *vm)
Definition: main.h:192
ikev2_complete_sa_data
static void ikev2_complete_sa_data(ikev2_sa_t *sa, ikev2_sa_t *sai)
Definition: ikev2.c:373
ikev2_rekey_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:161
vlib_put_next_frame
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
Definition: main.c:459
ikev2_mngr_process_node
static vlib_node_registration_t ikev2_mngr_process_node
(constructor) VLIB_REGISTER_NODE (ikev2_mngr_process_node)
Definition: ikev2.c:3375
IKEV2_EXCHANGE_SA_INIT
#define IKEV2_EXCHANGE_SA_INIT
Definition: ikev2.h:82
ikev2_delete_child_sa_internal
static void ikev2_delete_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3040
ikev2_sa_transform_t::esn_type
ikev2_transform_esn_type_t esn_type
Definition: ikev2_priv.h:77
ikev2_sa_proposal_t::spi
u32 spi
Definition: ikev2_priv.h:95
IKEV2_PAYLOAD_VENDOR
#define IKEV2_PAYLOAD_VENDOR
Definition: ikev2.h:102
ikev2_sa_t::state
ikev2_state_t state
Definition: ikev2_priv.h:199
vec_add1
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:522
ipsec_add_del_tunnel_args_t::remote_integ_key
u8 remote_integ_key[128]
Definition: ipsec.h:162
ipsec_add_del_tunnel_args_t::remote_crypto_key
u8 remote_crypto_key[128]
Definition: ipsec.h:157
ikev2_transforms_set::crypto_key_size
u32 crypto_key_size
Definition: ikev2_priv.h:121
ikev2_transforms_set::crypto_alg
ikev2_transform_encr_type_t crypto_alg
Definition: ikev2_priv.h:118
vlib_thread_main_t
Definition: threads.h:253
vlib_node_registration_t
struct _vlib_node_registration vlib_node_registration_t
vec_add2
#define vec_add2(V, P, N)
Add N elements to end of vector V, return pointer to new elements in P.
Definition: vec.h:561
ikev2_sa_t::sk_pi
u8 * sk_pi
Definition: ikev2_priv.h:226
mhash_init_vec_string
static void mhash_init_vec_string(mhash_t *h, uword n_value_bytes)
Definition: mhash.h:84
ikev2_main
ikev2_main_t ikev2_main
Definition: ikev2_priv.h:295
ip4_main_t::lookup_main
ip_lookup_main_t lookup_main
Definition: ip4.h:85
ikev2_responder_t::ip4
ip4_address_t ip4
Definition: ikev2_priv.h:113
ikev2_set_profile_sa_lifetime
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2867
format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:419
ip4_header_t::flags_and_fragment_offset
u16 flags_and_fragment_offset
Definition: ip4_packet.h:145
ikev2_payload_add_ke
void ikev2_payload_add_ke(ikev2_payload_chain_t *c, u16 dh_group, u8 *dh_data)
Definition: ikev2_payload.c:228
ikev2_profile_t::lifetime_maxdata
u64 lifetime_maxdata
Definition: ikev2_priv.h:192
ikev2_next_t
ikev2_next_t
Definition: ikev2.c:77
ikev2_generate_sa_init_data
static void ikev2_generate_sa_init_data(ikev2_sa_t *sa)
Definition: ikev2.c:320
IKEV2_NONCE_SIZE
#define IKEV2_NONCE_SIZE
Definition: ikev2.h:23
ikev2_sa_t::initial_contact
u8 initial_contact
Definition: ikev2_priv.h:201
ikev2_rekey_t::tsi
ikev2_ts_t * tsi
Definition: ikev2_priv.h:166
IKEV2_STATE_NO_PROPOSAL_CHOSEN
Definition: ikev2_priv.h:50
IKEV2_PAYLOAD_TSR
#define IKEV2_PAYLOAD_TSR
Definition: ikev2.h:104
ikev2_sa_t::r_auth
ikev2_auth_t r_auth
Definition: ikev2_priv.h:231
udp_header_t
Definition: udp_packet.h:43
pool_get
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:200
ikev2_delete_sa
static void ikev2_delete_sa(ikev2_sa_t *sa)
Definition: ikev2.c:303
ip4_header_t::fragment_id
u16 fragment_id
Definition: ip4_packet.h:141
ikev2_auth_t::hex
u8 hex
Definition: ikev2_priv.h:57
ikev2_sa_t::last_sa_init_res_packet_data
u8 * last_sa_init_res_packet_data
Definition: ikev2_priv.h:245
vlib_frame_t
Definition: node.h:333
ikev2_parse_notify_payload
ikev2_notify_t * ikev2_parse_notify_payload(ike_payload_header_t *ikep)
Definition: ikev2_payload.c:454
ikev2_sa_t::profile
ikev2_profile_t * profile
Definition: ikev2_priv.h:253
ikev2_sa_get_td_for_type
ikev2_sa_transform_t * ikev2_sa_get_td_for_type(ikev2_sa_proposal_t *p, ikev2_transform_type_t type)
Definition: ikev2.c:189
ikev2_profile_t::auth
ikev2_auth_t auth
Definition: ikev2_priv.h:183
ikev2_rekey_t::tsr
ikev2_ts_t * tsr
Definition: ikev2_priv.h:167
ip4_lookup_node
vlib_node_registration_t ip4_lookup_node
(constructor) VLIB_REGISTER_NODE (ip4_lookup_node)
Definition: ip4_forward.c:479
ikev2_mngr_process_ipsec_sa
static void ikev2_mngr_process_ipsec_sa(ipsec_sa_t *ipsec_sa)
Definition: ikev2.c:3338
ikev2_profile_t::rem_id
ikev2_id_t rem_id
Definition: ikev2_priv.h:185
ikev2_sa_t::sk_d
u8 * sk_d
Definition: ikev2_priv.h:221
vec_add
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
Definition: vec.h:599
ikev2_transform_dh_type_t
ikev2_transform_dh_type_t
Definition: ikev2.h:317
ikev2_encrypt_data
int ikev2_encrypt_data(ikev2_sa_t *sa, v8 *src, u8 *dst)
Definition: ikev2_crypto.c:373
vlib_node_runtime_t
Definition: node.h:413
ikev2_main_t
Definition: ikev2_priv.h:268
ikev2_sa_get_child
ikev2_child_sa_t * ikev2_sa_get_child(ikev2_sa_t *sa, u32 spi, ikev2_protocol_id_t prot_id, int by_initiator)
Definition: ikev2.c:206
format_ip4_address
format_function_t format_ip4_address
Definition: format.h:79
ikev2_trace_t::next_index
u32 next_index
Definition: ikev2.c:37
udp_header_t::src_port
u16 src_port
Definition: udp_packet.h:46
ikev2_child_sa_t::is_expired
u8 is_expired
Definition: ikev2_priv.h:149
ikev2_sa_t::last_msg_id
u32 last_msg_id
Definition: ikev2_priv.h:248
ikev2_ts_t::ts_type
u8 ts_type
Definition: ikev2_priv.h:101
ipsec_add_del_tunnel_args_t::remote_spi
u32 remote_spi
Definition: ipsec.h:152
IKEV2_PAYLOAD_DELETE
#define IKEV2_PAYLOAD_DELETE
Definition: ikev2.h:101
pool_foreach
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:376
ikev2_child_sa_t::r_proposals
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:135
ikev2_generate_dh
void ikev2_generate_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:401
ipsec_add_del_tunnel_args_t::remote_integ_key_len
u8 remote_integ_key_len
Definition: ipsec.h:161
ikev2_payload_chain_t::first_payload_type
u8 first_payload_type
Definition: ikev2_priv.h:320
ikev2_profile_t::lifetime_jitter
u32 lifetime_jitter
Definition: ikev2_priv.h:193
vlib_process_get_events
static uword vlib_process_get_events(vlib_main_t *vm, uword **data_vector)
Return the first event type which has occurred and a vector of per-event data of that type...
Definition: node_funcs.h:542
ikev2_load_cert_file
EVP_PKEY * ikev2_load_cert_file(u8 *file)
Definition: ikev2_crypto.c:612
ipsec_add_del_tunnel_args_t::local_spi
u32 local_spi
Definition: ipsec.h:151
ikev2_initiate_sa_init
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2890
ikev2_sa_transform_t::transform_id
u16 transform_id
Definition: ikev2_priv.h:72
ikev2_find_transform_data
static ikev2_sa_transform_t * ikev2_find_transform_data(ikev2_sa_transform_t *t)
Definition: ikev2.c:85
ip4_header_t::dst_address
ip4_address_t dst_address
Definition: ip4_packet.h:164
ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.h:282
vec_new
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:310
ikev2_load_key_file
EVP_PKEY * ikev2_load_key_file(u8 *file)
Definition: ikev2_crypto.c:642
ikev2_set_profile_auth
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:2686
ikev2_parse_vendor_payload
void ikev2_parse_vendor_payload(ike_payload_header_t *ikep)
Definition: ikev2_payload.c:495
ikev2_ts_t::start_addr
ip4_address_t start_addr
Definition: ikev2_priv.h:106
ipsec_add_del_tunnel_args_t::remote_ip
ip4_address_t remote_ip
Definition: ipsec.h:150
ikev2_delete_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:155
format_hex_bytes
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
ikev2_get_new_ike_header_buff
static u32 ikev2_get_new_ike_header_buff(vlib_main_t *vm, ike_header_t **ike)
Definition: ikev2.c:2629
ikev2_payload_add_id
void ikev2_payload_add_id(ikev2_payload_chain_t *c, ikev2_id_t *id, u8 type)
Definition: ikev2_payload.c:247
IKEV2_PAYLOAD_NOTIFY
#define IKEV2_PAYLOAD_NOTIFY
Definition: ikev2.h:100
ikev2_trace_t
Definition: ikev2.c:35
ikev2_sa_match_ts
static void ikev2_sa_match_ts(ikev2_sa_t *sa)
Definition: ikev2.c:1239
u64
unsigned long u64
Definition: types.h:89
ikev2_sa_t::i_proposals
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:217
ikev2_set_profile_esp_transforms
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2842
ikev2_sa_auth
static void ikev2_sa_auth(ikev2_sa_t *sa)
Definition: ikev2.c:1306
ikev2_main_per_thread_data_t::sas
ikev2_sa_t * sas
Definition: ikev2_priv.h:262
vec_resize
#define vec_resize(V, N)
Resize a vector (no header, unspecified alignment) Add N elements to end of given vector V...
Definition: vec.h:241
ikev2_transforms_set::integ_alg
ikev2_transform_integ_type_t integ_alg
Definition: ikev2_priv.h:119
ikev2_id_t::data
u8 * data
Definition: ikev2_priv.h:128
ikev2_sa_t::i_auth
ikev2_auth_t i_auth
Definition: ikev2_priv.h:230
ikev2_child_sa_t::sk_er
u8 * sk_er
Definition: ikev2_priv.h:145
vlib_call_init_function
#define vlib_call_init_function(vm, x)
Definition: init.h:162
ip4_address_t::data_u32
u32 data_u32
Definition: ip4_packet.h:52
ikev2_sa_proposal_t::proposal_num
u8 proposal_num
Definition: ikev2_priv.h:93
ikev2_set_state
#define ikev2_set_state(sa, v)
Definition: ikev2.c:30
ikev2_payload_destroy_chain
#define ikev2_payload_destroy_chain(V)
Definition: ikev2_priv.h:326
ikev2_transforms_set
Definition: ikev2_priv.h:116
ipsec_main_t
Definition: ipsec.h:243
ikev2_profile_t::loc_id
ikev2_id_t loc_id
Definition: ikev2_priv.h:184
ikev2_sa_proposal_t::transforms
ikev2_sa_transform_t * transforms
Definition: ikev2_priv.h:96
IKEV2_EXCHANGE_CREATE_CHILD_SA
#define IKEV2_EXCHANGE_CREATE_CHILD_SA
Definition: ikev2.h:84
ikev2_sa_t::sk_ar
u8 * sk_ar
Definition: ikev2_priv.h:223
ikev2_child_sa_t::sk_ar
u8 * sk_ar
Definition: ikev2_priv.h:143
ikev2_sa_t::r_dh_data
u8 * r_dh_data
Definition: ikev2_priv.h:214
ikev2_initial_contact_cleanup
static void ikev2_initial_contact_cleanup(ikev2_sa_t *sa)
Definition: ikev2.c:773
ikev2_profile_t::responder
ikev2_responder_t responder
Definition: ikev2_priv.h:188
ip4_address_t
Definition: ip4_packet.h:49
ikev2_profile_index_by_name
static ikev2_profile_t * ikev2_profile_index_by_name(u8 *name)
Definition: ikev2.c:2572
hash_get
#define hash_get(h, key)
Definition: hash.h:248
ikev2_set_profile_id
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2718
ikev2_calc_prfplus
u8 * ikev2_calc_prfplus(ikev2_sa_transform_t *tr, u8 *key, u8 *seed, int len)
Definition: ikev2_crypto.c:275
ikev2_set_initiator_proposals
static clib_error_t * ikev2_set_initiator_proposals(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_transforms_set *ts, ikev2_sa_proposal_t **proposals, int is_ike)
Definition: ikev2.c:2452
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:397
vnet_main_t::vlib_main
vlib_main_t * vlib_main
Definition: vnet.h:78
ikev2_sa_t::last_sa_init_req_packet_data
u8 * last_sa_init_req_packet_data
Definition: ikev2_priv.h:244
vlib_buffer_t::current_length
u16 current_length
Nbytes between current data and the end of this buffer.
Definition: buffer.h:71
IKEV2_PAYLOAD_IDR
#define IKEV2_PAYLOAD_IDR
Definition: ikev2.h:97
ikev2_create_tunnel_interface
static int ikev2_create_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:1473
IKEV2_PAYLOAD_SA
#define IKEV2_PAYLOAD_SA
Definition: ikev2.h:94
ikev2_profile_t::rem_ts
ikev2_ts_t rem_ts
Definition: ikev2_priv.h:187
ikev2_sa_t::i_dh_data
u8 * i_dh_data
Definition: ikev2_priv.h:213
mhash_set_mem
uword mhash_set_mem(mhash_t *h, void *key, uword *new_value, uword *old_value)
Definition: mhash.c:271
v
#define v
Definition: acl.c:320
ikev2_child_sa_t::i_proposals
ikev2_sa_proposal_t * i_proposals
Definition: ikev2_priv.h:134
ikev2_sa_t::r_nonce
u8 * r_nonce
Definition: ikev2_priv.h:207
IKEV2_HDR_FLAG_RESPONSE
#define IKEV2_HDR_FLAG_RESPONSE
Definition: ikev2.h:89
vlib_buffer_get_current
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
Definition: buffer.h:188
ikev2_main_t::profile_index_by_name
mhash_t profile_index_by_name
Definition: ikev2_priv.h:277
ikev2_ts_t::end_port
u16 end_port
Definition: ikev2_priv.h:105
ikev2_main_t::supported_transforms
ikev2_sa_transform_t * supported_transforms
Definition: ikev2_priv.h:274
ikev2_main_per_thread_data_t::sa_by_rspi
uword * sa_by_rspi
Definition: ikev2_priv.h:265
ipsec_add_del_tunnel_args_t::local_crypto_key_len
u8 local_crypto_key_len
Definition: ipsec.h:154
pool_put
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:241
ikev2_sa_t::rekey
ikev2_rekey_t * rekey
Definition: ikev2_priv.h:241
vec_dup
#define vec_dup(V)
Return copy of vector (no header, no alignment)
Definition: vec.h:374
ikev2_initiate_delete_child_sa
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3070
ikev2_rekey_child_sa_internal
static void ikev2_rekey_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3186
PREDICT_FALSE
#define PREDICT_FALSE(x)
Definition: clib.h:97
vec_del1
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:805
IKEV2_PAYLOAD_FLAG_CRITICAL
#define IKEV2_PAYLOAD_FLAG_CRITICAL
Definition: ikev2.h:91
ip4_header_t::tos
u8 tos
Definition: ip4_packet.h:135
ikev2_sa_auth_init
static void ikev2_sa_auth_init(ikev2_sa_t *sa)
Definition: ikev2.c:1429
ikev2_sa_transform_t
Definition: ikev2_priv.h:67
ipsec_sa_t
Definition: ipsec.h:100
ikev2_protocol_id_t
ikev2_protocol_id_t
Definition: ikev2.h:107
ikev2_auth_t::data
u8 * data
Definition: ikev2_priv.h:56
ipsec_add_del_tunnel_args_t::local_integ_key_len
u8 local_integ_key_len
Definition: ipsec.h:159
vlib_validate_buffer_enqueue_x1
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
Definition: buffer_node.h:216
vlib_get_next_frame
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
Definition: node_funcs.h:366
ikev2_ts_t::end_addr
ip4_address_t end_addr
Definition: ikev2_priv.h:107
ikev2_sa_t::rspi
u64 rspi
Definition: ikev2_priv.h:205
ikev2_sa_t::iaddr
ip4_address_t iaddr
Definition: ikev2_priv.h:202
ikev2_sa_t::i_nonce
u8 * i_nonce
Definition: ikev2_priv.h:206
ikev2_set_local_key
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2643
vlib_node_increment_counter
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1131
ikev2_set_profile_ts
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2757
ikev2_sa_t::sk_ei
u8 * sk_ei
Definition: ikev2_priv.h:224
IKEV2_EXCHANGE_INFORMATIONAL
#define IKEV2_EXCHANGE_INFORMATIONAL
Definition: ikev2.h:85
ikev2_payload_add_delete
void ikev2_payload_add_delete(ikev2_payload_chain_t *c, ikev2_delete_t *d)
Definition: ikev2_payload.c:259
ip4_header_t::length
u16 length
Definition: ip4_packet.h:138
IKEV2_HDR_FLAG_INITIATOR
#define IKEV2_HDR_FLAG_INITIATOR
Definition: ikev2.h:87
IKEV2_KEY_PAD
#define IKEV2_KEY_PAD
Definition: ikev2.h:25
ikev2_mngr_process_fn
static uword ikev2_mngr_process_fn(vlib_main_t *vm, vlib_node_runtime_t *rt, vlib_frame_t *f)
Definition: ikev2.c:3378
ikev2_initiate_rekey_child_sa
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3220
ipsec_add_del_tunnel_args_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:153
ip4_header_t::checksum
u16 checksum
Definition: ip4_packet.h:157
ikev2_sa_transform_t::dh_type
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:76
c
svmdb_client_t * c
Definition: vpp_get_metrics.c:49
vlib_frame_t::n_vectors
u16 n_vectors
Definition: node.h:345
ikev2_sa_t
Definition: ikev2_priv.h:197
vlib_get_thread_index
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:185
ipsec_add_del_tunnel_args_t
Definition: ipsec.h:145
ipsec_add_del_tunnel_args_t::remote_crypto_key_len
u8 remote_crypto_key_len
Definition: ipsec.h:156
ikev2_decrypt_sk_payload
static u8 * ikev2_decrypt_sk_payload(ikev2_sa_t *sa, ike_header_t *ike, u8 *payload)
Definition: ikev2.c:708
ikev2_sa_del_child_sa
static void ikev2_sa_del_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:259
ikev2_auth_t::method
ikev2_auth_method_t method
Definition: ikev2_priv.h:55
ikev2_transform_encr_type_t
ikev2_transform_encr_type_t
Definition: ikev2.h:226
ikev2_sa_t::del
ikev2_delete_t * del
Definition: ikev2_priv.h:238
ikev2_child_sa_t::tsi
ikev2_ts_t * tsi
Definition: ikev2_priv.h:138
udp_header_t::dst_port
u16 dst_port
Definition: udp_packet.h:46
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:340
IKEV2_STATE_AUTH_FAILED
Definition: ikev2_priv.h:46
ikev2_process_auth_req
static void ikev2_process_auth_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:812
ikev2_node_fn
static uword ikev2_node_fn(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
Definition: ikev2.c:2036
IKEV2_STATE_NOTIFY_AND_DELETE
Definition: ikev2_priv.h:48
ikev2_sa_t::raddr
ip4_address_t raddr
Definition: ikev2_priv.h:203
clib_warning
#define clib_warning(format, args...)
Definition: error.h:59
VLIB_BUFFER_IS_TRACED
#define VLIB_BUFFER_IS_TRACED
Definition: buffer.h:85
vlib_buffer_t
Definition: buffer.h:61
clib_memcpy
#define clib_memcpy(a, b, c)
Definition: string.h:69
ip_lookup_main_t
Definition: lookup.h:119
ikev2_child_sa_t::sk_ei
u8 * sk_ei
Definition: ikev2_priv.h:144
ikev2_sa_t::sk_er
u8 * sk_er
Definition: ikev2_priv.h:225
ikev2_process_sa_init_resp
static void ikev2_process_sa_init_resp(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:628
ikev2_sa_t::is_initiator
u8 is_initiator
Definition: ikev2_priv.h:251
ARRAY_LEN
#define ARRAY_LEN(x)
Definition: clib.h:59
IKEV2_PAYLOAD_KE
#define IKEV2_PAYLOAD_KE
Definition: ikev2.h:95
ikev2_profile_t::loc_ts
ikev2_ts_t loc_ts
Definition: ikev2_priv.h:186
ikev2_priv.h
ikev2_sa_t::r_proposals
ikev2_sa_proposal_t * r_proposals
Definition: ikev2_priv.h:218
IKEV2_STATE_AUTHENTICATED
Definition: ikev2_priv.h:47
ikev2_sa_generate_authmsg
static u8 * ikev2_sa_generate_authmsg(ikev2_sa_t *sa, int is_responder)
Definition: ikev2.c:1184
ikev2_child_sa_t::rekey_retries
i8 rekey_retries
Definition: ikev2_priv.h:150
ikev2_calc_child_keys
static void ikev2_calc_child_keys(ikev2_sa_t *sa, ikev2_child_sa_t *child)
Definition: ikev2.c:506
ip_lookup_main_t::if_address_pool_index_by_sw_if_index
u32 * if_address_pool_index_by_sw_if_index
Head of doubly linked list of interface addresses for each software interface.
Definition: lookup.h:129
vnet_main_t
Definition: vnet.h:51
ip4_header_t::protocol
u8 protocol
Definition: ip4_packet.h:154
hash_create
#define hash_create(elts, value_bytes)
Definition: hash.h:658
ikev2_payload_add_auth
void ikev2_payload_add_auth(ikev2_payload_chain_t *c, ikev2_auth_t *auth)
Definition: ikev2_payload.c:290
ikev2_sa_proposal_t::protocol_id
ikev2_protocol_id_t protocol_id
Definition: ikev2_priv.h:94
ikev2_ts_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:102
vlib_node_runtime_t::cached_next_index
u16 cached_next_index
Next frame index that vector arguments were last enqueued to last time this node ran.
Definition: node.h:460
ipsec_add_del_tunnel_args_t::local_crypto_key
u8 local_crypto_key[128]
Definition: ipsec.h:155
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
u32
unsigned int u32
Definition: types.h:88
mhash_get
static uword * mhash_get(mhash_t *h, const void *key)
Definition: mhash.h:110
ikev2_main_t::vnet_main
vnet_main_t * vnet_main
Definition: ikev2_priv.h:284
ikev2_process_informational_req
static void ikev2_process_informational_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:972
ipsec_add_del_tunnel_args_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:158
ipsec_add_del_tunnel_args_t::local_ip
ip4_address_t local_ip
Definition: ipsec.h:150
vlib_thread_main_t::n_vlib_mains
u32 n_vlib_mains
Definition: threads.h:272
ikev2_sa_free_proposal_vector
void ikev2_sa_free_proposal_vector(ikev2_sa_proposal_t **v)
Definition: ikev2.c:222
ipsec_add_del_tunnel_args_t::esn
u8 esn
Definition: ipsec.h:148
ipsec_main_t::sad
ipsec_sa_t * sad
Definition: ipsec.h:247
IKEV2_PAYLOAD_AUTH
#define IKEV2_PAYLOAD_AUTH
Definition: ikev2.h:98
ip4_main_t
IPv4 main type.
Definition: ip4.h:83
ikev2_payload_new_chain
#define ikev2_payload_new_chain(V)
Definition: ikev2_priv.h:325
ikev2_main_per_thread_data_t
Definition: ikev2_priv.h:259
IKEV2_PAYLOAD_SK
#define IKEV2_PAYLOAD_SK
Definition: ikev2.h:105
ikev2_rekey_t
Definition: ikev2_priv.h:159
ikev2_rekey_t::r_proposal
ikev2_sa_proposal_t * r_proposal
Definition: ikev2_priv.h:165
ikev2_sa_t::sk_ai
u8 * sk_ai
Definition: ikev2_priv.h:222
IKE_VERSION_2
#define IKE_VERSION_2
Definition: ikev2.h:80
ikev2_complete_dh
void ikev2_complete_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
Definition: ikev2_crypto.c:509
vec_append
#define vec_append(v1, v2)
Append v2 after v1.
Definition: vec.h:819
ip4_address_t::as_u8
u8 as_u8[4]
Definition: ip4_packet.h:54
vlib_buffer_advance
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
Definition: buffer.h:201
VLIB_NODE_FLAG_TRACE
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:260
ikev2_profile_t::handover
u32 handover
Definition: ikev2_priv.h:194
ikev2_sa_proposal_t
Definition: ikev2_priv.h:91
ikev2_rekey_t::spi
u32 spi
Definition: ikev2_priv.h:162
ikev2_node
static vlib_node_registration_t ikev2_node
(constructor) VLIB_REGISTER_NODE (ikev2_node)
Definition: ikev2.c:53
ikev2_sa_t::dh_group
u16 dh_group
Definition: ikev2_priv.h:210
ikev2_delete_t::spi
u32 spi
Definition: ikev2_priv.h:156
ikev2_child_sa_t::sk_ai
u8 * sk_ai
Definition: ikev2_priv.h:142
ikev2_notify_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:173
ikev2_rekey_t::i_proposal
ikev2_sa_proposal_t * i_proposal
Definition: ikev2_priv.h:164
IKEV2_PAYLOAD_TSI
#define IKEV2_PAYLOAD_TSI
Definition: ikev2.h:103
ikev2_auth_t::key
EVP_PKEY * key
Definition: ikev2_priv.h:58
ikev2_retransmit_resp
static int ikev2_retransmit_resp(ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:1993
uword
u64 uword
Definition: types.h:112
vlib_add_trace
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:55
clib_error_t
Definition: clib_error.h:21
ikev2_payload_chain_t::data
u8 * data
Definition: ikev2_priv.h:322
ikev2_sa_transform_t::encr_type
ikev2_transform_encr_type_t encr_type
Definition: ikev2_priv.h:73
ikev2_sa_t::last_res_packet_data
u8 * last_res_packet_data
Definition: ikev2_priv.h:249
udp_header_t::checksum
u16 checksum
Definition: udp_packet.h:53
ikev2_sa_transform_t::attrs
u8 * attrs
Definition: ikev2_priv.h:79
ikev2_sa_transform_t::integ_type
ikev2_transform_integ_type_t integ_type
Definition: ikev2_priv.h:75
ikev2_error_strings
static char * ikev2_error_strings[]
Definition: ikev2.c:71
u16
unsigned short u16
Definition: types.h:57
ikev2_delete_t
Definition: ikev2_priv.h:153
ikev2_sa_transform_t::key_len
u16 key_len
Definition: ikev2_priv.h:80
ikev2_process_sa_init_req
static void ikev2_process_sa_init_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:553
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
f64
double f64
Definition: types.h:142
ikev2_ts_t::start_port
u16 start_port
Definition: ikev2_priv.h:104
u8
unsigned char u8
Definition: types.h:56
ikev2_payload_chain_add_padding
void ikev2_payload_chain_add_padding(ikev2_payload_chain_t *c, int bs)
Definition: ikev2_payload.c:334
ikev2_sa_t::sk_pr
u8 * sk_pr
Definition: ikev2_priv.h:227
vlib_main_t
Definition: main.h:59
IKEV2_PAYLOAD_IDI
#define IKEV2_PAYLOAD_IDI
Definition: ikev2.h:96
ikev2_set_profile_ike_transforms
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2817
vlib_node_t
Definition: node.h:216
ikev2_sa_t::i_id
ikev2_id_t i_id
Definition: ikev2_priv.h:234
vlib_frame_vector_args
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:269
ikev2_process_create_child_sa_req
static void ikev2_process_create_child_sa_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike)
Definition: ikev2.c:1043
ikev2_child_sa_t::tsr
ikev2_ts_t * tsr
Definition: ikev2_priv.h:139
ikev2_sa_t::childs
ikev2_child_sa_t * childs
Definition: ikev2_priv.h:255
ikev2_sa_transform_t::prf_type
ikev2_transform_prf_type_t prf_type
Definition: ikev2_priv.h:74
ikev2_profile_t::name
u8 * name
Definition: ikev2_priv.h:180
IKEV2_EXCHANGE_IKE_AUTH
#define IKEV2_EXCHANGE_IKE_AUTH
Definition: ikev2.h:83
ikev2_notify_t
Definition: ikev2_priv.h:170
ikev2_rekey_t::ispi
u32 ispi
Definition: ikev2_priv.h:163
ikev2_ts_cmp
static int ikev2_ts_cmp(ikev2_ts_t *ts1, ikev2_ts_t *ts2)
Definition: ikev2.c:1227
vnet_buffer
#define vnet_buffer(b)
Definition: buffer.h:303
ikev2_init
clib_error_t * ikev2_init(vlib_main_t *vm)
Definition: ikev2.c:3260
ipsec_add_del_tunnel_args_t::is_add
u8 is_add
Definition: ipsec.h:147
ikev2_error_t
ikev2_error_t
Definition: ikev2.c:63
VLIB_REGISTER_NODE
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:144
ip4_main
ip4_main_t ip4_main
Global ip4 main structure.
Definition: ip4_forward.c:1168
ikev2_cli_init
clib_error_t * ikev2_cli_init(vlib_main_t *vm)
Definition: ikev2_cli.c:589
vlib_get_thread_main
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
ikev2_mngr_process_child_sa
static u8 ikev2_mngr_process_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *csa)
Definition: ikev2.c:3295
ikev2_main_t::sa_by_ispi
uword * sa_by_ispi
Definition: ikev2_priv.h:289
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:184
udp_header_t::length
u16 length
Definition: udp_packet.h:49
ikev2_sa_t::unsupported_cp
u8 unsupported_cp
Definition: ikev2_priv.h:200
ikev2_responder_t::sw_if_index
u32 sw_if_index
Definition: ikev2_priv.h:112
ikev2_sa_t::ispi
u64 ispi
Definition: ikev2_priv.h:204
ikev2_sa_free_all_child_sa
static void ikev2_sa_free_all_child_sa(ikev2_child_sa_t **childs)
Definition: ikev2.c:242
vlib_node_runtime_t::flags
u16 flags
Copy of main node flags.
Definition: node.h:454
ipsec_add_del_tunnel_if
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
Definition: ipsec_if.c:105
ikev2_select_proposal
static ikev2_sa_proposal_t * ikev2_select_proposal(ikev2_sa_proposal_t *proposals, ikev2_protocol_id_t prot_id)
Definition: ikev2.c:113
ikev2_child_sa_t::time_to_expiration
f64 time_to_expiration
Definition: ikev2_priv.h:148
udp_register_dst_port
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:488
vlib_put_frame_to_node
void vlib_put_frame_to_node(vlib_main_t *vm, u32 to_node_index, vlib_frame_t *f)
Definition: main.c:196
IKEV2_STATE_DELETED
Definition: ikev2_priv.h:45
ip4_address_t::as_u32
u32 as_u32
Definition: ip4_packet.h:56
ip4_header_t::ip_version_and_header_length
u8 ip_version_and_header_length
Definition: ip4_packet.h:132
ip_interface_address_get_address
static void * ip_interface_address_get_address(ip_lookup_main_t *lm, ip_interface_address_t *a)
Definition: lookup.h:172
ikev2_transform_type_t
ikev2_transform_type_t
Definition: ikev2.h:203
ikev2_notify_t::spi
u32 spi
Definition: ikev2_priv.h:174
ikev2_profile_t::esp_ts
ikev2_transforms_set esp_ts
Definition: ikev2_priv.h:190
ikev2_crypto_init
void ikev2_crypto_init(ikev2_main_t *km)
Definition: ikev2_crypto.c:664
vlib_buffer_t::flags
u32 flags
buffer flags: VLIB_BUFFER_IS_TRACED: trace this buffer.
Definition: buffer.h:74
ipsec_add_del_tunnel_args_t::anti_replay
u8 anti_replay
Definition: ipsec.h:149
ikev2_payload_add_ts
void ikev2_payload_add_ts(ikev2_payload_chain_t *c, ikev2_ts_t *ts, u8 type)
Definition: ikev2_payload.c:303
vlib_buffer_alloc
static u32 vlib_buffer_alloc(vlib_main_t *vm, u32 *buffers, u32 n_buffers)
Allocate buffers into supplied array.
Definition: buffer_funcs.h:245
ip4_header_t
Definition: ip4_packet.h:126
ikev2_main_t::vlib_main
vlib_main_t * vlib_main
Definition: ikev2_priv.h:283
ikev2_decrypt_data
v8 * ikev2_decrypt_data(ikev2_sa_t *sa, u8 *data, int len)
Definition: ikev2_crypto.c:340
ikev2_sa_free_all_vec
static void ikev2_sa_free_all_vec(ikev2_sa_t *sa)
Definition: ikev2.c:272
IKEV2_STATE_TS_UNACCEPTABLE
Definition: ikev2_priv.h:49
vlib_get_buffer
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
Definition: buffer_funcs.h:57
ip4_header_checksum
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:239
ikev2_calc_sign
u8 * ikev2_calc_sign(EVP_PKEY *pkey, u8 *data)
Definition: ikev2_crypto.c:594
ikev2_calc_integr
v8 * ikev2_calc_integr(ikev2_sa_transform_t *tr, v8 *key, u8 *data, int len)
Definition: ikev2_crypto.c:317
format_ikev2_id_type
u8 * format_ikev2_id_type(u8 *s, va_list *args)
VLIB_RX
Definition: defs.h:46
foreach_ikev2_error
#define foreach_ikev2_error
Definition: ikev2.c:55
ipsec_add_del_tunnel_args_t::local_integ_key
u8 local_integ_key[128]
Definition: ipsec.h:160
ikev2_sa_transform_t::key_trunc
u16 key_trunc
Definition: ikev2_priv.h:81
ikev2_trace_t::sw_if_index
u32 sw_if_index
Definition: ikev2.c:38
ikev2_payload_add_notify_2
void ikev2_payload_add_notify_2(ikev2_payload_chain_t *c, u16 msg_type, u8 *data, ikev2_notify_t *notify)
Definition: ikev2_payload.c:140
ikev2_parse_delete_payload
ikev2_delete_t * ikev2_parse_delete_payload(ike_payload_header_t *ikep)
Definition: ikev2_payload.c:513