From f40a354daba1141a60dbb10b862672ea11270de8 Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Wed, 24 Jan 2024 16:31:47 +0200 Subject: ikev2: dump state and profile name in CLI and API Type: improvement Change-Id: Ide4b45da99e3a67376281f6438997f3148be08e5 Signed-off-by: Denys Haryachyy --- src/plugins/ikev2/ikev2.api | 23 ++++++++ src/plugins/ikev2/ikev2_api.c | 116 ++++++++++++++++++++++++++++++++++++++ src/plugins/ikev2/ikev2_cli.c | 7 +++ src/plugins/ikev2/ikev2_test.c | 74 +++++++++++++++++++++++- src/plugins/ikev2/ikev2_types.api | 37 ++++++++++++ test/test_ikev2.py | 89 +++++++++++++++++++++++++++++ 6 files changed, 344 insertions(+), 2 deletions(-) diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api index ff9ed72e888..58b7fc05d9e 100644 --- a/src/plugins/ikev2/ikev2.api +++ b/src/plugins/ikev2/ikev2.api @@ -76,6 +76,16 @@ define ikev2_sa_dump option status = "in_progress"; }; +/** \brief Dump all SAs + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define ikev2_sa_v2_dump +{ + u32 client_index; + u32 context; +}; + /** \brief Details about IKE SA @param context - sender context, to match reply w/ request @param retval - return code @@ -90,6 +100,19 @@ define ikev2_sa_details option status = "in_progress"; }; +/** \brief Details about IKE SA + @param context - sender context, to match reply w/ request + @param retval - return code + @param sa - SA data +*/ +define ikev2_sa_v2_details +{ + u32 context; + i32 retval; + + vl_api_ikev2_sa_v2_t sa; +}; + /** \brief Dump child SA of specific SA @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/plugins/ikev2/ikev2_api.c b/src/plugins/ikev2/ikev2_api.c index 6485b6d85c1..975212d4f92 100644 --- a/src/plugins/ikev2/ikev2_api.c +++ b/src/plugins/ikev2/ikev2_api.c @@ -207,6 +207,32 @@ ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src) dst->n_sa_auth_req = src->n_sa_auth_req; } +static vl_api_ikev2_state_t +ikev2_state_encode (ikev2_state_t state) +{ + switch (state) + { + case IKEV2_STATE_UNKNOWN: + return UNKNOWN; + case IKEV2_STATE_SA_INIT: + return SA_INIT; + case IKEV2_STATE_DELETED: + return DELETED; + case IKEV2_STATE_AUTH_FAILED: + return AUTH_FAILED; + case IKEV2_STATE_AUTHENTICATED: + return AUTHENTICATED; + case IKEV2_STATE_NOTIFY_AND_DELETE: + return NOTIFY_AND_DELETE; + case IKEV2_STATE_TS_UNACCEPTABLE: + return TS_UNACCEPTABLE; + case IKEV2_STATE_NO_PROPOSAL_CHOSEN: + return NO_PROPOSAL_CHOSEN; + } + + return UNKNOWN; +} + static void send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index) { @@ -293,6 +319,96 @@ vl_api_ikev2_sa_dump_t_handler (vl_api_ikev2_sa_dump_t * mp) } } +static void +send_sa_v2 (ikev2_sa_t *sa, vl_api_ikev2_sa_v2_dump_t *mp, u32 api_sa_index) +{ + ikev2_main_t *km = &ikev2_main; + vl_api_ikev2_sa_v2_details_t *rmp = 0; + int rv = 0; + ikev2_sa_transform_t *tr; + ikev2_profile_t *p; + p = pool_elt_at_index (km->profiles, sa->profile_index); + + REPLY_MACRO2_ZERO (VL_API_IKEV2_SA_V2_DETAILS, { + vl_api_ikev2_sa_v2_t *rsa = &rmp->sa; + vl_api_ikev2_keys_t *k = &rsa->keys; + + int size_data = sizeof (rsa->profile_name) - 1; + if (vec_len (p->name) < size_data) + size_data = vec_len (p->name); + clib_memcpy (rsa->profile_name, p->name, size_data); + + rsa->state = ikev2_state_encode (sa->state); + + rsa->sa_index = api_sa_index; + ip_address_encode2 (&sa->iaddr, &rsa->iaddr); + ip_address_encode2 (&sa->raddr, &rsa->raddr); + rsa->ispi = sa->ispi; + rsa->rspi = sa->rspi; + cp_id (&rsa->i_id, &sa->i_id); + cp_id (&rsa->r_id, &sa->r_id); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); + if (tr) + cp_sa_transform (&rsa->encryption, tr); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); + if (tr) + cp_sa_transform (&rsa->prf, tr); + + tr = + ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); + if (tr) + cp_sa_transform (&rsa->integrity, tr); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); + if (tr) + cp_sa_transform (&rsa->dh, tr); + + k->sk_d_len = vec_len (sa->sk_d); + clib_memcpy (&k->sk_d, sa->sk_d, k->sk_d_len); + + k->sk_ai_len = vec_len (sa->sk_ai); + clib_memcpy (&k->sk_ai, sa->sk_ai, k->sk_ai_len); + + k->sk_ar_len = vec_len (sa->sk_ar); + clib_memcpy (&k->sk_ar, sa->sk_ar, k->sk_ar_len); + + k->sk_ei_len = vec_len (sa->sk_ei); + clib_memcpy (&k->sk_ei, sa->sk_ei, k->sk_ei_len); + + k->sk_er_len = vec_len (sa->sk_er); + clib_memcpy (&k->sk_er, sa->sk_er, k->sk_er_len); + + k->sk_pi_len = vec_len (sa->sk_pi); + clib_memcpy (&k->sk_pi, sa->sk_pi, k->sk_pi_len); + + k->sk_pr_len = vec_len (sa->sk_pr); + clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len); + + ikev2_copy_stats (&rsa->stats, &sa->stats); + + vl_api_ikev2_sa_v2_t_endian (rsa); + }); +} + +static void +vl_api_ikev2_sa_v2_dump_t_handler (vl_api_ikev2_sa_v2_dump_t *mp) +{ + ikev2_main_t *km = &ikev2_main; + ikev2_main_per_thread_data_t *tkm; + ikev2_sa_t *sa; + + vec_foreach (tkm, km->per_thread_data) + { + pool_foreach (sa, tkm->sas) + { + u32 api_sa_index = + ikev2_encode_sa_index (sa - tkm->sas, tkm - km->per_thread_data); + send_sa_v2 (sa, mp, api_sa_index); + } + } +} static void send_child_sa (ikev2_child_sa_t * child, diff --git a/src/plugins/ikev2/ikev2_cli.c b/src/plugins/ikev2/ikev2_cli.c index 285a8993311..e5516f834f4 100644 --- a/src/plugins/ikev2/ikev2_cli.c +++ b/src/plugins/ikev2/ikev2_cli.c @@ -136,6 +136,11 @@ format_ikev2_sa (u8 * s, va_list * va) ikev2_child_sa_t *child; u32 indent = 1; + ikev2_main_t *km = &ikev2_main; + ikev2_profile_t *p; + + p = pool_elt_at_index (km->profiles, sa->profile_index); + s = format (s, "iip %U ispi %lx rip %U rspi %lx", format_ip_address, &sa->iaddr, sa->ispi, format_ip_address, &sa->raddr, sa->rspi); @@ -156,6 +161,8 @@ format_ikev2_sa (u8 * s, va_list * va) tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); s = format (s, "%U", format_ikev2_sa_transform, tr); + s = format (s, "\n profile: %v", p->name); + if (sa->state <= IKEV2_STATE_NO_PROPOSAL_CHOSEN) { s = format (s, "\n state: %s", stateNames[sa->state]); diff --git a/src/plugins/ikev2/ikev2_test.c b/src/plugins/ikev2/ikev2_test.c index 9f572813565..18d01dc6ffb 100644 --- a/src/plugins/ikev2/ikev2_test.c +++ b/src/plugins/ikev2/ikev2_test.c @@ -396,8 +396,78 @@ vl_api_ikev2_sa_details_t_handler (vl_api_ikev2_sa_details_t * mp) ip_address_decode2 (&sa->iaddr, &iaddr); ip_address_decode2 (&sa->raddr, &raddr); - fformat (vam->ofp, "profile index %d sa index: %d\n", - mp->sa.profile_index, mp->sa.sa_index); + fformat (vam->ofp, "profile index %u sa index: %d\n", mp->sa.profile_index, + mp->sa.sa_index); + fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address, + &iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi); + fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption); + fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->prf); + fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->integrity); + fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &sa->dh); + + fformat (vam->ofp, " SK_d %U\n", format_hex_bytes, k->sk_d, k->sk_d_len); + + fformat (vam->ofp, " SK_a i:%U\n r:%U\n", format_hex_bytes, + k->sk_ai, k->sk_ai_len, format_hex_bytes, k->sk_ar, k->sk_ar_len); + + fformat (vam->ofp, " SK_e i:%U\n r:%U\n", format_hex_bytes, + k->sk_ei, k->sk_ei_len, format_hex_bytes, k->sk_er, k->sk_er_len); + + fformat (vam->ofp, " SK_p i:%U\n r:%U\n", format_hex_bytes, + k->sk_pi, k->sk_pi_len, format_hex_bytes, k->sk_pr, k->sk_pr_len); + + fformat (vam->ofp, " identifier (i) %U\n", format_ikev2_id_type_and_data, + &sa->i_id); + fformat (vam->ofp, " identifier (r) %U\n", format_ikev2_id_type_and_data, + &sa->r_id); + + vam->result_ready = 1; +} + +static int +api_ikev2_sa_v2_dump (vat_main_t *vam) +{ + ikev2_test_main_t *im = &ikev2_test_main; + vl_api_ikev2_sa_v2_dump_t *mp; + vl_api_control_ping_t *mp_ping; + int ret; + + /* Construct the API message */ + M (IKEV2_SA_V2_DUMP, mp); + + /* send it... */ + S (mp); + + /* Use a control ping for synchronization */ + if (!im->ping_id) + im->ping_id = vl_msg_api_get_msg_index ((u8 *) (VL_API_CONTROL_PING_CRC)); + mp_ping = vl_msg_api_alloc_as_if_client (sizeof (*mp_ping)); + mp_ping->_vl_msg_id = htons (im->ping_id); + mp_ping->client_index = vam->my_client_index; + vam->result_ready = 0; + + S (mp_ping); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static void +vl_api_ikev2_sa_v2_details_t_handler (vl_api_ikev2_sa_v2_details_t *mp) +{ + vat_main_t *vam = ikev2_test_main.vat_main; + vl_api_ikev2_sa_v2_t *sa = &mp->sa; + ip_address_t iaddr; + ip_address_t raddr; + vl_api_ikev2_keys_t *k = &sa->keys; + vl_api_ikev2_sa_v2_t_endian (sa); + + ip_address_decode2 (&sa->iaddr, &iaddr); + ip_address_decode2 (&sa->raddr, &raddr); + + fformat (vam->ofp, "profile name %s sa index: %d\n", mp->sa.profile_name, + mp->sa.sa_index); fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address, &iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi); fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption); diff --git a/src/plugins/ikev2/ikev2_types.api b/src/plugins/ikev2/ikev2_types.api index b279026c2b9..f0e50165501 100644 --- a/src/plugins/ikev2/ikev2_types.api +++ b/src/plugins/ikev2/ikev2_types.api @@ -138,6 +138,18 @@ typedef ikev2_sa_stats u16 n_init_sa_retransmit; }; +enum ikev2_state +{ + UNKNOWN, + SA_INIT, + DELETED, + AUTH_FAILED, + AUTHENTICATED, + NOTIFY_AND_DELETE, + TS_UNACCEPTABLE, + NO_PROPOSAL_CHOSEN, +}; + typedef ikev2_sa { u32 sa_index; @@ -161,3 +173,28 @@ typedef ikev2_sa vl_api_ikev2_sa_stats_t stats; }; + +typedef ikev2_sa_v2 +{ + u32 sa_index; + string profile_name[64]; + vl_api_ikev2_state_t state; + + u64 ispi; + u64 rspi; + vl_api_address_t iaddr; + vl_api_address_t raddr; + + vl_api_ikev2_keys_t keys; + + /* ID */ + vl_api_ikev2_id_t i_id; + vl_api_ikev2_id_t r_id; + + vl_api_ikev2_sa_transform_t encryption; + vl_api_ikev2_sa_transform_t integrity; + vl_api_ikev2_sa_transform_t prf; + vl_api_ikev2_sa_transform_t dh; + + vl_api_ikev2_sa_stats_t stats; +}; \ No newline at end of file diff --git a/test/test_ikev2.py b/test/test_ikev2.py index d2b4c691f85..be788d86b3f 100644 --- a/test/test_ikev2.py +++ b/test/test_ikev2.py @@ -662,6 +662,8 @@ class IkePeer(VppTestCase): self.initiate_del_sa_from_initiator() r = self.vapi.ikev2_sa_dump() self.assertEqual(len(r), 0) + r = self.vapi.ikev2_sa_v2_dump() + self.assertEqual(len(r), 0) sas = self.vapi.ipsec_sa_dump() self.assertEqual(len(sas), 0) self.p.remove_vpp_config() @@ -968,6 +970,76 @@ class IkePeer(VppTestCase): self.assertEqual(len(r), 1) self.verify_ts(r[0].ts, tsr[0], False) + def verify_ike_sas_v2(self): + r = self.vapi.ikev2_sa_v2_dump() + self.assertEqual(len(r), 1) + sa = r[0].sa + self.assertEqual(self.p.profile_name, sa.profile_name) + self.assertEqual(self.sa.ispi, (sa.ispi).to_bytes(8, "big")) + self.assertEqual(self.sa.rspi, (sa.rspi).to_bytes(8, "big")) + if self.ip6: + if self.sa.is_initiator: + self.assertEqual(sa.iaddr, IPv6Address(self.pg0.remote_ip6)) + self.assertEqual(sa.raddr, IPv6Address(self.pg0.local_ip6)) + else: + self.assertEqual(sa.iaddr, IPv6Address(self.pg0.local_ip6)) + self.assertEqual(sa.raddr, IPv6Address(self.pg0.remote_ip6)) + else: + if self.sa.is_initiator: + self.assertEqual(sa.iaddr, IPv4Address(self.pg0.remote_ip4)) + self.assertEqual(sa.raddr, IPv4Address(self.pg0.local_ip4)) + else: + self.assertEqual(sa.iaddr, IPv4Address(self.pg0.local_ip4)) + self.assertEqual(sa.raddr, IPv4Address(self.pg0.remote_ip4)) + self.verify_keymat(sa.keys, self.sa, "sk_d") + self.verify_keymat(sa.keys, self.sa, "sk_ai") + self.verify_keymat(sa.keys, self.sa, "sk_ar") + self.verify_keymat(sa.keys, self.sa, "sk_ei") + self.verify_keymat(sa.keys, self.sa, "sk_er") + self.verify_keymat(sa.keys, self.sa, "sk_pi") + self.verify_keymat(sa.keys, self.sa, "sk_pr") + + self.assertEqual(sa.i_id.type, self.sa.id_type) + self.assertEqual(sa.r_id.type, self.sa.id_type) + self.assertEqual(sa.i_id.data_len, len(self.sa.i_id)) + self.assertEqual(sa.r_id.data_len, len(self.idr)) + self.assertEqual(bytes(sa.i_id.data, "ascii"), self.sa.i_id) + self.assertEqual(bytes(sa.r_id.data, "ascii"), self.idr) + + r = self.vapi.ikev2_child_sa_dump(sa_index=sa.sa_index) + self.assertEqual(len(r), 1) + csa = r[0].child_sa + self.assertEqual(csa.sa_index, sa.sa_index) + c = self.sa.child_sas[0] + if hasattr(c, "sk_ai"): + self.verify_keymat(csa.keys, c, "sk_ai") + self.verify_keymat(csa.keys, c, "sk_ar") + self.verify_keymat(csa.keys, c, "sk_ei") + self.verify_keymat(csa.keys, c, "sk_er") + self.assertEqual(csa.i_spi.to_bytes(4, "big"), c.ispi) + self.assertEqual(csa.r_spi.to_bytes(4, "big"), c.rspi) + + tsi, tsr = self.sa.generate_ts(self.p.ts_is_ip4) + tsi = tsi[0] + tsr = tsr[0] + r = self.vapi.ikev2_traffic_selector_dump( + is_initiator=True, sa_index=sa.sa_index, child_sa_index=csa.child_sa_index + ) + self.assertEqual(len(r), 1) + ts = r[0].ts + self.verify_ts(r[0].ts, tsi[0], True) + + r = self.vapi.ikev2_traffic_selector_dump( + is_initiator=False, sa_index=sa.sa_index, child_sa_index=csa.child_sa_index + ) + self.assertEqual(len(r), 1) + self.verify_ts(r[0].ts, tsr[0], False) + + n = self.vapi.ikev2_nonce_get(is_initiator=True, sa_index=sa.sa_index) + self.verify_nonce(n, self.sa.i_nonce) + n = self.vapi.ikev2_nonce_get(is_initiator=False, sa_index=sa.sa_index) + self.verify_nonce(n, self.sa.r_nonce) + def verify_nonce(self, api_nonce, nonce): self.assertEqual(api_nonce.data_len, len(nonce)) self.assertEqual(api_nonce.nonce, nonce) @@ -1289,6 +1361,7 @@ class TemplateInitiator(IkePeer): self.sa.calc_child_keys() self.send_auth_response() self.verify_ike_sas() + self.verify_ike_sas_v2() class TemplateResponder(IkePeer): @@ -1598,11 +1671,17 @@ class TemplateResponder(IkePeer): self.assertEqual(1, s.n_sa_auth_req) self.assertEqual(1, s.n_sa_init_req) + r = self.vapi.ikev2_sa_v2_dump() + s = r[0].sa.stats + self.assertEqual(1, s.n_sa_auth_req) + self.assertEqual(1, s.n_sa_init_req) + def test_responder(self): self.send_sa_init_req() self.send_sa_auth() self.verify_ipsec_sas() self.verify_ike_sas() + self.verify_ike_sas_v2() self.verify_counters() @@ -2063,6 +2142,7 @@ class TestInitiatorRequestWindowSize(TestInitiatorPsk): # verify that only the second request was accepted self.verify_ike_sas() + self.verify_ike_sas_v2() self.verify_ipsec_sas(is_rekey=True) @@ -2107,6 +2187,7 @@ class TestInitiatorRekey(TestInitiatorPsk): super(TestInitiatorRekey, self).test_initiator() self.rekey_from_initiator() self.verify_ike_sas() + self.verify_ike_sas_v2() self.verify_ipsec_sas(is_rekey=True) @@ -2188,6 +2269,8 @@ class TestResponderDpd(TestResponderPsk): time.sleep(3) ike_sas = self.vapi.ikev2_sa_dump() self.assertEqual(len(ike_sas), 0) + ike_sas = self.vapi.ikev2_sa_v2_dump() + self.assertEqual(len(ike_sas), 0) ipsec_sas = self.vapi.ipsec_sa_dump() self.assertEqual(len(ipsec_sas), 0) @@ -2225,10 +2308,13 @@ class TestResponderRekey(TestResponderPsk): super(TestResponderRekey, self).test_responder() self.process_rekey_response(self.send_rekey_from_initiator()) self.verify_ike_sas() + self.verify_ike_sas_v2() self.verify_ipsec_sas(is_rekey=True) self.assert_counter(1, "rekey_req", "ip4") r = self.vapi.ikev2_sa_dump() self.assertEqual(r[0].sa.stats.n_rekey_req, 1) + r = self.vapi.ikev2_sa_v2_dump() + self.assertEqual(r[0].sa.stats.n_rekey_req, 1) @tag_fixme_vpp_workers @@ -2253,6 +2339,7 @@ class TestResponderRekeyRepeat(TestResponderRekey): self.fail("old IPsec SA not expired") self.process_rekey_response(self.send_rekey_from_initiator()) self.verify_ike_sas() + self.verify_ike_sas_v2() self.verify_ipsec_sas(sa_count=3) @@ -2456,6 +2543,8 @@ class TestInitiatorKeepaliveMsg(TestInitiatorPsk): self.assert_counter(1, "keepalive", "ip4") r = self.vapi.ikev2_sa_dump() self.assertEqual(1, r[0].sa.stats.n_keepalives) + r = self.vapi.ikev2_sa_v2_dump() + self.assertEqual(1, r[0].sa.stats.n_keepalives) def test_initiator(self): super(TestInitiatorKeepaliveMsg, self).test_initiator() -- cgit 1.2.3-korg