diff options
author | Neale Ranns <nranns@cisco.com> | 2019-02-25 10:28:29 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-02-25 19:37:09 +0000 |
commit | 7c44d78ef2e7bf0c8714be4184511ed8f23ff239 (patch) | |
tree | b09f294ebe6365bd38ed0dc7ef4c696cd7630de0 /src/vnet/ipsec | |
parent | f883f6a1132ad4bb7aa9d9a79d420274fbcf3b64 (diff) |
IKEv2 to plugin
for easy integration with ptoducts running their own Ike stack.
Without the VPP IKE plugin loaded, the product is free to handle
IKE packets as it pleases.
Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r-- | src/vnet/ipsec/ikev2.c | 3477 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2.h | 435 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2_cli.c | 602 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2_crypto.c | 1076 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2_format.c | 155 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2_payload.c | 550 | ||||
-rw-r--r-- | src/vnet/ipsec/ikev2_priv.h | 362 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 247 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 356 |
10 files changed, 19 insertions, 7245 deletions
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c deleted file mode 100644 index d85feee4274..00000000000 --- a/src/vnet/ipsec/ikev2.c +++ /dev/null @@ -1,3477 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vlib/vlib.h> -#include <vnet/vnet.h> -#include <vnet/pg/pg.h> -#include <vppinfra/error.h> -#include <vppinfra/random.h> -#include <vnet/udp/udp.h> -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/ikev2.h> -#include <vnet/ipsec/ikev2_priv.h> -#include <openssl/sha.h> - -ikev2_main_t ikev2_main; - -static int ikev2_delete_tunnel_interface (vnet_main_t * vnm, - ikev2_sa_t * sa, - ikev2_child_sa_t * child); - -#define ikev2_set_state(sa, v) do { \ - (sa)->state = v; \ - clib_warning("sa state changed to " #v); \ - } while(0); - -typedef struct -{ - u32 next_index; - u32 sw_if_index; -} ikev2_trace_t; - -static u8 * -format_ikev2_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - ikev2_trace_t *t = va_arg (*args, ikev2_trace_t *); - - s = format (s, "ikev2: sw_if_index %d, next index %d", - t->sw_if_index, t->next_index); - return s; -} - -static vlib_node_registration_t ikev2_node; - -#define foreach_ikev2_error \ -_(PROCESSED, "IKEv2 packets processed") \ -_(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \ -_(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \ -_(IKE_REQ_RETRANSMIT, "IKE request retransmit") \ -_(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \ -_(NOT_IKEV2, "Non IKEv2 packets received") - -typedef enum -{ -#define _(sym,str) IKEV2_ERROR_##sym, - foreach_ikev2_error -#undef _ - IKEV2_N_ERROR, -} ikev2_error_t; - -static char *ikev2_error_strings[] = { -#define _(sym,string) string, - foreach_ikev2_error -#undef _ -}; - -typedef enum -{ - IKEV2_NEXT_IP4_LOOKUP, - IKEV2_NEXT_ERROR_DROP, - IKEV2_N_NEXT, -} ikev2_next_t; - -static ikev2_sa_transform_t * -ikev2_find_transform_data (ikev2_sa_transform_t * t) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_sa_transform_t *td; - - vec_foreach (td, km->supported_transforms) - { - if (td->type != t->type) - continue; - - if (td->transform_id != t->transform_id) - continue; - - if (td->type == IKEV2_TRANSFORM_TYPE_ENCR) - { - if (vec_len (t->attrs) != 4 || t->attrs[0] != 0x80 - || t->attrs[1] != 14) - continue; - - if (((t->attrs[2] << 8 | t->attrs[3]) / 8) != td->key_len) - continue; - } - return td; - } - return 0; -} - -static ikev2_sa_proposal_t * -ikev2_select_proposal (ikev2_sa_proposal_t * proposals, - ikev2_protocol_id_t prot_id) -{ - ikev2_sa_proposal_t *rv = 0; - ikev2_sa_proposal_t *proposal; - ikev2_sa_transform_t *transform, *new_t; - u8 mandatory_bitmap, optional_bitmap; - - if (prot_id == IKEV2_PROTOCOL_IKE) - { - mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) | - (1 << IKEV2_TRANSFORM_TYPE_PRF) | - (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH); - optional_bitmap = mandatory_bitmap; - } - else if (prot_id == IKEV2_PROTOCOL_ESP) - { - mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) | - (1 << IKEV2_TRANSFORM_TYPE_ESN); - optional_bitmap = mandatory_bitmap | - (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH); - } - else if (prot_id == IKEV2_PROTOCOL_AH) - { - mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) | - (1 << IKEV2_TRANSFORM_TYPE_ESN); - optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH); - } - else - return 0; - - vec_add2 (rv, proposal, 1); - - vec_foreach (proposal, proposals) - { - u8 bitmap = 0; - if (proposal->protocol_id != prot_id) - continue; - - vec_foreach (transform, proposal->transforms) - { - if ((1 << transform->type) & bitmap) - continue; - - if (ikev2_find_transform_data (transform)) - { - bitmap |= 1 << transform->type; - vec_add2 (rv->transforms, new_t, 1); - clib_memcpy_fast (new_t, transform, sizeof (*new_t)); - new_t->attrs = vec_dup (transform->attrs); - } - } - - clib_warning ("bitmap is %x mandatory is %x optional is %x", - bitmap, mandatory_bitmap, optional_bitmap); - - if ((bitmap & mandatory_bitmap) == mandatory_bitmap && - (bitmap & ~optional_bitmap) == 0) - { - rv->proposal_num = proposal->proposal_num; - rv->protocol_id = proposal->protocol_id; - RAND_bytes ((u8 *) & rv->spi, sizeof (rv->spi)); - goto done; - } - else - { - vec_free (rv->transforms); - } - } - - vec_free (rv); -done: - return rv; -} - -ikev2_sa_transform_t * -ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p, - ikev2_transform_type_t type) -{ - ikev2_sa_transform_t *t; - - if (!p) - return 0; - - vec_foreach (t, p->transforms) - { - if (t->type == type) - return ikev2_find_transform_data (t); - } - return 0; -} - -ikev2_child_sa_t * -ikev2_sa_get_child (ikev2_sa_t * sa, u32 spi, ikev2_protocol_id_t prot_id, - int by_initiator) -{ - ikev2_child_sa_t *c; - vec_foreach (c, sa->childs) - { - ikev2_sa_proposal_t *proposal = - by_initiator ? &c->i_proposals[0] : &c->r_proposals[0]; - if (proposal && proposal->spi == spi && proposal->protocol_id == prot_id) - return c; - } - - return 0; -} - -void -ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v) -{ - ikev2_sa_proposal_t *p; - ikev2_sa_transform_t *t; - - if (!*v) - return; - - vec_foreach (p, *v) - { - vec_foreach (t, p->transforms) - { - vec_free (t->attrs); - } - vec_free (p->transforms); - } - vec_free (*v); -}; - -static void -ikev2_sa_free_all_child_sa (ikev2_child_sa_t ** childs) -{ - ikev2_child_sa_t *c; - vec_foreach (c, *childs) - { - ikev2_sa_free_proposal_vector (&c->r_proposals); - ikev2_sa_free_proposal_vector (&c->i_proposals); - vec_free (c->sk_ai); - vec_free (c->sk_ar); - vec_free (c->sk_ei); - vec_free (c->sk_er); - } - - vec_free (*childs); -} - -static void -ikev2_sa_del_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * child) -{ - ikev2_sa_free_proposal_vector (&child->r_proposals); - ikev2_sa_free_proposal_vector (&child->i_proposals); - vec_free (child->sk_ai); - vec_free (child->sk_ar); - vec_free (child->sk_ei); - vec_free (child->sk_er); - - vec_del1 (sa->childs, child - sa->childs); -} - -static void -ikev2_sa_free_all_vec (ikev2_sa_t * sa) -{ - vec_free (sa->i_nonce); - vec_free (sa->i_dh_data); - vec_free (sa->dh_shared_key); - vec_free (sa->dh_private_key); - - ikev2_sa_free_proposal_vector (&sa->r_proposals); - ikev2_sa_free_proposal_vector (&sa->i_proposals); - - vec_free (sa->sk_d); - vec_free (sa->sk_ai); - vec_free (sa->sk_ar); - vec_free (sa->sk_ei); - vec_free (sa->sk_er); - vec_free (sa->sk_pi); - vec_free (sa->sk_pr); - - vec_free (sa->i_id.data); - vec_free (sa->i_auth.data); - vec_free (sa->r_id.data); - vec_free (sa->r_auth.data); - if (sa->r_auth.key) - EVP_PKEY_free (sa->r_auth.key); - - vec_free (sa->del); - - ikev2_sa_free_all_child_sa (&sa->childs); -} - -static void -ikev2_delete_sa (ikev2_sa_t * sa) -{ - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - uword *p; - - ikev2_sa_free_all_vec (sa); - - p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi); - if (p) - { - hash_unset (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi); - pool_put (km->per_thread_data[thread_index].sas, sa); - } -} - -static void -ikev2_generate_sa_init_data (ikev2_sa_t * sa) -{ - ikev2_sa_transform_t *t = 0, *t2; - ikev2_main_t *km = &ikev2_main; - - if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE) - { - return; - } - - /* check if received DH group is on our list of supported groups */ - vec_foreach (t2, km->supported_transforms) - { - if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type) - { - t = t2; - break; - } - } - - if (!t) - { - clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group, - vec_len (sa->i_dh_data)); - sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE; - return; - } - - if (sa->is_initiator) - { - /* generate rspi */ - RAND_bytes ((u8 *) & sa->ispi, 8); - - /* generate nonce */ - sa->i_nonce = vec_new (u8, IKEV2_NONCE_SIZE); - RAND_bytes ((u8 *) sa->i_nonce, IKEV2_NONCE_SIZE); - } - else - { - /* generate rspi */ - RAND_bytes ((u8 *) & sa->rspi, 8); - - /* generate nonce */ - sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE); - RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE); - } - - /* generate dh keys */ - ikev2_generate_dh (sa, t); - -} - -static void -ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai) -{ - ikev2_sa_transform_t *t = 0, *t2; - ikev2_main_t *km = &ikev2_main; - - - /*move some data to the new SA */ -#define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;}) - sa->i_nonce = _(sai->i_nonce); - sa->i_dh_data = _(sai->i_dh_data); - sa->dh_private_key = _(sai->dh_private_key); - sa->iaddr.as_u32 = sai->iaddr.as_u32; - sa->raddr.as_u32 = sai->raddr.as_u32; - sa->is_initiator = sai->is_initiator; - sa->profile = sai->profile; - sa->i_id.type = sai->i_id.type; - sa->i_id.data = _(sai->i_id.data); - sa->i_auth.method = sai->i_auth.method; - sa->i_auth.hex = sai->i_auth.hex; - sa->i_auth.data = _(sai->i_auth.data); - sa->i_auth.key = _(sai->i_auth.key); - sa->last_sa_init_req_packet_data = _(sai->last_sa_init_req_packet_data); - sa->childs = _(sai->childs); -#undef _ - - - if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE) - { - return; - } - - /* check if received DH group is on our list of supported groups */ - vec_foreach (t2, km->supported_transforms) - { - if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type) - { - t = t2; - break; - } - } - - if (!t) - { - clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group, - vec_len (sa->i_dh_data)); - sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE; - return; - } - - - /* generate dh keys */ - ikev2_complete_dh (sa, t); - -} - -static void -ikev2_calc_keys (ikev2_sa_t * sa) -{ - u8 *tmp; - /* calculate SKEYSEED = prf(Ni | Nr, g^ir) */ - u8 *skeyseed = 0; - u8 *s = 0; - ikev2_sa_transform_t *tr_encr, *tr_prf, *tr_integ; - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - tr_prf = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - tr_integ = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - - vec_append (s, sa->i_nonce); - vec_append (s, sa->r_nonce); - skeyseed = ikev2_calc_prf (tr_prf, s, sa->dh_shared_key); - - /* Calculate S = Ni | Nr | SPIi | SPIr */ - u64 *spi; - vec_add2 (s, tmp, 2 * sizeof (*spi)); - spi = (u64 *) tmp; - spi[0] = clib_host_to_net_u64 (sa->ispi); - spi[1] = clib_host_to_net_u64 (sa->rspi); - - /* calculate PRFplus */ - u8 *keymat; - int len = tr_prf->key_trunc + /* SK_d */ - tr_integ->key_len * 2 + /* SK_ai, SK_ar */ - tr_encr->key_len * 2 + /* SK_ei, SK_er */ - tr_prf->key_len * 2; /* SK_pi, SK_pr */ - - keymat = ikev2_calc_prfplus (tr_prf, skeyseed, s, len); - vec_free (skeyseed); - vec_free (s); - - int pos = 0; - - /* SK_d */ - sa->sk_d = vec_new (u8, tr_prf->key_trunc); - clib_memcpy_fast (sa->sk_d, keymat + pos, tr_prf->key_trunc); - pos += tr_prf->key_trunc; - - /* SK_ai */ - sa->sk_ai = vec_new (u8, tr_integ->key_len); - clib_memcpy_fast (sa->sk_ai, keymat + pos, tr_integ->key_len); - pos += tr_integ->key_len; - - /* SK_ar */ - sa->sk_ar = vec_new (u8, tr_integ->key_len); - clib_memcpy_fast (sa->sk_ar, keymat + pos, tr_integ->key_len); - pos += tr_integ->key_len; - - /* SK_ei */ - sa->sk_ei = vec_new (u8, tr_encr->key_len); - clib_memcpy_fast (sa->sk_ei, keymat + pos, tr_encr->key_len); - pos += tr_encr->key_len; - - /* SK_er */ - sa->sk_er = vec_new (u8, tr_encr->key_len); - clib_memcpy_fast (sa->sk_er, keymat + pos, tr_encr->key_len); - pos += tr_encr->key_len; - - /* SK_pi */ - sa->sk_pi = vec_new (u8, tr_prf->key_len); - clib_memcpy_fast (sa->sk_pi, keymat + pos, tr_prf->key_len); - pos += tr_prf->key_len; - - /* SK_pr */ - sa->sk_pr = vec_new (u8, tr_prf->key_len); - clib_memcpy_fast (sa->sk_pr, keymat + pos, tr_prf->key_len); - pos += tr_prf->key_len; - - vec_free (keymat); -} - -static void -ikev2_calc_child_keys (ikev2_sa_t * sa, ikev2_child_sa_t * child) -{ - u8 *s = 0; - ikev2_sa_transform_t *tr_prf, *ctr_encr, *ctr_integ; - tr_prf = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - ctr_encr = - ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - ctr_integ = - ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - - vec_append (s, sa->i_nonce); - vec_append (s, sa->r_nonce); - /* calculate PRFplus */ - u8 *keymat; - int len = ctr_encr->key_len * 2 + ctr_integ->key_len * 2; - - keymat = ikev2_calc_prfplus (tr_prf, sa->sk_d, s, len); - - int pos = 0; - - /* SK_ei */ - child->sk_ei = vec_new (u8, ctr_encr->key_len); - clib_memcpy_fast (child->sk_ei, keymat + pos, ctr_encr->key_len); - pos += ctr_encr->key_len; - - /* SK_ai */ - child->sk_ai = vec_new (u8, ctr_integ->key_len); - clib_memcpy_fast (child->sk_ai, keymat + pos, ctr_integ->key_len); - pos += ctr_integ->key_len; - - /* SK_er */ - child->sk_er = vec_new (u8, ctr_encr->key_len); - clib_memcpy_fast (child->sk_er, keymat + pos, ctr_encr->key_len); - pos += ctr_encr->key_len; - - /* SK_ar */ - child->sk_ar = vec_new (u8, ctr_integ->key_len); - clib_memcpy_fast (child->sk_ar, keymat + pos, ctr_integ->key_len); - pos += ctr_integ->key_len; - - ASSERT (pos == len); - - vec_free (keymat); -} - -static void -ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa, - ike_header_t * ike) -{ - int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); - u8 payload = ike->nextpayload; - - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - - sa->ispi = clib_net_to_host_u64 (ike->ispi); - - /* store whole IKE payload - needed for PSK auth */ - vec_free (sa->last_sa_init_req_packet_data); - vec_add (sa->last_sa_init_req_packet_data, ike, len); - - while (p < len && payload != IKEV2_PAYLOAD_NONE) - { - ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p]; - u32 plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (ike_payload_header_t)) - return; - - if (payload == IKEV2_PAYLOAD_SA) - { - ikev2_sa_free_proposal_vector (&sa->i_proposals); - sa->i_proposals = ikev2_parse_sa_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_KE) - { - ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep; - sa->dh_group = clib_net_to_host_u16 (ke->dh_group); - vec_free (sa->i_dh_data); - vec_add (sa->i_dh_data, ke->payload, plen - sizeof (*ke)); - } - else if (payload == IKEV2_PAYLOAD_NONCE) - { - vec_free (sa->i_nonce); - vec_add (sa->i_nonce, ikep->payload, plen - sizeof (*ikep)); - } - else if (payload == IKEV2_PAYLOAD_NOTIFY) - { - ikev2_notify_t *n = ikev2_parse_notify_payload (ikep); - vec_free (n); - } - else if (payload == IKEV2_PAYLOAD_VENDOR) - { - ikev2_parse_vendor_payload (ikep); - } - else - { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - sa->unsupported_cp = payload; - return; - } - } - - payload = ikep->nextpayload; - p += plen; - } - - ikev2_set_state (sa, IKEV2_STATE_SA_INIT); -} - -static void -ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa, - ike_header_t * ike) -{ - int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); - u8 payload = ike->nextpayload; - - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - - sa->ispi = clib_net_to_host_u64 (ike->ispi); - sa->rspi = clib_net_to_host_u64 (ike->rspi); - - /* store whole IKE payload - needed for PSK auth */ - vec_free (sa->last_sa_init_res_packet_data); - vec_add (sa->last_sa_init_res_packet_data, ike, len); - - while (p < len && payload != IKEV2_PAYLOAD_NONE) - { - ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p]; - u32 plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (ike_payload_header_t)) - return; - - if (payload == IKEV2_PAYLOAD_SA) - { - ikev2_sa_free_proposal_vector (&sa->r_proposals); - sa->r_proposals = ikev2_parse_sa_payload (ikep); - if (sa->r_proposals) - { - ikev2_set_state (sa, IKEV2_STATE_SA_INIT); - ike->msgid = - clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1); - } - } - else if (payload == IKEV2_PAYLOAD_KE) - { - ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep; - sa->dh_group = clib_net_to_host_u16 (ke->dh_group); - vec_free (sa->r_dh_data); - vec_add (sa->r_dh_data, ke->payload, plen - sizeof (*ke)); - } - else if (payload == IKEV2_PAYLOAD_NONCE) - { - vec_free (sa->r_nonce); - vec_add (sa->r_nonce, ikep->payload, plen - sizeof (*ikep)); - } - else if (payload == IKEV2_PAYLOAD_NOTIFY) - { - ikev2_notify_t *n = ikev2_parse_notify_payload (ikep); - vec_free (n); - } - else if (payload == IKEV2_PAYLOAD_VENDOR) - { - ikev2_parse_vendor_payload (ikep); - } - else - { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - sa->unsupported_cp = payload; - return; - } - } - - payload = ikep->nextpayload; - p += plen; - } -} - -static u8 * -ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload) -{ - int p = 0; - u8 last_payload = 0; - u8 *hmac = 0; - u32 len = clib_net_to_host_u32 (ike->length); - ike_payload_header_t *ikep = 0; - u32 plen = 0; - ikev2_sa_transform_t *tr_integ; - tr_integ = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - - while (p < len && - *payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK) - { - ikep = (ike_payload_header_t *) & ike->payload[p]; - plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (*ikep)) - return 0; - - if (*payload == IKEV2_PAYLOAD_SK) - { - clib_warning ("received IKEv2 payload SK, len %u", plen - 4); - last_payload = *payload; - } - else - { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - sa->unsupported_cp = *payload; - return 0; - } - } - - *payload = ikep->nextpayload; - p += plen; - } - - if (last_payload != IKEV2_PAYLOAD_SK) - { - clib_warning ("Last payload must be SK"); - return 0; - } - - hmac = - ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai, - (u8 *) ike, len - tr_integ->key_trunc); - - plen = plen - sizeof (*ikep) - tr_integ->key_trunc; - - if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc)) - { - clib_warning ("message integrity check failed"); - vec_free (hmac); - return 0; - } - vec_free (hmac); - - return ikev2_decrypt_data (sa, ikep->payload, plen); -} - -static void -ikev2_initial_contact_cleanup (ikev2_sa_t * sa) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_sa_t *tmp; - u32 i, *delete = 0; - ikev2_child_sa_t *c; - u32 thread_index = vlib_get_thread_index (); - - if (!sa->initial_contact) - return; - - /* find old IKE SAs with the same authenticated identity */ - /* *INDENT-OFF* */ - pool_foreach (tmp, km->per_thread_data[thread_index].sas, ({ - if (tmp->i_id.type != sa->i_id.type || - vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) || - memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data))) - continue; - - if (sa->rspi != tmp->rspi) - vec_add1(delete, tmp - km->per_thread_data[thread_index].sas); - })); - /* *INDENT-ON* */ - - for (i = 0; i < vec_len (delete); i++) - { - tmp = - pool_elt_at_index (km->per_thread_data[thread_index].sas, delete[i]); - vec_foreach (c, - tmp->childs) ikev2_delete_tunnel_interface (km->vnet_main, - tmp, c); - ikev2_delete_sa (tmp); - } - - vec_free (delete); - sa->initial_contact = 0; -} - -static void -ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) -{ - ikev2_child_sa_t *first_child_sa; - int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); - u8 payload = ike->nextpayload; - u8 *plaintext = 0; - - ike_payload_header_t *ikep; - u32 plen; - - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - - ikev2_calc_keys (sa); - - plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload); - - if (!plaintext) - { - if (sa->unsupported_cp) - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - goto cleanup_and_exit; - } - - /* select or create 1st child SA */ - if (sa->is_initiator) - { - first_child_sa = &sa->childs[0]; - } - else - { - ikev2_sa_free_all_child_sa (&sa->childs); - vec_add2 (sa->childs, first_child_sa, 1); - } - - - /* process encrypted payload */ - p = 0; - while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE) - { - ikep = (ike_payload_header_t *) & plaintext[p]; - plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (ike_payload_header_t)) - goto cleanup_and_exit; - - if (payload == IKEV2_PAYLOAD_SA) /* 33 */ - { - clib_warning ("received payload SA, len %u", plen - sizeof (*ikep)); - if (sa->is_initiator) - { - ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals); - first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep); - } - else - { - ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals); - first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep); - } - } - else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */ - { - ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; - - sa->i_id.type = id->id_type; - vec_free (sa->i_id.data); - vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); - - clib_warning ("received payload IDi, len %u id_type %u", - plen - sizeof (*id), id->id_type); - } - else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */ - { - ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; - - sa->r_id.type = id->id_type; - vec_free (sa->r_id.data); - vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - - clib_warning ("received payload IDr len %u id_type %u", - plen - sizeof (*id), id->id_type); - } - else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */ - { - ike_auth_payload_header_t *a = (ike_auth_payload_header_t *) ikep; - - if (sa->is_initiator) - { - sa->r_auth.method = a->auth_method; - vec_free (sa->r_auth.data); - vec_add (sa->r_auth.data, a->payload, plen - sizeof (*a)); - } - else - { - sa->i_auth.method = a->auth_method; - vec_free (sa->i_auth.data); - vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a)); - } - - clib_warning ("received payload AUTH, len %u auth_type %u", - plen - sizeof (*a), a->auth_method); - } - else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */ - { - ikev2_notify_t *n = ikev2_parse_notify_payload (ikep); - if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT) - { - sa->initial_contact = 1; - } - vec_free (n); - } - else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */ - { - ikev2_parse_vendor_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */ - { - clib_warning ("received payload TSi, len %u", - plen - sizeof (*ikep)); - - vec_free (first_child_sa->tsi); - first_child_sa->tsi = ikev2_parse_ts_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */ - { - clib_warning ("received payload TSr, len %u", - plen - sizeof (*ikep)); - - vec_free (first_child_sa->tsr); - first_child_sa->tsr = ikev2_parse_ts_payload (ikep); - } - else - { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); - - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - sa->unsupported_cp = payload; - return; - } - } - - payload = ikep->nextpayload; - p += plen; - } - -cleanup_and_exit: - vec_free (plaintext); -} - -static void -ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa, - ike_header_t * ike) -{ - int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); - u8 payload = ike->nextpayload; - u8 *plaintext = 0; - - ike_payload_header_t *ikep; - u32 plen; - - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - - plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload); - - if (!plaintext) - goto cleanup_and_exit; - - /* process encrypted payload */ - p = 0; - while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE) - { - ikep = (ike_payload_header_t *) & plaintext[p]; - plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (ike_payload_header_t)) - goto cleanup_and_exit; - - if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */ - { - ikev2_notify_t *n = ikev2_parse_notify_payload (ikep); - if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED) - ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); - vec_free (n); - } - else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */ - { - sa->del = ikev2_parse_delete_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */ - { - ikev2_parse_vendor_payload (ikep); - } - else - { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); - - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - sa->unsupported_cp = payload; - return; - } - } - - payload = ikep->nextpayload; - p += plen; - } - -cleanup_and_exit: - vec_free (plaintext); -} - -static void -ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa, - ike_header_t * ike) -{ - int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); - u8 payload = ike->nextpayload; - u8 *plaintext = 0; - u8 rekeying = 0; - u8 nonce[IKEV2_NONCE_SIZE]; - - ike_payload_header_t *ikep; - u32 plen; - ikev2_notify_t *n = 0; - ikev2_ts_t *tsi = 0; - ikev2_ts_t *tsr = 0; - ikev2_sa_proposal_t *proposal = 0; - ikev2_child_sa_t *child_sa; - - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - - plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload); - - if (!plaintext) - goto cleanup_and_exit; - - /* process encrypted payload */ - p = 0; - while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE) - { - ikep = (ike_payload_header_t *) & plaintext[p]; - plen = clib_net_to_host_u16 (ikep->length); - - if (plen < sizeof (ike_payload_header_t)) - goto cleanup_and_exit; - - else if (payload == IKEV2_PAYLOAD_SA) - { - proposal = ikev2_parse_sa_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_NOTIFY) - { - n = ikev2_parse_notify_payload (ikep); - if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA) - { - rekeying = 1; - } - } - else if (payload == IKEV2_PAYLOAD_DELETE) - { - sa->del = ikev2_parse_delete_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_VENDOR) - { - ikev2_parse_vendor_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_NONCE) - { - clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep)); - } - else if (payload == IKEV2_PAYLOAD_TSI) - { - tsi = ikev2_parse_ts_payload (ikep); - } - else if (payload == IKEV2_PAYLOAD_TSR) - { - tsr = ikev2_parse_ts_payload (ikep); - } - else - { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); - - if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) - { - sa->unsupported_cp = payload; - return; - } - } - - payload = ikep->nextpayload; - p += plen; - } - - if (sa->is_initiator && proposal->protocol_id == IKEV2_PROTOCOL_ESP) - { - ikev2_rekey_t *rekey = &sa->rekey[0]; - rekey->protocol_id = proposal->protocol_id; - rekey->i_proposal = - ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP); - rekey->i_proposal->spi = rekey->spi; - rekey->r_proposal = proposal; - rekey->tsi = tsi; - rekey->tsr = tsr; - /* update Nr */ - vec_free (sa->r_nonce); - vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE); - child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1); - if (child_sa) - { - child_sa->rekey_retries = 0; - } - } - else if (rekeying) - { - ikev2_rekey_t *rekey; - child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1); - if (!child_sa) - { - clib_warning ("child SA spi %lx not found", n->spi); - goto cleanup_and_exit; - } - vec_add2 (sa->rekey, rekey, 1); - rekey->protocol_id = n->protocol_id; - rekey->spi = n->spi; - rekey->i_proposal = proposal; - rekey->r_proposal = - ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP); - rekey->tsi = tsi; - rekey->tsr = tsr; - /* update Ni */ - vec_free (sa->i_nonce); - vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE); - /* generate new Nr */ - vec_free (sa->r_nonce); - sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE); - RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE); - } - -cleanup_and_exit: - vec_free (plaintext); - vec_free (n); -} - -static u8 * -ikev2_sa_generate_authmsg (ikev2_sa_t * sa, int is_responder) -{ - u8 *authmsg = 0; - u8 *data; - u8 *nonce; - ikev2_id_t *id; - u8 *key; - u8 *packet_data; - ikev2_sa_transform_t *tr_prf; - - tr_prf = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - - if (is_responder) - { - id = &sa->r_id; - key = sa->sk_pr; - nonce = sa->i_nonce; - packet_data = sa->last_sa_init_res_packet_data; - } - else - { - id = &sa->i_id; - key = sa->sk_pi; - nonce = sa->r_nonce; - packet_data = sa->last_sa_init_req_packet_data; - } - - data = vec_new (u8, 4); - data[0] = id->type; - vec_append (data, id->data); - - u8 *id_hash = ikev2_calc_prf (tr_prf, key, data); - vec_append (authmsg, packet_data); - vec_append (authmsg, nonce); - vec_append (authmsg, id_hash); - vec_free (id_hash); - vec_free (data); - - return authmsg; -} - -static int -ikev2_ts_cmp (ikev2_ts_t * ts1, ikev2_ts_t * ts2) -{ - if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id && - ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port && - ts1->start_addr.as_u32 == ts2->start_addr.as_u32 && - ts1->end_addr.as_u32 == ts2->end_addr.as_u32) - return 1; - - return 0; -} - -static void -ikev2_sa_match_ts (ikev2_sa_t * sa) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_profile_t *p; - ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0; - ikev2_id_t *id; - - /* *INDENT-OFF* */ - pool_foreach (p, km->profiles, ({ - - if (sa->is_initiator) - { - p_tsi = &p->loc_ts; - p_tsr = &p->rem_ts; - id = &sa->r_id; - } - else - { - p_tsi = &p->rem_ts; - p_tsr = &p->loc_ts; - id = &sa->i_id; - } - - /* check id */ - if (p->rem_id.type != id->type || - vec_len(p->rem_id.data) != vec_len(id->data) || - memcmp(p->rem_id.data, id->data, vec_len(p->rem_id.data))) - continue; - - vec_foreach(ts, sa->childs[0].tsi) - { - if (ikev2_ts_cmp(p_tsi, ts)) - { - tsi = vec_dup(ts); - break; - } - } - - vec_foreach(ts, sa->childs[0].tsr) - { - if (ikev2_ts_cmp(p_tsr, ts)) - { - tsr = vec_dup(ts); - break; - } - } - - break; - })); - /* *INDENT-ON* */ - - if (tsi && tsr) - { - vec_free (sa->childs[0].tsi); - vec_free (sa->childs[0].tsr); - sa->childs[0].tsi = tsi; - sa->childs[0].tsr = tsr; - } - else - { - vec_free (tsi); - vec_free (tsr); - ikev2_set_state (sa, IKEV2_STATE_TS_UNACCEPTABLE); - } -} - -static void -ikev2_sa_auth (ikev2_sa_t * sa) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_profile_t *p, *sel_p = 0; - u8 *authmsg, *key_pad, *psk = 0, *auth = 0; - ikev2_sa_transform_t *tr_prf; - - tr_prf = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - - /* only shared key and rsa signature */ - if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC || - sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)) - { - clib_warning ("unsupported authentication method %u", - sa->i_auth.method); - ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); - return; - } - - key_pad = format (0, "%s", IKEV2_KEY_PAD); - authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator); - - ikev2_id_t *sa_id; - ikev2_auth_t *sa_auth; - - if (sa->is_initiator) - { - sa_id = &sa->r_id; - sa_auth = &sa->r_auth; - } - else - { - sa_id = &sa->i_id; - sa_auth = &sa->i_auth; - } - - /* *INDENT-OFF* */ - pool_foreach (p, km->profiles, ({ - - /* check id */ - if (p->rem_id.type != sa_id->type || - vec_len(p->rem_id.data) != vec_len(sa_id->data) || - memcmp(p->rem_id.data, sa_id->data, vec_len(p->rem_id.data))) - continue; - - if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC) - { - if (!p->auth.data || - p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC) - continue; - - psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad); - auth = ikev2_calc_prf(tr_prf, psk, authmsg); - - if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data))) - { - ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED); - vec_free(auth); - sel_p = p; - break; - } - - } - else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG) - { - if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG) - continue; - - if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1) - { - ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED); - sel_p = p; - break; - } - } - - vec_free(auth); - vec_free(psk); - })); - /* *INDENT-ON* */ - - vec_free (authmsg); - - if (sa->state == IKEV2_STATE_AUTHENTICATED) - { - if (!sa->is_initiator) - { - vec_free (sa->r_id.data); - sa->r_id.data = vec_dup (sel_p->loc_id.data); - sa->r_id.type = sel_p->loc_id.type; - - /* generate our auth data */ - authmsg = ikev2_sa_generate_authmsg (sa, 1); - if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC) - { - sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg); - sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC; - } - else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG) - { - sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg); - sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG; - } - vec_free (authmsg); - - /* select transforms for 1st child sa */ - ikev2_sa_free_proposal_vector (&sa->childs[0].r_proposals); - sa->childs[0].r_proposals = - ikev2_select_proposal (sa->childs[0].i_proposals, - IKEV2_PROTOCOL_ESP); - } - } - else - { - ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); - } - vec_free (psk); - vec_free (key_pad); -} - - -static void -ikev2_sa_auth_init (ikev2_sa_t * sa) -{ - ikev2_main_t *km = &ikev2_main; - u8 *authmsg, *key_pad, *psk = 0, *auth = 0; - ikev2_sa_transform_t *tr_prf; - - tr_prf = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - - /* only shared key and rsa signature */ - if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC || - sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)) - { - clib_warning ("unsupported authentication method %u", - sa->i_auth.method); - ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); - return; - } - - key_pad = format (0, "%s", IKEV2_KEY_PAD); - authmsg = ikev2_sa_generate_authmsg (sa, 0); - psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad); - auth = ikev2_calc_prf (tr_prf, psk, authmsg); - - - if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC) - { - sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg); - sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC; - } - else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG) - { - sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg); - sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG; - } - - vec_free (psk); - vec_free (key_pad); - vec_free (auth); - vec_free (authmsg); -} - - -static int -ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, - ikev2_child_sa_t * child) -{ - ipsec_add_del_tunnel_args_t a; - ikev2_sa_transform_t *tr; - ikev2_sa_proposal_t *proposals; - u8 encr_type = 0; - u8 integ_type = 0; - - if (!child->r_proposals) - { - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - } - - clib_memset (&a, 0, sizeof (a)); - a.is_add = 1; - if (sa->is_initiator) - { - a.local_ip.ip4.as_u32 = sa->iaddr.as_u32; - a.remote_ip.ip4.as_u32 = sa->raddr.as_u32; - proposals = child->i_proposals; - a.local_spi = child->r_proposals[0].spi; - a.remote_spi = child->i_proposals[0].spi; - } - else - { - a.local_ip.ip4.as_u32 = sa->raddr.as_u32; - a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32; - proposals = child->r_proposals; - a.local_spi = child->i_proposals[0].spi; - a.remote_spi = child->r_proposals[0].spi; - } - a.anti_replay = 1; - - tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN); - if (tr) - a.esn = tr->esn_type; - else - a.esn = 0; - - tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR); - if (tr) - { - if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len) - { - switch (tr->key_len) - { - case 16: - encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128; - break; - case 24: - encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192; - break; - case 32: - encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256; - break; - default: - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - break; - } - } - else - { - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - } - } - else - { - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - } - - tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG); - if (tr) - { - switch (tr->integ_type) - { - case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128: - integ_type = IPSEC_INTEG_ALG_SHA_256_128; - break; - case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192: - integ_type = IPSEC_INTEG_ALG_SHA_384_192; - break; - case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256: - integ_type = IPSEC_INTEG_ALG_SHA_512_256; - break; - case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96: - integ_type = IPSEC_INTEG_ALG_SHA1_96; - break; - default: - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - } - } - else - { - ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); - return 1; - } - - ikev2_calc_child_keys (sa, child); - - u8 *loc_ckey, *rem_ckey, *loc_ikey, *rem_ikey; - if (sa->is_initiator) - { - loc_ikey = child->sk_ai; - rem_ikey = child->sk_ar; - loc_ckey = child->sk_ei; - rem_ckey = child->sk_er; - } - else - { - loc_ikey = child->sk_ar; - rem_ikey = child->sk_ai; - loc_ckey = child->sk_er; - rem_ckey = child->sk_ei; - } - - a.integ_alg = integ_type; - a.local_integ_key_len = vec_len (loc_ikey); - clib_memcpy_fast (a.local_integ_key, loc_ikey, a.local_integ_key_len); - a.remote_integ_key_len = vec_len (rem_ikey); - clib_memcpy_fast (a.remote_integ_key, rem_ikey, a.remote_integ_key_len); - - a.crypto_alg = encr_type; - a.local_crypto_key_len = vec_len (loc_ckey); - clib_memcpy_fast (a.local_crypto_key, loc_ckey, a.local_crypto_key_len); - a.remote_crypto_key_len = vec_len (rem_ckey); - clib_memcpy_fast (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len); - - if (sa->profile && sa->profile->lifetime) - { - child->time_to_expiration = vlib_time_now (vnm->vlib_main) - + sa->profile->lifetime; - if (sa->profile->lifetime_jitter) - { - // This is not much better than rand(3), which Coverity warns - // is unsuitable for security applications; random_u32 is - // however fast. If this perturbance to the expiration time - // needs to use a better RNG then we may need to use something - // like /dev/urandom which has significant overhead. - u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6); - rnd = random_u32 (&rnd); - - child->time_to_expiration += - 1 + (rnd % sa->profile->lifetime_jitter); - } - } - - ipsec_add_del_tunnel_if (&a); - - return 0; -} - -static int -ikev2_delete_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, - ikev2_child_sa_t * child) -{ - ipsec_add_del_tunnel_args_t a; - - if (sa->is_initiator) - { - if (!vec_len (child->i_proposals)) - return 0; - - a.is_add = 0; - a.local_ip.ip4.as_u32 = sa->iaddr.as_u32; - a.remote_ip.ip4.as_u32 = sa->raddr.as_u32; - a.local_spi = child->r_proposals[0].spi; - a.remote_spi = child->i_proposals[0].spi; - } - else - { - if (!vec_len (child->r_proposals)) - return 0; - - a.is_add = 0; - a.local_ip.ip4.as_u32 = sa->raddr.as_u32; - a.remote_ip.ip4.as_u32 = sa->iaddr.as_u32; - a.local_spi = child->i_proposals[0].spi; - a.remote_spi = child->r_proposals[0].spi; - } - - ipsec_add_del_tunnel_if (&a); - return 0; -} - -static u32 -ikev2_generate_message (ikev2_sa_t * sa, ike_header_t * ike, void *user) -{ - v8 *integ = 0; - ike_payload_header_t *ph; - u16 plen; - u32 tlen = 0; - - ikev2_sa_transform_t *tr_encr, *tr_integ; - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - tr_integ = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - - ikev2_payload_chain_t *chain = 0; - ikev2_payload_new_chain (chain); - - if (ike->exchange == IKEV2_EXCHANGE_SA_INIT) - { - if (sa->r_proposals == 0) - { - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0); - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - } - else if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE) - { - u8 *data = vec_new (u8, 2); - ikev2_sa_transform_t *tr_dh; - tr_dh = - ikev2_sa_get_td_for_type (sa->r_proposals, - IKEV2_TRANSFORM_TYPE_DH); - ASSERT (tr_dh && tr_dh->dh_type); - - data[0] = (tr_dh->dh_type >> 8) & 0xff; - data[1] = (tr_dh->dh_type) & 0xff; - - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD, - data); - vec_free (data); - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - } - else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE) - { - u8 *data = vec_new (u8, 1); - - data[0] = sa->unsupported_cp; - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, - data); - vec_free (data); - } - else - { - ike->rspi = clib_host_to_net_u64 (sa->rspi); - ikev2_payload_add_sa (chain, sa->r_proposals); - ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data); - ikev2_payload_add_nonce (chain, sa->r_nonce); - } - } - else if (ike->exchange == IKEV2_EXCHANGE_IKE_AUTH) - { - if (sa->state == IKEV2_STATE_AUTHENTICATED) - { - ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR); - ikev2_payload_add_auth (chain, &sa->r_auth); - ikev2_payload_add_sa (chain, sa->childs[0].r_proposals); - ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI); - ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR); - } - else if (sa->state == IKEV2_STATE_AUTH_FAILED) - { - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED, - 0); - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - } - else if (sa->state == IKEV2_STATE_TS_UNACCEPTABLE) - { - ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_TS_UNACCEPTABLE, - 0); - ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR); - ikev2_payload_add_auth (chain, &sa->r_auth); - } - else if (sa->state == IKEV2_STATE_NO_PROPOSAL_CHOSEN) - { - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0); - ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR); - ikev2_payload_add_auth (chain, &sa->r_auth); - ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI); - ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR); - } - else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE) - { - u8 *data = vec_new (u8, 1); - - data[0] = sa->unsupported_cp; - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, - data); - vec_free (data); - } - else if (sa->state == IKEV2_STATE_SA_INIT) - { - ikev2_payload_add_id (chain, &sa->i_id, IKEV2_PAYLOAD_IDI); - ikev2_payload_add_auth (chain, &sa->i_auth); - ikev2_payload_add_sa (chain, sa->childs[0].i_proposals); - ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI); - ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR); - } - else - { - ikev2_set_state (sa, IKEV2_STATE_DELETED); - goto done; - } - } - else if (ike->exchange == IKEV2_EXCHANGE_INFORMATIONAL) - { - /* if pending delete */ - if (sa->del) - { - if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE) - { - if (sa->is_initiator) - ikev2_payload_add_delete (chain, sa->del); - - /* The response to a request that deletes the IKE SA is an empty - INFORMATIONAL response. */ - ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); - } - /* The response to a request that deletes ESP or AH SAs will contain - delete payloads for the paired SAs going in the other direction. */ - else - { - ikev2_payload_add_delete (chain, sa->del); - } - vec_free (sa->del); - sa->del = 0; - } - /* received N(AUTHENTICATION_FAILED) */ - else if (sa->state == IKEV2_STATE_AUTH_FAILED) - { - ikev2_set_state (sa, IKEV2_STATE_DELETED); - goto done; - } - /* received unsupported critical payload */ - else if (sa->unsupported_cp) - { - u8 *data = vec_new (u8, 1); - - data[0] = sa->unsupported_cp; - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, - data); - vec_free (data); - sa->unsupported_cp = 0; - } - /* else send empty response */ - } - else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA) - { - if (sa->is_initiator) - { - - ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user; - ikev2_notify_t notify; - u8 *data = vec_new (u8, 4); - clib_memset (¬ify, 0, sizeof (notify)); - notify.protocol_id = IKEV2_PROTOCOL_ESP; - notify.spi = sa->childs[0].i_proposals->spi; - *(u32 *) data = clib_host_to_net_u32 (notify.spi); - - ikev2_payload_add_sa (chain, proposals); - ikev2_payload_add_nonce (chain, sa->i_nonce); - ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI); - ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR); - ikev2_payload_add_notify_2 (chain, IKEV2_NOTIFY_MSG_REKEY_SA, data, - ¬ify); - - vec_free (data); - } - else - { - if (sa->rekey) - { - ikev2_payload_add_sa (chain, sa->rekey[0].r_proposal); - ikev2_payload_add_nonce (chain, sa->r_nonce); - ikev2_payload_add_ts (chain, sa->rekey[0].tsi, - IKEV2_PAYLOAD_TSI); - ikev2_payload_add_ts (chain, sa->rekey[0].tsr, - IKEV2_PAYLOAD_TSR); - vec_del1 (sa->rekey, 0); - } - else if (sa->unsupported_cp) - { - u8 *data = vec_new (u8, 1); - - data[0] = sa->unsupported_cp; - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, - data); - vec_free (data); - sa->unsupported_cp = 0; - } - else - { - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS, - 0); - } - } - } - - /* IKEv2 header */ - ike->version = IKE_VERSION_2; - ike->nextpayload = IKEV2_PAYLOAD_SK; - tlen = sizeof (*ike); - if (sa->is_initiator) - { - ike->flags = IKEV2_HDR_FLAG_INITIATOR; - sa->last_init_msg_id = clib_net_to_host_u32 (ike->msgid); - } - else - { - ike->flags = IKEV2_HDR_FLAG_RESPONSE; - } - - - if (ike->exchange == IKEV2_EXCHANGE_SA_INIT) - { - tlen += vec_len (chain->data); - ike->nextpayload = chain->first_payload_type; - ike->length = clib_host_to_net_u32 (tlen); - clib_memcpy_fast (ike->payload, chain->data, vec_len (chain->data)); - - /* store whole IKE payload - needed for PSK auth */ - vec_free (sa->last_sa_init_res_packet_data); - vec_add (sa->last_sa_init_res_packet_data, ike, tlen); - } - else - { - - ikev2_payload_chain_add_padding (chain, tr_encr->block_size); - - /* SK payload */ - plen = sizeof (*ph); - ph = (ike_payload_header_t *) & ike->payload[0]; - ph->nextpayload = chain->first_payload_type; - ph->flags = 0; - int enc_len = ikev2_encrypt_data (sa, chain->data, ph->payload); - plen += enc_len; - - /* add space for hmac */ - plen += tr_integ->key_trunc; - tlen += plen; - - /* payload and total length */ - ph->length = clib_host_to_net_u16 (plen); - ike->length = clib_host_to_net_u32 (tlen); - - /* calc integrity data for whole packet except hash itself */ - integ = - ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ai : sa->sk_ar, - (u8 *) ike, tlen - tr_integ->key_trunc); - - clib_memcpy_fast (ike->payload + tlen - tr_integ->key_trunc - - sizeof (*ike), integ, tr_integ->key_trunc); - - /* store whole IKE payload - needed for retransmit */ - vec_free (sa->last_res_packet_data); - vec_add (sa->last_res_packet_data, ike, tlen); - } - -done: - ikev2_payload_destroy_chain (chain); - vec_free (integ); - return tlen; -} - -static int -ikev2_retransmit_sa_init (ike_header_t * ike, - ip4_address_t iaddr, ip4_address_t raddr) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_sa_t *sa; - u32 thread_index = vlib_get_thread_index (); - - /* *INDENT-OFF* */ - pool_foreach (sa, km->per_thread_data[thread_index].sas, ({ - if (sa->ispi == clib_net_to_host_u64(ike->ispi) && - sa->iaddr.as_u32 == iaddr.as_u32 && - sa->raddr.as_u32 == raddr.as_u32) - { - int p = 0; - u32 len = clib_net_to_host_u32(ike->length); - u8 payload = ike->nextpayload; - - while (p < len && payload!= IKEV2_PAYLOAD_NONE) { - ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p]; - u32 plen = clib_net_to_host_u16(ikep->length); - - if (plen < sizeof(ike_payload_header_t)) - return -1; - - if (payload == IKEV2_PAYLOAD_NONCE) - { - if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep))) - { - /* req is retransmit */ - if (sa->state == IKEV2_STATE_SA_INIT) - { - ike_header_t * tmp; - tmp = (ike_header_t*)sa->last_sa_init_res_packet_data; - ike->ispi = tmp->ispi; - ike->rspi = tmp->rspi; - ike->nextpayload = tmp->nextpayload; - ike->version = tmp->version; - ike->exchange = tmp->exchange; - ike->flags = tmp->flags; - ike->msgid = tmp->msgid; - ike->length = tmp->length; - clib_memcpy_fast(ike->payload, tmp->payload, - clib_net_to_host_u32(tmp->length) - sizeof(*ike)); - clib_warning("IKE_SA_INIT retransmit from %U to %U", - format_ip4_address, &raddr, - format_ip4_address, &iaddr); - return 1; - } - /* else ignore req */ - else - { - clib_warning("IKE_SA_INIT ignore from %U to %U", - format_ip4_address, &raddr, - format_ip4_address, &iaddr); - return -1; - } - } - } - payload = ikep->nextpayload; - p+=plen; - } - } - })); - /* *INDENT-ON* */ - - /* req is not retransmit */ - return 0; -} - -static int -ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike) -{ - u32 msg_id = clib_net_to_host_u32 (ike->msgid); - - /* new req */ - if (msg_id > sa->last_msg_id) - { - sa->last_msg_id = msg_id; - return 0; - } - /* retransmitted req */ - else if (msg_id == sa->last_msg_id) - { - ike_header_t *tmp; - tmp = (ike_header_t *) sa->last_res_packet_data; - ike->ispi = tmp->ispi; - ike->rspi = tmp->rspi; - ike->nextpayload = tmp->nextpayload; - ike->version = tmp->version; - ike->exchange = tmp->exchange; - ike->flags = tmp->flags; - ike->msgid = tmp->msgid; - ike->length = tmp->length; - clib_memcpy_fast (ike->payload, tmp->payload, - clib_net_to_host_u32 (tmp->length) - sizeof (*ike)); - clib_warning ("IKE msgid %u retransmit from %U to %U", - msg_id, - format_ip4_address, &sa->raddr, - format_ip4_address, &sa->iaddr); - return 1; - } - /* old req ignore */ - else - { - clib_warning ("IKE msgid %u req ignore from %U to %U", - msg_id, - format_ip4_address, &sa->raddr, - format_ip4_address, &sa->iaddr); - return -1; - } -} - - -static uword -ikev2_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, vlib_frame_t * frame) -{ - u32 n_left_from, *from, *to_next; - ikev2_next_t next_index; - ikev2_main_t *km = &ikev2_main; - u32 thread_index = vlib_get_thread_index (); - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 next0 = IKEV2_NEXT_ERROR_DROP; - u32 sw_if_index0; - ip4_header_t *ip40; - udp_header_t *udp0; - ike_header_t *ike0; - ikev2_sa_t *sa0 = 0; - ikev2_sa_t sa; /* temporary store for SA */ - int len = 0; - int r; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - ike0 = vlib_buffer_get_current (b0); - vlib_buffer_advance (b0, -sizeof (*udp0)); - udp0 = vlib_buffer_get_current (b0); - vlib_buffer_advance (b0, -sizeof (*ip40)); - ip40 = vlib_buffer_get_current (b0); - - if (ike0->version != IKE_VERSION_2) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_NOT_IKEV2, 1); - goto dispatch0; - } - - if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT) - { - sa0 = &sa; - clib_memset (sa0, 0, sizeof (*sa0)); - - if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR) - { - if (ike0->rspi == 0) - { - sa0->raddr.as_u32 = ip40->dst_address.as_u32; - sa0->iaddr.as_u32 = ip40->src_address.as_u32; - - r = ikev2_retransmit_sa_init (ike0, sa0->iaddr, - sa0->raddr); - if (r == 1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT, - 1); - len = clib_net_to_host_u32 (ike0->length); - goto dispatch0; - } - else if (r == -1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_SA_INIT_IGNORE, - 1); - goto dispatch0; - } - - ikev2_process_sa_init_req (vm, sa0, ike0); - - if (sa0->state == IKEV2_STATE_SA_INIT) - { - ikev2_sa_free_proposal_vector (&sa0->r_proposals); - sa0->r_proposals = - ikev2_select_proposal (sa0->i_proposals, - IKEV2_PROTOCOL_IKE); - ikev2_generate_sa_init_data (sa0); - } - - if (sa0->state == IKEV2_STATE_SA_INIT - || sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE) - { - len = ikev2_generate_message (sa0, ike0, 0); - } - - if (sa0->state == IKEV2_STATE_SA_INIT) - { - /* add SA to the pool */ - pool_get (km->per_thread_data[thread_index].sas, - sa0); - clib_memcpy_fast (sa0, &sa, sizeof (*sa0)); - hash_set (km-> - per_thread_data[thread_index].sa_by_rspi, - sa0->rspi, - sa0 - - km->per_thread_data[thread_index].sas); - } - else - { - ikev2_sa_free_all_vec (sa0); - } - } - } - else //received sa_init without initiator flag - { - ikev2_process_sa_init_resp (vm, sa0, ike0); - - if (sa0->state == IKEV2_STATE_SA_INIT) - { - ike0->exchange = IKEV2_EXCHANGE_IKE_AUTH; - uword *p = hash_get (km->sa_by_ispi, ike0->ispi); - if (p) - { - ikev2_sa_t *sai = - pool_elt_at_index (km->sais, p[0]); - - ikev2_complete_sa_data (sa0, sai); - ikev2_calc_keys (sa0); - ikev2_sa_auth_init (sa0); - len = ikev2_generate_message (sa0, ike0, 0); - } - } - - if (sa0->state == IKEV2_STATE_SA_INIT) - { - /* add SA to the pool */ - pool_get (km->per_thread_data[thread_index].sas, sa0); - clib_memcpy_fast (sa0, &sa, sizeof (*sa0)); - hash_set (km->per_thread_data[thread_index].sa_by_rspi, - sa0->rspi, - sa0 - km->per_thread_data[thread_index].sas); - } - else - { - ikev2_sa_free_all_vec (sa0); - } - } - } - else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH) - { - uword *p; - p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, - clib_net_to_host_u64 (ike0->rspi)); - if (p) - { - sa0 = - pool_elt_at_index (km->per_thread_data[thread_index].sas, - p[0]); - - r = ikev2_retransmit_resp (sa0, ike0); - if (r == 1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_RETRANSMIT, - 1); - len = clib_net_to_host_u32 (ike0->length); - goto dispatch0; - } - else if (r == -1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_IGNORE, - 1); - goto dispatch0; - } - - ikev2_process_auth_req (vm, sa0, ike0); - ikev2_sa_auth (sa0); - if (sa0->state == IKEV2_STATE_AUTHENTICATED) - { - ikev2_initial_contact_cleanup (sa0); - ikev2_sa_match_ts (sa0); - if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE) - ikev2_create_tunnel_interface (km->vnet_main, sa0, - &sa0->childs[0]); - } - - if (sa0->is_initiator) - { - uword *p = hash_get (km->sa_by_ispi, ike0->ispi); - if (p) - { - ikev2_sa_t *sai = - pool_elt_at_index (km->sais, p[0]); - hash_unset (km->sa_by_ispi, sai->ispi); - ikev2_sa_free_all_vec (sai); - pool_put (km->sais, sai); - } - } - else - { - len = ikev2_generate_message (sa0, ike0, 0); - } - } - } - else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL) - { - uword *p; - p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, - clib_net_to_host_u64 (ike0->rspi)); - if (p) - { - sa0 = - pool_elt_at_index (km->per_thread_data[thread_index].sas, - p[0]); - - r = ikev2_retransmit_resp (sa0, ike0); - if (r == 1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_RETRANSMIT, - 1); - len = clib_net_to_host_u32 (ike0->length); - goto dispatch0; - } - else if (r == -1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_IGNORE, - 1); - goto dispatch0; - } - - ikev2_process_informational_req (vm, sa0, ike0); - if (sa0->del) - { - if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE) - { - ikev2_delete_t *d, *tmp, *resp = 0; - vec_foreach (d, sa0->del) - { - ikev2_child_sa_t *ch_sa; - ch_sa = ikev2_sa_get_child (sa0, d->spi, - d->protocol_id, - !sa0->is_initiator); - if (ch_sa) - { - ikev2_delete_tunnel_interface (km->vnet_main, - sa0, ch_sa); - if (!sa0->is_initiator) - { - vec_add2 (resp, tmp, 1); - tmp->protocol_id = d->protocol_id; - tmp->spi = ch_sa->r_proposals[0].spi; - } - ikev2_sa_del_child_sa (sa0, ch_sa); - } - } - if (!sa0->is_initiator) - { - vec_free (sa0->del); - sa0->del = resp; - } - } - } - if (!sa0->is_initiator) - { - len = ikev2_generate_message (sa0, ike0, 0); - } - } - } - else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA) - { - uword *p; - p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, - clib_net_to_host_u64 (ike0->rspi)); - if (p) - { - sa0 = - pool_elt_at_index (km->per_thread_data[thread_index].sas, - p[0]); - - r = ikev2_retransmit_resp (sa0, ike0); - if (r == 1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_RETRANSMIT, - 1); - len = clib_net_to_host_u32 (ike0->length); - goto dispatch0; - } - else if (r == -1) - { - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_IKE_REQ_IGNORE, - 1); - goto dispatch0; - } - - ikev2_process_create_child_sa_req (vm, sa0, ike0); - if (sa0->rekey) - { - if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE) - { - ikev2_child_sa_t *child; - vec_add2 (sa0->childs, child, 1); - child->r_proposals = sa0->rekey[0].r_proposal; - child->i_proposals = sa0->rekey[0].i_proposal; - child->tsi = sa0->rekey[0].tsi; - child->tsr = sa0->rekey[0].tsr; - ikev2_create_tunnel_interface (km->vnet_main, sa0, - child); - } - if (sa0->is_initiator) - { - vec_del1 (sa0->rekey, 0); - } - else - { - len = ikev2_generate_message (sa0, ike0, 0); - } - } - } - } - else - { - clib_warning ("IKEv2 exchange %u packet received from %U to %U", - ike0->exchange, - format_ip4_address, ip40->src_address.as_u8, - format_ip4_address, ip40->dst_address.as_u8); - } - - dispatch0: - /* if we are sending packet back, rewrite headers */ - if (len) - { - next0 = IKEV2_NEXT_IP4_LOOKUP; - if (sa0->is_initiator) - { - ip40->dst_address.as_u32 = sa0->raddr.as_u32; - ip40->src_address.as_u32 = sa0->iaddr.as_u32; - } - else - { - ip40->dst_address.as_u32 = sa0->iaddr.as_u32; - ip40->src_address.as_u32 = sa0->raddr.as_u32; - } - udp0->length = - clib_host_to_net_u16 (len + sizeof (udp_header_t)); - udp0->checksum = 0; - b0->current_length = - len + sizeof (ip4_header_t) + sizeof (udp_header_t); - ip40->length = clib_host_to_net_u16 (b0->current_length); - ip40->checksum = ip4_header_checksum (ip40); - } - /* delete sa */ - if (sa0 && (sa0->state == IKEV2_STATE_DELETED || - sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE)) - { - ikev2_child_sa_t *c; - - vec_foreach (c, sa0->childs) - ikev2_delete_tunnel_interface (km->vnet_main, sa0, c); - - ikev2_delete_sa (sa0); - } - sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - - if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, ikev2_node.index, - IKEV2_ERROR_PROCESSED, frame->n_vectors); - return frame->n_vectors; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ikev2_node,static) = { - .function = ikev2_node_fn, - .name = "ikev2", - .vector_size = sizeof (u32), - .format_trace = format_ikev2_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(ikev2_error_strings), - .error_strings = ikev2_error_strings, - - .n_next_nodes = IKEV2_N_NEXT, - - .next_nodes = { - [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup", - [IKEV2_NEXT_ERROR_DROP] = "error-drop", - }, -}; -/* *INDENT-ON* */ - -// set ikev2 proposals when vpp is used as initiator -static clib_error_t * -ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa, - ikev2_transforms_set * ts, - ikev2_sa_proposal_t ** proposals, int is_ike) -{ - clib_error_t *r; - ikev2_main_t *km = &ikev2_main; - ikev2_sa_proposal_t *proposal; - vec_add2 (*proposals, proposal, 1); - ikev2_sa_transform_t *td; - int error; - - /* Encryption */ - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_ENCR - && td->encr_type == ts->crypto_alg - && td->key_len == ts->crypto_key_size / 8) - { - u16 attr[2]; - attr[0] = clib_host_to_net_u16 (14 | (1 << 15)); - attr[1] = clib_host_to_net_u16 (td->key_len << 3); - vec_add (td->attrs, (u8 *) attr, 4); - vec_add1 (proposal->transforms, *td); - td->attrs = 0; - - error = 0; - break; - } - } - if (error) - { - r = clib_error_return (0, "Unsupported algorithm"); - return r; - } - - /* Integrity */ - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_INTEG - && td->integ_type == ts->integ_alg) - { - vec_add1 (proposal->transforms, *td); - error = 0; - break; - } - } - if (error) - { - clib_warning - ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG"); - r = clib_error_return (0, "Unsupported algorithm"); - return r; - } - - /* PRF */ - if (is_ike) - { - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_PRF - && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256) - { - vec_add1 (proposal->transforms, *td); - error = 0; - break; - } - } - if (error) - { - r = clib_error_return (0, "Unsupported algorithm"); - return r; - } - } - - /* DH */ - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type) - { - vec_add1 (proposal->transforms, *td); - if (is_ike) - { - sa->dh_group = td->dh_type; - } - error = 0; - break; - } - } - if (error) - { - r = clib_error_return (0, "Unsupported algorithm"); - return r; - } - - if (!is_ike) - { - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_ESN) - { - vec_add1 (proposal->transforms, *td); - error = 0; - break; - } - } - if (error) - { - r = clib_error_return (0, "Unsupported algorithm"); - return r; - } - } - - - return 0; -} - -static ikev2_profile_t * -ikev2_profile_index_by_name (u8 * name) -{ - ikev2_main_t *km = &ikev2_main; - uword *p; - - p = mhash_get (&km->profile_index_by_name, name); - if (!p) - return 0; - - return pool_elt_at_index (km->profiles, p[0]); -} - - -static void -ikev2_send_ike (vlib_main_t * vm, ip4_address_t * src, ip4_address_t * dst, - u32 bi0, u32 len) -{ - ip4_header_t *ip40; - udp_header_t *udp0; - vlib_buffer_t *b0; - vlib_frame_t *f; - u32 *to_next; - - b0 = vlib_get_buffer (vm, bi0); - vlib_buffer_advance (b0, -sizeof (udp_header_t)); - udp0 = vlib_buffer_get_current (b0); - vlib_buffer_advance (b0, -sizeof (ip4_header_t)); - ip40 = vlib_buffer_get_current (b0); - - - ip40->ip_version_and_header_length = 0x45; - ip40->tos = 0; - ip40->fragment_id = 0; - ip40->flags_and_fragment_offset = 0; - ip40->ttl = 0xff; - ip40->protocol = IP_PROTOCOL_UDP; - ip40->dst_address.as_u32 = dst->as_u32; - ip40->src_address.as_u32 = src->as_u32; - udp0->dst_port = clib_host_to_net_u16 (500); - udp0->src_port = clib_host_to_net_u16 (500); - udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t)); - udp0->checksum = 0; - b0->current_length = len + sizeof (ip4_header_t) + sizeof (udp_header_t); - ip40->length = clib_host_to_net_u16 (b0->current_length); - ip40->checksum = ip4_header_checksum (ip40); - - - /* send the request */ - f = vlib_get_frame_to_node (vm, ip4_lookup_node.index); - to_next = vlib_frame_vector_args (f); - to_next[0] = bi0; - f->n_vectors = 1; - vlib_put_frame_to_node (vm, ip4_lookup_node.index, f); - -} - -static u32 -ikev2_get_new_ike_header_buff (vlib_main_t * vm, ike_header_t ** ike) -{ - u32 bi0; - if (vlib_buffer_alloc (vm, &bi0, 1) != 1) - { - *ike = 0; - return 0; - } - vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0); - *ike = vlib_buffer_get_current (b0); - return bi0; -} - -clib_error_t * -ikev2_set_local_key (vlib_main_t * vm, u8 * file) -{ - ikev2_main_t *km = &ikev2_main; - - km->pkey = ikev2_load_key_file (file); - if (km->pkey == NULL) - return clib_error_return (0, "load key '%s' failed", file); - - return 0; -} - -clib_error_t * -ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_profile_t *p; - - if (is_add) - { - if (ikev2_profile_index_by_name (name)) - return clib_error_return (0, "policy %v already exists", name); - - pool_get (km->profiles, p); - clib_memset (p, 0, sizeof (*p)); - p->name = vec_dup (name); - p->responder.sw_if_index = ~0; - uword index = p - km->profiles; - mhash_set_mem (&km->profile_index_by_name, name, &index, 0); - } - else - { - p = ikev2_profile_index_by_name (name); - if (!p) - return clib_error_return (0, "policy %v does not exists", name); - - vec_free (p->name); - pool_put (km->profiles, p); - mhash_unset (&km->profile_index_by_name, name, 0); - } - return 0; -} - -clib_error_t * -ikev2_set_profile_auth (vlib_main_t * vm, u8 * name, u8 auth_method, - u8 * auth_data, u8 data_hex_format) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - vec_free (p->auth.data); - p->auth.method = auth_method; - p->auth.data = vec_dup (auth_data); - p->auth.hex = data_hex_format; - - if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG) - { - vec_add1 (p->auth.data, 0); - if (p->auth.key) - EVP_PKEY_free (p->auth.key); - p->auth.key = ikev2_load_cert_file (auth_data); - if (p->auth.key == NULL) - return clib_error_return (0, "load cert '%s' failed", auth_data); - } - - return 0; -} - -clib_error_t * -ikev2_set_profile_id (vlib_main_t * vm, u8 * name, u8 id_type, u8 * data, - int is_local) -{ - ikev2_profile_t *p; - clib_error_t *r; - - if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR - && id_type < IKEV2_ID_TYPE_ID_KEY_ID) - { - r = clib_error_return (0, "unsupported identity type %U", - format_ikev2_id_type, id_type); - return r; - } - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - if (is_local) - { - vec_free (p->loc_id.data); - p->loc_id.type = id_type; - p->loc_id.data = vec_dup (data); - } - else - { - vec_free (p->rem_id.data); - p->rem_id.type = id_type; - p->rem_id.data = vec_dup (data); - } - - return 0; -} - -clib_error_t * -ikev2_set_profile_ts (vlib_main_t * vm, u8 * name, u8 protocol_id, - u16 start_port, u16 end_port, ip4_address_t start_addr, - ip4_address_t end_addr, int is_local) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - if (is_local) - { - p->loc_ts.start_addr.as_u32 = start_addr.as_u32; - p->loc_ts.end_addr.as_u32 = end_addr.as_u32; - p->loc_ts.start_port = start_port; - p->loc_ts.end_port = end_port; - p->loc_ts.protocol_id = protocol_id; - p->loc_ts.ts_type = 7; - } - else - { - p->rem_ts.start_addr.as_u32 = start_addr.as_u32; - p->rem_ts.end_addr.as_u32 = end_addr.as_u32; - p->rem_ts.start_port = start_port; - p->rem_ts.end_port = end_port; - p->rem_ts.protocol_id = protocol_id; - p->rem_ts.ts_type = 7; - } - - return 0; -} - - -clib_error_t * -ikev2_set_profile_responder (vlib_main_t * vm, u8 * name, - u32 sw_if_index, ip4_address_t ip4) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - p->responder.sw_if_index = sw_if_index; - p->responder.ip4 = ip4; - - return 0; -} - -clib_error_t * -ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name, - ikev2_transform_encr_type_t crypto_alg, - ikev2_transform_integ_type_t integ_alg, - ikev2_transform_dh_type_t dh_type, - u32 crypto_key_size) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - p->ike_ts.crypto_alg = crypto_alg; - p->ike_ts.integ_alg = integ_alg; - p->ike_ts.dh_type = dh_type; - p->ike_ts.crypto_key_size = crypto_key_size; - return 0; -} - -clib_error_t * -ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name, - ikev2_transform_encr_type_t crypto_alg, - ikev2_transform_integ_type_t integ_alg, - ikev2_transform_dh_type_t dh_type, - u32 crypto_key_size) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - p->esp_ts.crypto_alg = crypto_alg; - p->esp_ts.integ_alg = integ_alg; - p->esp_ts.dh_type = dh_type; - p->esp_ts.crypto_key_size = crypto_key_size; - return 0; -} - -clib_error_t * -ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name, - u64 lifetime, u32 jitter, u32 handover, - u64 maxdata) -{ - ikev2_profile_t *p; - clib_error_t *r; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - p->lifetime = lifetime; - p->lifetime_jitter = jitter; - p->handover = handover; - p->lifetime_maxdata = maxdata; - return 0; -} - -clib_error_t * -ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name) -{ - ikev2_profile_t *p; - clib_error_t *r; - ip4_main_t *im = &ip4_main; - ikev2_main_t *km = &ikev2_main; - - p = ikev2_profile_index_by_name (name); - - if (!p) - { - r = clib_error_return (0, "unknown profile %v", name); - return r; - } - - if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0) - { - r = clib_error_return (0, "responder not set for profile %v", name); - return r; - } - - - /* Create the Initiator Request */ - { - ike_header_t *ike0; - u32 bi0 = 0; - ip_lookup_main_t *lm = &im->lookup_main; - u32 if_add_index0; - int len = sizeof (ike_header_t); - - /* Get own iface IP */ - if_add_index0 = - lm->if_address_pool_index_by_sw_if_index[p->responder.sw_if_index]; - ip_interface_address_t *if_add = - pool_elt_at_index (lm->if_address_pool, if_add_index0); - ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add); - - bi0 = ikev2_get_new_ike_header_buff (vm, &ike0); - - /* Prepare the SA and the IKE payload */ - ikev2_sa_t sa; - clib_memset (&sa, 0, sizeof (ikev2_sa_t)); - ikev2_payload_chain_t *chain = 0; - ikev2_payload_new_chain (chain); - - /* Build the IKE proposal payload */ - ikev2_sa_proposal_t *proposals = 0; - ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1); - proposals[0].proposal_num = 1; - proposals[0].protocol_id = IKEV2_PROTOCOL_IKE; - - /* Add and then cleanup proposal data */ - ikev2_payload_add_sa (chain, proposals); - ikev2_sa_free_proposal_vector (&proposals); - - sa.is_initiator = 1; - sa.profile = p; - sa.state = IKEV2_STATE_SA_INIT; - ikev2_generate_sa_init_data (&sa); - ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data); - ikev2_payload_add_nonce (chain, sa.i_nonce); - - /* Build the child SA proposal */ - vec_resize (sa.childs, 1); - ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts, - &sa.childs[0].i_proposals, 0); - sa.childs[0].i_proposals[0].proposal_num = 1; - sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP; - RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi, - sizeof (sa.childs[0].i_proposals[0].spi)); - - - - /* Add NAT detection notification messages (mandatory) */ - u8 nat_detection_source[8 + 8 + 4 + 2]; - u8 *nat_detection_sha1 = vec_new (u8, 20); - - u64 tmpspi = clib_host_to_net_u64 (sa.ispi); - clib_memcpy_fast (&nat_detection_source[0], &tmpspi, sizeof (tmpspi)); - tmpspi = clib_host_to_net_u64 (sa.rspi); - clib_memcpy_fast (&nat_detection_source[8], &tmpspi, sizeof (tmpspi)); - u16 tmpport = clib_host_to_net_u16 (500); - clib_memcpy_fast (&nat_detection_source[8 + 8 + 4], &tmpport, - sizeof (tmpport)); - u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32); - clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip)); - SHA1 (nat_detection_source, sizeof (nat_detection_source), - nat_detection_sha1); - ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP, - nat_detection_sha1); - tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32); - clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip)); - SHA1 (nat_detection_source, sizeof (nat_detection_source), - nat_detection_sha1); - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP, - nat_detection_sha1); - vec_free (nat_detection_sha1); - - u8 *sig_hash_algo = vec_new (u8, 8); - u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004); - clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig)); - ikev2_payload_add_notify (chain, - IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS, - sig_hash_algo); - vec_free (sig_hash_algo); - - - /* Buffer update and boilerplate */ - len += vec_len (chain->data); - ike0->nextpayload = chain->first_payload_type; - ike0->length = clib_host_to_net_u32 (len); - clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data)); - ikev2_payload_destroy_chain (chain); - - ike0->version = IKE_VERSION_2; - ike0->flags = IKEV2_HDR_FLAG_INITIATOR; - ike0->exchange = IKEV2_EXCHANGE_SA_INIT; - ike0->ispi = sa.ispi; - - /* store whole IKE payload - needed for PSK auth */ - vec_free (sa.last_sa_init_req_packet_data); - vec_add (sa.last_sa_init_req_packet_data, ike0, len); - - /* add data to the SA then add it to the pool */ - sa.iaddr.as_u32 = if_ip->as_u32; - sa.raddr.as_u32 = p->responder.ip4.as_u32; - sa.i_id.type = p->loc_id.type; - sa.i_id.data = vec_dup (p->loc_id.data); - sa.i_auth.method = p->auth.method; - sa.i_auth.hex = p->auth.hex; - sa.i_auth.data = vec_dup (p->auth.data); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - clib_memcpy_fast (sa.i_auth.key, p->auth.key, - EVP_PKEY_size (p->auth.key)); -#else - sa.i_auth.key = vec_dup (p->auth.key); -#endif - vec_add (sa.childs[0].tsi, &p->loc_ts, 1); - vec_add (sa.childs[0].tsr, &p->rem_ts, 1); - - /* add SA to the pool */ - ikev2_sa_t *sa0 = 0; - pool_get (km->sais, sa0); - clib_memcpy_fast (sa0, &sa, sizeof (*sa0)); - hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais); - - ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len); - - } - - return 0; -} - -static void -ikev2_delete_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa, - ikev2_child_sa_t * csa) -{ - /* Create the Initiator notification for child SA removal */ - ikev2_main_t *km = &ikev2_main; - ike_header_t *ike0; - u32 bi0 = 0; - int len; - - bi0 = ikev2_get_new_ike_header_buff (vm, &ike0); - - - ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL; - ike0->ispi = clib_host_to_net_u64 (sa->ispi); - ike0->rspi = clib_host_to_net_u64 (sa->rspi); - vec_resize (sa->del, 1); - sa->del->protocol_id = IKEV2_PROTOCOL_ESP; - sa->del->spi = csa->i_proposals->spi; - ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1); - sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid); - len = ikev2_generate_message (sa, ike0, 0); - - ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len); - - /* delete local child SA */ - ikev2_delete_tunnel_interface (km->vnet_main, sa, csa); - ikev2_sa_del_child_sa (sa, csa); -} - -clib_error_t * -ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi) -{ - clib_error_t *r; - ikev2_main_t *km = &ikev2_main; - ikev2_main_per_thread_data_t *tkm; - ikev2_sa_t *fsa = 0; - ikev2_child_sa_t *fchild = 0; - - /* Search for the child SA */ - vec_foreach (tkm, km->per_thread_data) - { - ikev2_sa_t *sa; - if (fchild) - break; - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1); - if (fchild) - { - fsa = sa; - break; - } - })); - /* *INDENT-ON* */ - } - - if (!fchild || !fsa) - { - r = clib_error_return (0, "Child SA not found"); - return r; - } - else - { - ikev2_delete_child_sa_internal (vm, fsa, fchild); - } - - return 0; -} - -clib_error_t * -ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi) -{ - clib_error_t *r; - ikev2_main_t *km = &ikev2_main; - ikev2_main_per_thread_data_t *tkm; - ikev2_sa_t *fsa = 0; - ikev2_main_per_thread_data_t *ftkm = 0; - - /* Search for the IKE SA */ - vec_foreach (tkm, km->per_thread_data) - { - ikev2_sa_t *sa; - if (fsa) - break; - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - if (sa->ispi == ispi) - { - fsa = sa; - ftkm = tkm; - break; - } - })); - /* *INDENT-ON* */ - } - - if (!fsa) - { - r = clib_error_return (0, "IKE SA not found"); - return r; - } - - - /* Create the Initiator notification for IKE SA removal */ - { - ike_header_t *ike0; - u32 bi0 = 0; - int len; - - bi0 = ikev2_get_new_ike_header_buff (vm, &ike0); - - - ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL; - ike0->ispi = clib_host_to_net_u64 (fsa->ispi); - ike0->rspi = clib_host_to_net_u64 (fsa->rspi); - vec_resize (fsa->del, 1); - fsa->del->protocol_id = IKEV2_PROTOCOL_IKE; - fsa->del->spi = ispi; - ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1); - fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid); - len = ikev2_generate_message (fsa, ike0, 0); - - ikev2_send_ike (vm, &fsa->iaddr, &fsa->raddr, bi0, len); - } - - - /* delete local SA */ - ikev2_child_sa_t *c; - vec_foreach (c, fsa->childs) - { - ikev2_delete_tunnel_interface (km->vnet_main, fsa, c); - ikev2_sa_del_child_sa (fsa, c); - } - ikev2_sa_free_all_vec (fsa); - uword *p = hash_get (ftkm->sa_by_rspi, fsa->rspi); - if (p) - { - hash_unset (ftkm->sa_by_rspi, fsa->rspi); - pool_put (ftkm->sas, fsa); - } - - - return 0; -} - -static void -ikev2_rekey_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa, - ikev2_child_sa_t * csa) -{ - /* Create the Initiator request for create child SA */ - ike_header_t *ike0; - u32 bi0 = 0; - int len; - - - bi0 = ikev2_get_new_ike_header_buff (vm, &ike0); - - - ike0->version = IKE_VERSION_2; - ike0->flags = IKEV2_HDR_FLAG_INITIATOR; - ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA; - ike0->ispi = clib_host_to_net_u64 (sa->ispi); - ike0->rspi = clib_host_to_net_u64 (sa->rspi); - ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1); - sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid); - - ikev2_rekey_t *rekey; - vec_add2 (sa->rekey, rekey, 1); - ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals); - - /*need new ispi */ - RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi)); - rekey->spi = proposals[0].spi; - rekey->ispi = csa->i_proposals->spi; - len = ikev2_generate_message (sa, ike0, proposals); - ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len); - vec_free (proposals); -} - -clib_error_t * -ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi) -{ - clib_error_t *r; - ikev2_main_t *km = &ikev2_main; - ikev2_main_per_thread_data_t *tkm; - ikev2_sa_t *fsa = 0; - ikev2_child_sa_t *fchild = 0; - - /* Search for the child SA */ - vec_foreach (tkm, km->per_thread_data) - { - ikev2_sa_t *sa; - if (fchild) - break; - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1); - if (fchild) - { - fsa = sa; - break; - } - })); - /* *INDENT-ON* */ - } - - if (!fchild || !fsa) - { - r = clib_error_return (0, "Child SA not found"); - return r; - } - else - { - ikev2_rekey_child_sa_internal (vm, fsa, fchild); - } - - return 0; -} - -clib_error_t * -ikev2_init (vlib_main_t * vm) -{ - ikev2_main_t *km = &ikev2_main; - clib_error_t *error; - vlib_thread_main_t *tm = vlib_get_thread_main (); - int thread_id; - - clib_memset (km, 0, sizeof (ikev2_main_t)); - km->vnet_main = vnet_get_main (); - km->vlib_main = vm; - - ikev2_crypto_init (km); - - mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword)); - - vec_validate (km->per_thread_data, tm->n_vlib_mains - 1); - for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++) - { - km->per_thread_data[thread_id].sa_by_rspi = - hash_create (0, sizeof (uword)); - } - - km->sa_by_ispi = hash_create (0, sizeof (uword)); - - - if ((error = vlib_call_init_function (vm, ikev2_cli_init))) - return error; - - udp_register_dst_port (vm, 500, ikev2_node.index, 1); - - return 0; -} - - -static u8 -ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa) -{ - ikev2_main_t *km = &ikev2_main; - vlib_main_t *vm = km->vlib_main; - f64 now = vlib_time_now (vm); - u8 res = 0; - - if (sa->is_initiator && sa->profile && csa->time_to_expiration - && now > csa->time_to_expiration) - { - if (!csa->is_expired || csa->rekey_retries > 0) - { - ikev2_rekey_child_sa_internal (vm, sa, csa); - csa->time_to_expiration = now + sa->profile->handover; - csa->is_expired = 1; - if (csa->rekey_retries == 0) - { - csa->rekey_retries = 5; - } - else if (csa->rekey_retries > 0) - { - csa->rekey_retries--; - clib_warning ("Rekeying Child SA 0x%x, retries left %d", - csa->i_proposals->spi, csa->rekey_retries); - if (csa->rekey_retries == 0) - { - csa->rekey_retries = -1; - } - } - res |= 1; - } - else - { - csa->time_to_expiration = 0; - ikev2_delete_child_sa_internal (vm, sa, csa); - res |= 1; - } - } - - return res; -} - -static void -ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) -{ - ikev2_main_t *km = &ikev2_main; - vlib_main_t *vm = km->vlib_main; - ikev2_main_per_thread_data_t *tkm; - ikev2_sa_t *fsa = 0; - ikev2_child_sa_t *fchild = 0; - f64 now = vlib_time_now (vm); - vlib_counter_t counts; - - /* Search for the SA and child SA */ - vec_foreach (tkm, km->per_thread_data) - { - ikev2_sa_t *sa; - if (fchild) - break; - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1); - if (fchild) - { - fsa = sa; - break; - } - })); - /* *INDENT-ON* */ - } - vlib_get_combined_counter (&ipsec_sa_counters, - ipsec_sa->stat_index, &counts); - - if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata) - { - if (!fchild->is_expired - && counts.bytes > fsa->profile->lifetime_maxdata) - { - fchild->time_to_expiration = now; - } - } -} - -static vlib_node_registration_t ikev2_mngr_process_node; - -static uword -ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt, - vlib_frame_t * f) -{ - ikev2_main_t *km = &ikev2_main; - ipsec_main_t *im = &ipsec_main; - - while (1) - { - u8 req_sent = 0; - vlib_process_wait_for_event_or_clock (vm, 1); - vlib_process_get_events (vm, NULL); - - /* process ike child sas */ - ikev2_main_per_thread_data_t *tkm; - vec_foreach (tkm, km->per_thread_data) - { - ikev2_sa_t *sa; - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - ikev2_child_sa_t *c; - vec_foreach (c, sa->childs) - { - req_sent |= ikev2_mngr_process_child_sa(sa, c); - } - })); - /* *INDENT-ON* */ - } - - /* process ipsec sas */ - ipsec_sa_t *sa; - /* *INDENT-OFF* */ - pool_foreach (sa, im->sad, ({ - ikev2_mngr_process_ipsec_sa(sa); - })); - /* *INDENT-ON* */ - - if (req_sent) - { - vlib_process_wait_for_event_or_clock (vm, 5); - vlib_process_get_events (vm, NULL); - req_sent = 0; - } - - } - return 0; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ikev2_mngr_process_node, static) = { - .function = ikev2_mngr_process_fn, - .type = VLIB_NODE_TYPE_PROCESS, - .name = - "ikev2-manager-process", -}; - -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2.h b/src/vnet/ipsec/ikev2.h deleted file mode 100644 index 55731bff975..00000000000 --- a/src/vnet/ipsec/ikev2.h +++ /dev/null @@ -1,435 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef __included_ikev2_h__ -#define __included_ikev2_h__ - -#include <vnet/vnet.h> -#include <vnet/ip/ip.h> - -#include <vppinfra/error.h> - -#define IKEV2_NONCE_SIZE 32 - -#define IKEV2_KEY_PAD "Key Pad for IKEv2" - -typedef u8 v8; - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u64 ispi; - u64 rspi; - u8 nextpayload; - u8 version; - u8 exchange; - u8 flags; - u32 msgid; u32 length; u8 payload[0]; -}) ike_header_t; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct - { - u8 nextpayload; - u8 flags; - u16 length; - u16 dh_group; - u8 reserved[2]; u8 payload[0];}) ike_ke_payload_header_t; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 nextpayload; - u8 flags; - u16 length; u8 payload[0]; -}) ike_payload_header_t; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 nextpayload; - u8 flags; - u16 length; - u8 auth_method; - u8 reserved[3]; - u8 payload[0]; -}) ike_auth_payload_header_t; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 nextpayload; - u8 flags; - u16 length; - u8 id_type; - u8 reserved[3]; u8 payload[0]; -}) ike_id_payload_header_t; -/* *INDENT-ON* */ - -#define IKE_VERSION_2 0x20 - -#define IKEV2_EXCHANGE_SA_INIT 34 -#define IKEV2_EXCHANGE_IKE_AUTH 35 -#define IKEV2_EXCHANGE_CREATE_CHILD_SA 36 -#define IKEV2_EXCHANGE_INFORMATIONAL 37 - -#define IKEV2_HDR_FLAG_INITIATOR (1<<3) -#define IKEV2_HDR_FLAG_VERSION (1<<4) -#define IKEV2_HDR_FLAG_RESPONSE (1<<5) - -#define IKEV2_PAYLOAD_FLAG_CRITICAL (1<<7) - -#define IKEV2_PAYLOAD_NONE 0 -#define IKEV2_PAYLOAD_SA 33 -#define IKEV2_PAYLOAD_KE 34 -#define IKEV2_PAYLOAD_IDI 35 -#define IKEV2_PAYLOAD_IDR 36 -#define IKEV2_PAYLOAD_AUTH 39 -#define IKEV2_PAYLOAD_NONCE 40 -#define IKEV2_PAYLOAD_NOTIFY 41 -#define IKEV2_PAYLOAD_DELETE 42 -#define IKEV2_PAYLOAD_VENDOR 43 -#define IKEV2_PAYLOAD_TSI 44 -#define IKEV2_PAYLOAD_TSR 45 -#define IKEV2_PAYLOAD_SK 46 - -typedef enum -{ - IKEV2_PROTOCOL_IKE = 1, - IKEV2_PROTOCOL_AH = 2, - IKEV2_PROTOCOL_ESP = 3, -} ikev2_protocol_id_t; - -#define foreach_ikev2_notify_msg_type \ - _( 0, NONE) \ - _( 1, UNSUPPORTED_CRITICAL_PAYLOAD) \ - _( 4, INVALID_IKE_SPI) \ - _( 5, INVALID_MAJOR_VERSION) \ - _( 7, INVALID_SYNTAX) \ - _( 8, INVALID_MESSAGE_ID) \ - _( 11, INVALID_SPI) \ - _( 14, NO_PROPOSAL_CHOSEN) \ - _( 17, INVALID_KE_PAYLOAD) \ - _( 24, AUTHENTICATION_FAILED) \ - _( 34, SINGLE_PAIR_REQUIRED) \ - _( 35, NO_ADDITIONAL_SAS) \ - _( 36, INTERNAL_ADDRESS_FAILURE) \ - _( 37, FAILED_CP_REQUIRED) \ - _( 38, TS_UNACCEPTABLE) \ - _( 39, INVALID_SELECTORS) \ - _( 40, UNACCEPTABLE_ADDRESSES) \ - _( 41, UNEXPECTED_NAT_DETECTED) \ - _( 42, USE_ASSIGNED_HoA) \ - _( 43, TEMPORARY_FAILURE) \ - _( 44, CHILD_SA_NOT_FOUND) \ - _( 45, INVALID_GROUP_ID) \ - _( 46, AUTHORIZATION_FAILED) \ - _(16384, INITIAL_CONTACT) \ - _(16385, SET_WINDOW_SIZE) \ - _(16386, ADDITIONAL_TS_POSSIBLE) \ - _(16387, IPCOMP_SUPPORTED) \ - _(16388, NAT_DETECTION_SOURCE_IP) \ - _(16389, NAT_DETECTION_DESTINATION_IP) \ - _(16390, COOKIE) \ - _(16391, USE_TRANSPORT_MODE) \ - _(16392, HTTP_CERT_LOOKUP_SUPPORTED) \ - _(16393, REKEY_SA) \ - _(16394, ESP_TFC_PADDING_NOT_SUPPORTED) \ - _(16395, NON_FIRST_FRAGMENTS_ALSO) \ - _(16396, MOBIKE_SUPPORTED) \ - _(16397, ADDITIONAL_IP4_ADDRESS) \ - _(16398, ADDITIONAL_IP6_ADDRESS) \ - _(16399, NO_ADDITIONAL_ADDRESSES) \ - _(16400, UPDATE_SA_ADDRESSES) \ - _(16401, COOKIE2) \ - _(16402, NO_NATS_ALLOWED) \ - _(16403, AUTH_LIFETIME) \ - _(16404, MULTIPLE_AUTH_SUPPORTED) \ - _(16405, ANOTHER_AUTH_FOLLOWS) \ - _(16406, REDIRECT_SUPPORTED) \ - _(16407, REDIRECT) \ - _(16408, REDIRECTED_FROM) \ - _(16409, TICKET_LT_OPAQUE) \ - _(16410, TICKET_REQUEST) \ - _(16411, TICKET_ACK) \ - _(16412, TICKET_NACK) \ - _(16413, TICKET_OPAQUE) \ - _(16414, LINK_ID) \ - _(16415, USE_WESP_MODE) \ - _(16416, ROHC_SUPPORTED) \ - _(16417, EAP_ONLY_AUTHENTICATION) \ - _(16418, CHILDLESS_IKEV2_SUPPORTED) \ - _(16419, QUICK_CRASH_DETECTION) \ - _(16420, IKEV2_MESSAGE_ID_SYNC_SUPPORTED) \ - _(16421, IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED) \ - _(16422, IKEV2_MESSAGE_ID_SYNC) \ - _(16423, IPSEC_REPLAY_COUNTER_SYNC) \ - _(16424, SECURE_PASSWORD_METHODS) \ - _(16425, PSK_PERSIST) \ - _(16426, PSK_CONFIRM) \ - _(16427, ERX_SUPPORTED) \ - _(16428, IFOM_CAPABILITY) \ - _(16429, SENDER_REQUEST_ID) \ - _(16430, IKEV2_FRAGMENTATION_SUPPORTED) \ - _(16431, SIGNATURE_HASH_ALGORITHMS) - - -typedef enum -{ -#define _(v,f) IKEV2_NOTIFY_MSG_##f = v, - foreach_ikev2_notify_msg_type -#undef _ -} ikev2_notify_msg_type_t; - -#define foreach_ikev2_transform_type \ - _(0, UNDEFINED, "undefined") \ - _(1, ENCR, "encr") \ - _(2, PRF, "prf") \ - _(3, INTEG, "integ") \ - _(4, DH, "dh-group") \ - _(5, ESN, "esn") - -typedef enum -{ -#define _(v,f,s) IKEV2_TRANSFORM_TYPE_##f = v, - foreach_ikev2_transform_type -#undef _ - IKEV2_TRANSFORM_NUM_TYPES -} ikev2_transform_type_t; - - -#define foreach_ikev2_transform_encr_type \ - _(1 , DES_IV64, "des-iv64") \ - _(2 , DES, "des") \ - _(3 , 3DES, "3des") \ - _(4 , RC5, "rc5") \ - _(5 , IDEA, "idea") \ - _(6 , CAST, "cast") \ - _(7 , BLOWFISH, "blowfish") \ - _(8 , 3IDEA, "3idea") \ - _(9 , DES_IV32, "des-iv32") \ - _(11, NULL, "null") \ - _(12, AES_CBC, "aes-cbc") \ - _(13, AES_CTR, "aes-ctr") - -typedef enum -{ -#define _(v,f,str) IKEV2_TRANSFORM_ENCR_TYPE_##f = v, - foreach_ikev2_transform_encr_type -#undef _ -} ikev2_transform_encr_type_t; - -#define foreach_ikev2_transform_prf_type \ - _(1, PRF_HMAC_MD5, "hmac-md5") \ - _(2, PRF_HMAC_SHA1, "hmac-sha1") \ - _(3, PRF_MAC_TIGER, "mac-tiger") \ - _(4, PRF_AES128_XCBC, "aes128-xcbc") \ - _(5, PRF_HMAC_SHA2_256, "hmac-sha2-256") \ - _(6, PRF_HMAC_SHA2_384, "hmac-sha2-384") \ - _(7, PRF_HMAC_SHA2_512, "hmac-sha2-512") \ - _(8, PRF_AES128_CMAC, "aes128-cmac") - -typedef enum -{ -#define _(v,f,str) IKEV2_TRANSFORM_PRF_TYPE_##f = v, - foreach_ikev2_transform_prf_type -#undef _ -} ikev2_transform_prf_type_t; - -#define foreach_ikev2_transform_integ_type \ - _(0, NONE, "none") \ - _(1, AUTH_HMAC_MD5_96, "md5-96") \ - _(2, AUTH_HMAC_SHA1_96, "sha1-96") \ - _(3, AUTH_DES_MAC, "des-mac") \ - _(4, AUTH_KPDK_MD5, "kpdk-md5") \ - _(5, AUTH_AES_XCBC_96, "aes-xcbc-96") \ - _(6, AUTH_HMAC_MD5_128, "md5-128") \ - _(7, AUTH_HMAC_SHA1_160, "sha1-160") \ - _(8, AUTH_AES_CMAC_96, "cmac-96") \ - _(9, AUTH_AES_128_GMAC, "aes-128-gmac") \ - _(10, AUTH_AES_192_GMAC, "aes-192-gmac") \ - _(11, AUTH_AES_256_GMAC, "aes-256-gmac") \ - _(12, AUTH_HMAC_SHA2_256_128, "hmac-sha2-256-128") \ - _(13, AUTH_HMAC_SHA2_384_192, "hmac-sha2-384-192") \ - _(14, AUTH_HMAC_SHA2_512_256, "hmac-sha2-512-256") - -typedef enum -{ -#define _(v,f, str) IKEV2_TRANSFORM_INTEG_TYPE_##f = v, - foreach_ikev2_transform_integ_type -#undef _ -} ikev2_transform_integ_type_t; - -#if defined(OPENSSL_NO_CISCO_FECDH) -#define foreach_ikev2_transform_dh_type \ - _(0, NONE, "none") \ - _(1, MODP_768, "modp-768") \ - _(2, MODP_1024, "modp-1024") \ - _(5, MODP_1536, "modp-1536") \ - _(14, MODP_2048, "modp-2048") \ - _(15, MODP_3072, "modp-3072") \ - _(16, MODP_4096, "modp-4096") \ - _(17, MODP_6144, "modp-6144") \ - _(18, MODP_8192, "modp-8192") \ - _(19, ECP_256, "ecp-256") \ - _(20, ECP_384, "ecp-384") \ - _(21, ECP_521, "ecp-521") \ - _(22, MODP_1024_160, "modp-1024-160") \ - _(23, MODP_2048_224, "modp-2048-224") \ - _(24, MODP_2048_256, "modp-2048-256") \ - _(25, ECP_192, "ecp-192") \ - _(26, ECP_224, "ecp-224") \ - _(27, BRAINPOOL_224, "brainpool-224") \ - _(28, BRAINPOOL_256, "brainpool-256") \ - _(29, BRAINPOOL_384, "brainpool-384") \ - _(30, BRAINPOOL_512, "brainpool-512") -#else -#define foreach_ikev2_transform_dh_type \ - _(0, NONE, "none") \ - _(1, MODP_768, "modp-768") \ - _(2, MODP_1024, "modp-1024") \ - _(5, MODP_1536, "modp-1536") \ - _(14, MODP_2048, "modp-2048") \ - _(15, MODP_3072, "modp-3072") \ - _(16, MODP_4096, "modp-4096") \ - _(17, MODP_6144, "modp-6144") \ - _(18, MODP_8192, "modp-8192") \ - _(19, ECP_256, "ecp-256") \ - _(20, ECP_384, "ecp-384") \ - _(21, ECP_521, "ecp-521") \ - _(22, MODP_1024_160, "modp-1024-160") \ - _(23, MODP_2048_224, "modp-2048-224") \ - _(24, MODP_2048_256, "modp-2048-256") \ - _(25, ECP_192, "ecp-192") -#endif - -typedef enum -{ -#define _(v,f, str) IKEV2_TRANSFORM_DH_TYPE_##f = v, - foreach_ikev2_transform_dh_type -#undef _ -} ikev2_transform_dh_type_t; - -#define foreach_ikev2_transform_esn_type \ - _(0, NO_ESN, "no") \ - _(1, ESN, "yes") - -typedef enum -{ -#define _(v,f,str) IKEV2_TRANSFORM_ESN_TYPE_##f = v, - foreach_ikev2_transform_esn_type -#undef _ -} ikev2_transform_esn_type_t; - -#define foreach_ikev2_auth_method \ - _( 1, RSA_SIG, "rsa-sig") \ - _( 2, SHARED_KEY_MIC, "shared-key-mic") - -typedef enum -{ -#define _(v,f,s) IKEV2_AUTH_METHOD_##f = v, - foreach_ikev2_auth_method -#undef _ -} ikev2_auth_method_t; - -#define foreach_ikev2_id_type \ - _( 1, ID_IPV4_ADDR, "ip4-addr") \ - _( 2, ID_FQDN, "fqdn") \ - _( 3, ID_RFC822_ADDR, "rfc822") \ - _( 5, ID_IPV6_ADDR, "ip6-addr") \ - _( 9, ID_DER_ASN1_DN, "der-asn1-dn") \ - _(10, ID_DER_ASN1_GN, "der-asn1-gn") \ - _(11, ID_KEY_ID, "key-id") - -typedef enum -{ -#define _(v,f,s) IKEV2_ID_TYPE_##f = v, - foreach_ikev2_id_type -#undef _ -} ikev2_id_type_t; - -clib_error_t *ikev2_init (vlib_main_t * vm); -clib_error_t *ikev2_set_local_key (vlib_main_t * vm, u8 * file); -clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add); -clib_error_t *ikev2_set_profile_auth (vlib_main_t * vm, u8 * name, - u8 auth_method, u8 * data, - u8 data_hex_format); -clib_error_t *ikev2_set_profile_id (vlib_main_t * vm, u8 * name, - u8 id_type, u8 * data, int is_local); -clib_error_t *ikev2_set_profile_ts (vlib_main_t * vm, u8 * name, - u8 protocol_id, u16 start_port, - u16 end_port, ip4_address_t start_addr, - ip4_address_t end_addr, int is_local); -clib_error_t *ikev2_set_profile_responder (vlib_main_t * vm, u8 * name, - u32 sw_if_index, - ip4_address_t ip4); -clib_error_t *ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name, - ikev2_transform_encr_type_t - crypto_alg, - ikev2_transform_integ_type_t - integ_alg, - ikev2_transform_dh_type_t - dh_type, u32 crypto_key_size); -clib_error_t *ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name, - ikev2_transform_encr_type_t - crypto_alg, - ikev2_transform_integ_type_t - integ_alg, - ikev2_transform_dh_type_t - dh_type, u32 crypto_key_size); -clib_error_t *ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name, - u64 lifetime, u32 jitter, - u32 handover, u64 maxdata); -clib_error_t *ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name); -clib_error_t *ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi); -clib_error_t *ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi); -clib_error_t *ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi); - -/* ikev2_format.c */ -u8 *format_ikev2_auth_method (u8 * s, va_list * args); -u8 *format_ikev2_id_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_type (u8 * s, va_list * args); -u8 *format_ikev2_notify_msg_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_encr_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_prf_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_integ_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_dh_type (u8 * s, va_list * args); -u8 *format_ikev2_transform_esn_type (u8 * s, va_list * args); -u8 *format_ikev2_sa_transform (u8 * s, va_list * args); - -uword unformat_ikev2_auth_method (unformat_input_t * input, va_list * args); -uword unformat_ikev2_id_type (unformat_input_t * input, va_list * args); -uword unformat_ikev2_transform_type (unformat_input_t * input, - va_list * args); -uword unformat_ikev2_transform_encr_type (unformat_input_t * input, - va_list * args); -uword unformat_ikev2_transform_prf_type (unformat_input_t * input, - va_list * args); -uword unformat_ikev2_transform_integ_type (unformat_input_t * input, - va_list * args); -uword unformat_ikev2_transform_dh_type (unformat_input_t * input, - va_list * args); -uword unformat_ikev2_transform_esn_type (unformat_input_t * input, - va_list * args); - -#endif /* __included_ikev2_h__ */ - - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2_cli.c b/src/vnet/ipsec/ikev2_cli.c deleted file mode 100644 index 05ed4e6067f..00000000000 --- a/src/vnet/ipsec/ikev2_cli.c +++ /dev/null @@ -1,602 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <vlib/vlib.h> -#include <vnet/vnet.h> -#include <vnet/pg/pg.h> -#include <vppinfra/error.h> -#include <vnet/udp/udp.h> -#include <vnet/ipsec/ikev2.h> -#include <vnet/ipsec/ikev2_priv.h> - -u8 * -format_ikev2_id_type_and_data (u8 * s, va_list * args) -{ - ikev2_id_t *id = va_arg (*args, ikev2_id_t *); - - if (id->type == 0 || vec_len (id->data) == 0) - return format (s, "none"); - - s = format (s, "%U", format_ikev2_id_type, id->type); - - if (id->type == IKEV2_ID_TYPE_ID_FQDN || - id->type == IKEV2_ID_TYPE_ID_RFC822_ADDR) - { - s = format (s, " %v", id->data); - } - else - { - s = - format (s, " %U", format_hex_bytes, &id->data, - (uword) (vec_len (id->data))); - } - - return s; -} - - -static clib_error_t * -show_ikev2_sa_command_fn (vlib_main_t * vm, - unformat_input_t * input, vlib_cli_command_t * cmd) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_main_per_thread_data_t *tkm; - ikev2_sa_t *sa; - ikev2_ts_t *ts; - ikev2_child_sa_t *child; - ikev2_sa_transform_t *tr; - - vec_foreach (tkm, km->per_thread_data) - { - /* *INDENT-OFF* */ - pool_foreach (sa, tkm->sas, ({ - u8 * s = 0; - vlib_cli_output(vm, " iip %U ispi %lx rip %U rspi %lx", - format_ip4_address, &sa->iaddr, sa->ispi, - format_ip4_address, &sa->raddr, sa->rspi); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - vlib_cli_output(vm, " %v", s); - vec_free(s); - - vlib_cli_output(vm, " nonce i:%U\n r:%U", - format_hex_bytes, sa->i_nonce, vec_len(sa->i_nonce), - format_hex_bytes, sa->r_nonce, vec_len(sa->r_nonce)); - - vlib_cli_output(vm, " SK_d %U", - format_hex_bytes, sa->sk_d, vec_len(sa->sk_d)); - vlib_cli_output(vm, " SK_a i:%U\n r:%U", - format_hex_bytes, sa->sk_ai, vec_len(sa->sk_ai), - format_hex_bytes, sa->sk_ar, vec_len(sa->sk_ar)); - vlib_cli_output(vm, " SK_e i:%U\n r:%U", - format_hex_bytes, sa->sk_ei, vec_len(sa->sk_ei), - format_hex_bytes, sa->sk_er, vec_len(sa->sk_er)); - vlib_cli_output(vm, " SK_p i:%U\n r:%U", - format_hex_bytes, sa->sk_pi, vec_len(sa->sk_pi), - format_hex_bytes, sa->sk_pr, vec_len(sa->sk_pr)); - - vlib_cli_output(vm, " identifier (i) %U", - format_ikev2_id_type_and_data, &sa->i_id); - vlib_cli_output(vm, " identifier (r) %U", - format_ikev2_id_type_and_data, &sa->r_id); - - vec_foreach(child, sa->childs) - { - vlib_cli_output(vm, " child sa %u:", child - sa->childs); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - vlib_cli_output(vm, " %v", s); - vec_free(s); - - vlib_cli_output(vm, " spi(i) %lx spi(r) %lx", - child->i_proposals ? child->i_proposals[0].spi : 0, - child->r_proposals ? child->r_proposals[0].spi : 0); - - vlib_cli_output(vm, " SK_e i:%U\n r:%U", - format_hex_bytes, child->sk_ei, vec_len(child->sk_ei), - format_hex_bytes, child->sk_er, vec_len(child->sk_er)); - vlib_cli_output(vm, " SK_a i:%U\n r:%U", - format_hex_bytes, child->sk_ai, vec_len(child->sk_ai), - format_hex_bytes, child->sk_ar, vec_len(child->sk_ar)); - vlib_cli_output(vm, " traffic selectors (i):"); - vec_foreach(ts, child->tsi) - { - vlib_cli_output(vm, " %u type %u protocol_id %u addr " - "%U - %U port %u - %u", - ts - child->tsi, - ts->ts_type, ts->protocol_id, - format_ip4_address, &ts->start_addr, - format_ip4_address, &ts->end_addr, - clib_net_to_host_u16( ts->start_port), - clib_net_to_host_u16( ts->end_port)); - } - vlib_cli_output(vm, " traffic selectors (r):"); - vec_foreach(ts, child->tsr) - { - vlib_cli_output(vm, " %u type %u protocol_id %u addr " - "%U - %U port %u - %u", - ts - child->tsr, - ts->ts_type, ts->protocol_id, - format_ip4_address, &ts->start_addr, - format_ip4_address, &ts->end_addr, - clib_net_to_host_u16( ts->start_port), - clib_net_to_host_u16( ts->end_port)); - } - } - vlib_cli_output(vm, ""); - })); - /* *INDENT-ON* */ - } - return 0; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (show_ikev2_sa_command, static) = { - .path = "show ikev2 sa", - .short_help = "show ikev2 sa", - .function = show_ikev2_sa_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -ikev2_profile_add_del_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - vnet_main_t *vnm = vnet_get_main (); - unformat_input_t _line_input, *line_input = &_line_input; - u8 *name = 0; - clib_error_t *r = 0; - u32 id_type; - u8 *data = 0; - u32 tmp1, tmp2, tmp3; - u64 tmp4, tmp5; - ip4_address_t ip4; - ip4_address_t end_addr; - u32 responder_sw_if_index = (u32) ~ 0; - ip4_address_t responder_ip4; - ikev2_transform_encr_type_t crypto_alg; - ikev2_transform_integ_type_t integ_alg; - ikev2_transform_dh_type_t dh_type; - - const char *valid_chars = "a-zA-Z0-9_"; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "add %U", unformat_token, valid_chars, &name)) - { - r = ikev2_add_del_profile (vm, name, 1); - goto done; - } - else - if (unformat - (line_input, "del %U", unformat_token, valid_chars, &name)) - { - r = ikev2_add_del_profile (vm, name, 0); - goto done; - } - else if (unformat (line_input, "set %U auth shared-key-mic string %v", - unformat_token, valid_chars, &name, &data)) - { - r = - ikev2_set_profile_auth (vm, name, - IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data, - 0); - goto done; - } - else if (unformat (line_input, "set %U auth shared-key-mic hex %U", - unformat_token, valid_chars, &name, - unformat_hex_string, &data)) - { - r = - ikev2_set_profile_auth (vm, name, - IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data, - 1); - goto done; - } - else if (unformat (line_input, "set %U auth rsa-sig cert-file %v", - unformat_token, valid_chars, &name, &data)) - { - r = - ikev2_set_profile_auth (vm, name, IKEV2_AUTH_METHOD_RSA_SIG, data, - 0); - goto done; - } - else if (unformat (line_input, "set %U id local %U %U", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, - unformat_ip4_address, &ip4)) - { - data = vec_new (u8, 4); - clib_memcpy (data, ip4.as_u8, 4); - r = - ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1); - goto done; - } - else if (unformat (line_input, "set %U id local %U 0x%U", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, - unformat_hex_string, &data)) - { - r = - ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1); - goto done; - } - else if (unformat (line_input, "set %U id local %U %v", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, &data)) - { - r = - ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1); - goto done; - } - else if (unformat (line_input, "set %U id remote %U %U", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, - unformat_ip4_address, &ip4)) - { - data = vec_new (u8, 4); - clib_memcpy (data, ip4.as_u8, 4); - r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */ - 0); - goto done; - } - else if (unformat (line_input, "set %U id remote %U 0x%U", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, - unformat_hex_string, &data)) - { - r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */ - 0); - goto done; - } - else if (unformat (line_input, "set %U id remote %U %v", - unformat_token, valid_chars, &name, - unformat_ikev2_id_type, &id_type, &data)) - { - r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */ - 0); - goto done; - } - else if (unformat (line_input, "set %U traffic-selector local " - "ip-range %U - %U port-range %u - %u protocol %u", - unformat_token, valid_chars, &name, - unformat_ip4_address, &ip4, - unformat_ip4_address, &end_addr, - &tmp1, &tmp2, &tmp3)) - { - r = - ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2, - ip4, end_addr, /*local */ 1); - goto done; - } - else if (unformat (line_input, "set %U traffic-selector remote " - "ip-range %U - %U port-range %u - %u protocol %u", - unformat_token, valid_chars, &name, - unformat_ip4_address, &ip4, - unformat_ip4_address, &end_addr, - &tmp1, &tmp2, &tmp3)) - { - r = - ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2, - ip4, end_addr, /*remote */ 0); - goto done; - } - else if (unformat (line_input, "set %U responder %U %U", - unformat_token, valid_chars, &name, - unformat_vnet_sw_interface, vnm, - &responder_sw_if_index, unformat_ip4_address, - &responder_ip4)) - { - r = - ikev2_set_profile_responder (vm, name, responder_sw_if_index, - responder_ip4); - goto done; - } - else - if (unformat - (line_input, - "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U", - unformat_token, valid_chars, &name, - unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1, - unformat_ikev2_transform_integ_type, &integ_alg, - unformat_ikev2_transform_dh_type, &dh_type)) - { - r = - ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg, - dh_type, tmp1); - goto done; - } - else - if (unformat - (line_input, - "set %U esp-crypto-alg %U %u esp-integ-alg %U esp-dh %U", - unformat_token, valid_chars, &name, - unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1, - unformat_ikev2_transform_integ_type, &integ_alg, - unformat_ikev2_transform_dh_type, &dh_type)) - { - r = - ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg, - dh_type, tmp1); - goto done; - } - else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu", - unformat_token, valid_chars, &name, - &tmp4, &tmp1, &tmp2, &tmp5)) - { - r = - ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5); - goto done; - } - else - break; - } - - r = clib_error_return (0, "parse error: '%U'", - format_unformat_error, line_input); - -done: - vec_free (name); - vec_free (data); - unformat_free (line_input); - return r; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = { - .path = "ikev2 profile", - .short_help = - "ikev2 profile [add|del] <id>\n" - "ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex]" - " <data>\n" - "ikev2 profile set <id> id <local|remote> <type> <data>\n" - "ikev2 profile set <id> traffic-selector <local|remote> ip-range " - "<start-addr> - <end-addr> port-range <start-port> - <end-port> " - "protocol <protocol-number>\n" - "ikev2 profile set <id> responder <interface> <addr>\n" - "ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>\n" - "ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>\n" - "ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>", - .function = ikev2_profile_add_del_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -show_ikev2_profile_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - ikev2_main_t *km = &ikev2_main; - ikev2_profile_t *p; - - /* *INDENT-OFF* */ - pool_foreach (p, km->profiles, ({ - vlib_cli_output(vm, "profile %v", p->name); - - if (p->auth.data) - { - if (p->auth.hex) - vlib_cli_output(vm, " auth-method %U auth data 0x%U", - format_ikev2_auth_method, p->auth.method, - format_hex_bytes, p->auth.data, vec_len(p->auth.data)); - else - vlib_cli_output(vm, " auth-method %U auth data %v", - format_ikev2_auth_method, p->auth.method, p->auth.data); - } - - if (p->loc_id.data) - { - if (p->loc_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR) - vlib_cli_output(vm, " local id-type %U data %U", - format_ikev2_id_type, p->loc_id.type, - format_ip4_address, p->loc_id.data); - else if (p->loc_id.type == IKEV2_ID_TYPE_ID_KEY_ID) - vlib_cli_output(vm, " local id-type %U data 0x%U", - format_ikev2_id_type, p->loc_id.type, - format_hex_bytes, p->loc_id.data, - vec_len(p->loc_id.data)); - else - vlib_cli_output(vm, " local id-type %U data %v", - format_ikev2_id_type, p->loc_id.type, p->loc_id.data); - } - - if (p->rem_id.data) - { - if (p->rem_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR) - vlib_cli_output(vm, " remote id-type %U data %U", - format_ikev2_id_type, p->rem_id.type, - format_ip4_address, p->rem_id.data); - else if (p->rem_id.type == IKEV2_ID_TYPE_ID_KEY_ID) - vlib_cli_output(vm, " remote id-type %U data 0x%U", - format_ikev2_id_type, p->rem_id.type, - format_hex_bytes, p->rem_id.data, - vec_len(p->rem_id.data)); - else - vlib_cli_output(vm, " remote id-type %U data %v", - format_ikev2_id_type, p->rem_id.type, p->rem_id.data); - } - - if (p->loc_ts.end_addr.as_u32) - vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u" - " protocol %u", - format_ip4_address, &p->loc_ts.start_addr, - format_ip4_address, &p->loc_ts.end_addr, - p->loc_ts.start_port, p->loc_ts.end_port, - p->loc_ts.protocol_id); - - if (p->rem_ts.end_addr.as_u32) - vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u" - " protocol %u", - format_ip4_address, &p->rem_ts.start_addr, - format_ip4_address, &p->rem_ts.end_addr, - p->rem_ts.start_port, p->rem_ts.end_port, - p->rem_ts.protocol_id); - })); - /* *INDENT-ON* */ - - return 0; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = { - .path = "show ikev2 profile", - .short_help = "show ikev2 profile", - .function = show_ikev2_profile_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -set_ikev2_local_key_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - clib_error_t *r = 0; - u8 *data = 0; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "%s", &data)) - { - r = ikev2_set_local_key (vm, data); - goto done; - } - else - break; - } - - r = clib_error_return (0, "parse error: '%U'", - format_unformat_error, line_input); - -done: - vec_free (data); - unformat_free (line_input); - return r; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = { - .path = "set ikev2 local key", - .short_help = - "set ikev2 local key <file>", - .function = set_ikev2_local_key_command_fn, -}; -/* *INDENT-ON* */ - - -static clib_error_t * -ikev2_initiate_command_fn (vlib_main_t * vm, - unformat_input_t * input, vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - clib_error_t *r = 0; - u8 *name = 0; - u32 tmp1; - u64 tmp2; - - const char *valid_chars = "a-zA-Z0-9_"; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat - (line_input, "sa-init %U", unformat_token, valid_chars, &name)) - { - r = ikev2_initiate_sa_init (vm, name); - goto done; - } - else if (unformat (line_input, "del-child-sa %x", &tmp1)) - { - r = ikev2_initiate_delete_child_sa (vm, tmp1); - goto done; - } - else if (unformat (line_input, "del-sa %lx", &tmp2)) - { - r = ikev2_initiate_delete_ike_sa (vm, tmp2); - goto done; - } - else if (unformat (line_input, "rekey-child-sa %x", &tmp1)) - { - r = ikev2_initiate_rekey_child_sa (vm, tmp1); - goto done; - } - else - break; - } - - r = clib_error_return (0, "parse error: '%U'", - format_unformat_error, line_input); - -done: - vec_free (name); - unformat_free (line_input); - return r; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (ikev2_initiate_command, static) = { - .path = "ikev2 initiate", - .short_help = - "ikev2 initiate sa-init <profile id>\n" - "ikev2 initiate del-child-sa <child sa ispi>\n" - "ikev2 initiate del-sa <sa ispi>\n" - "ikev2 initiate rekey-child-sa <profile id> <child sa ispi>\n", - .function = ikev2_initiate_command_fn, -}; -/* *INDENT-ON* */ - - -clib_error_t * -ikev2_cli_init (vlib_main_t * vm) -{ - return 0; -} - -VLIB_INIT_FUNCTION (ikev2_cli_init); - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2_crypto.c b/src/vnet/ipsec/ikev2_crypto.c deleted file mode 100644 index ffe15891b75..00000000000 --- a/src/vnet/ipsec/ikev2_crypto.c +++ /dev/null @@ -1,1076 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vlib/vlib.h> -#include <vnet/vnet.h> -#include <vnet/pg/pg.h> -#include <vppinfra/error.h> -#include <vnet/udp/udp.h> -#include <vnet/ipsec/ikev2.h> -#include <vnet/ipsec/ikev2_priv.h> -#include <openssl/obj_mac.h> -#include <openssl/ec.h> -#include <openssl/x509.h> -#include <openssl/pem.h> -#include <openssl/bn.h> -#include <openssl/dh.h> - -/* from RFC7296 */ -static const char modp_dh_768_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"; -static const char modp_dh_768_generator[] = "02"; - -static const char modp_dh_1024_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" "FFFFFFFFFFFFFFFF"; -static const char modp_dh_1024_generator[] = "02"; - -/* from RFC3526 */ -static const char modp_dh_1536_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"; -static const char modp_dh_1536_generator[] = "02"; - -static const char modp_dh_2048_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; -static const char modp_dh_2048_generator[] = "02"; - -static const char modp_dh_3072_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; -static const char modp_dh_3072_generator[] = "02"; - -static const char modp_dh_4096_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" "FFFFFFFFFFFFFFFF"; -static const char modp_dh_4096_generator[] = "02"; - -static const char modp_dh_6144_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" - "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" - "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" - "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8" - "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C" - "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D" - "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D" - "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226" - "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC" - "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26" - "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB" - "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2" - "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127" - "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406" - "AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918" - "DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B33205151" - "2BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03" - "F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97F" - "BEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58B" - "B7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632" - "387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E" - "6DCC4024FFFFFFFFFFFFFFFF"; -static const char modp_dh_6144_generator[] = "02"; - -static const char modp_dh_8192_prime[] = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD" - "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831" - "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B" - "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF" - "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6" - "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3" - "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328" - "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C" - "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE" - "12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4" - "38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300" - "741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F568" - "3423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9" - "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B" - "4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A" - "062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A36" - "4597E899A0255DC164F31CC50846851DF9AB48195DED7EA1" - "B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92" - "4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E47" - "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" - "60C980DD98EDD3DFFFFFFFFFFFFFFFFF"; -static const char modp_dh_8192_generator[] = "02"; - -/* from RFC5114 */ -static const char modp_dh_1024_160_prime[] = - "B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C6" - "9A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C0" - "13ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD70" - "98488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0" - "A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708" "DF1FB2BC2E4A4371"; -static const char modp_dh_1024_160_generator[] = - "A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507F" - "D6406CFF14266D31266FEA1E5C41564B777E690F5504F213" - "160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1" - "909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28A" - "D662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24" "855E6EEB22B3B2E5"; - -static const char modp_dh_2048_224_prime[] = - "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" - "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" - "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" - "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" - "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" - "B3BF8A317091883681286130BC8985DB1602E714415D9330" - "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" - "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" - "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" - "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" - "CF9DE5384E71B81C0AC4DFFE0C10E64F"; -static const char modp_dh_2048_224_generator[] = - "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" - "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" - "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" - "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" - "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" - "F180EB34118E98D119529A45D6F834566E3025E316A330EF" - "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" - "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" - "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" - "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" - "81BC087F2A7065B384B890D3191F2BFA"; - -static const char modp_dh_2048_256_prime[] = - "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F2" - "5D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA30" - "16C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD" - "5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B" - "6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C" - "4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0E" - "F13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D9" - "67E144E5140564251CCACB83E6B486F6B3CA3F7971506026" - "C0B857F689962856DED4010ABD0BE621C3A3960A54E710C3" - "75F26375D7014103A4B54330C198AF126116D2276E11715F" - "693877FAD7EF09CADB094AE91E1A1597"; -static const char modp_dh_2048_256_generator[] = - "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF2054" - "07F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555" - "BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18" - "A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B" - "777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC83" - "1D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55" - "A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14" - "C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915" - "B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6" - "184B523D1DB246C32F63078490F00EF8D647D148D4795451" - "5E2327CFEF98C582664B4C0F6CC41659"; - -v8 * -ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - HMAC_CTX *ctx; -#else - HMAC_CTX ctx; -#endif - v8 *prf; - unsigned int len = 0; - - prf = vec_new (u8, tr->key_trunc); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = HMAC_CTX_new (); - HMAC_Init_ex (ctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (ctx, data, vec_len (data)); - HMAC_Final (ctx, prf, &len); -#else - HMAC_CTX_init (&ctx); - HMAC_Init_ex (&ctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (&ctx, data, vec_len (data)); - HMAC_Final (&ctx, prf, &len); - HMAC_CTX_cleanup (&ctx); -#endif - ASSERT (len == tr->key_trunc); - - return prf; -} - -u8 * -ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed, int len) -{ - v8 *t = 0, *s = 0, *tmp = 0, *ret = 0; - u8 x = 0; - - /* prf+ (K,S) = T1 | T2 | T3 | T4 | ... - - where: - T1 = prf (K, S | 0x01) - T2 = prf (K, T1 | S | 0x02) - T3 = prf (K, T2 | S | 0x03) - T4 = prf (K, T3 | S | 0x04) - */ - - while (vec_len (ret) < len && x < 255) - { - if (t) - { - vec_append (s, t); - vec_free (t); - } - - vec_append (s, seed); - vec_add2 (s, tmp, 1); - *tmp = x + 1; - t = ikev2_calc_prf (tr, key, s); - vec_append (ret, t); - vec_free (s); - x++; - } - - vec_free (t); - - if (x == 255) - { - vec_free (ret); - } - - return ret; -} - -v8 * -ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len) -{ - v8 *r; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - HMAC_CTX *hctx; -#else - HMAC_CTX hctx; -#endif - unsigned int l; - - ASSERT (tr->type == IKEV2_TRANSFORM_TYPE_INTEG); - - r = vec_new (u8, tr->key_len); - - if (tr->md == EVP_sha1 ()) - { - clib_warning ("integrity checking with sha1"); - } - else if (tr->md == EVP_sha256 ()) - { - clib_warning ("integrity checking with sha256"); - } - - /* verify integrity of data */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - hctx = HMAC_CTX_new (); - HMAC_Init_ex (hctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (hctx, (const u8 *) data, len); - HMAC_Final (hctx, r, &l); -#else - HMAC_CTX_init (&hctx); - HMAC_Init_ex (&hctx, key, vec_len (key), tr->md, NULL); - HMAC_Update (&hctx, (const u8 *) data, len); - HMAC_Final (&hctx, r, &l); - HMAC_CTX_cleanup (&hctx); -#endif - - ASSERT (l == tr->key_len); - - return r; -} - -v8 * -ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_CIPHER_CTX *ctx; -#else - EVP_CIPHER_CTX ctx; -#endif - v8 *r; - int out_len = 0, block_size; - ikev2_sa_transform_t *tr_encr; - u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei; - - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - block_size = tr_encr->block_size; - - /* check if data is multiplier of cipher block size */ - if (len % block_size) - { - clib_warning ("wrong data length"); - return 0; - } - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = EVP_CIPHER_CTX_new (); -#else - EVP_CIPHER_CTX_init (&ctx); -#endif - - r = vec_new (u8, len - block_size); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data); - EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size); - EVP_DecryptFinal_ex (ctx, r + out_len, &out_len); -#else - EVP_DecryptInit_ex (&ctx, tr_encr->cipher, NULL, key, data); - EVP_DecryptUpdate (&ctx, r, &out_len, data + block_size, len - block_size); - EVP_DecryptFinal_ex (&ctx, r + out_len, &out_len); -#endif - /* remove padding */ - _vec_len (r) -= r[vec_len (r) - 1] + 1; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_CIPHER_CTX_cleanup (&ctx); -#endif - return r; -} - -int -ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_CIPHER_CTX *ctx; -#else - EVP_CIPHER_CTX ctx; -#endif - int out_len; - int bs; - ikev2_sa_transform_t *tr_encr; - u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er; - - tr_encr = - ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - bs = tr_encr->block_size; - - /* generate IV */ - RAND_bytes (dst, bs); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ctx = EVP_CIPHER_CTX_new (); - EVP_EncryptInit_ex (ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); - EVP_EncryptUpdate (ctx, dst + bs, &out_len, src, vec_len (src)); -#else - EVP_CIPHER_CTX_init (&ctx); - EVP_EncryptInit_ex (&ctx, tr_encr->cipher, NULL, key, dst /* dst */ ); - EVP_EncryptUpdate (&ctx, dst + bs, &out_len, src, vec_len (src)); - EVP_CIPHER_CTX_cleanup (&ctx); -#endif - - ASSERT (vec_len (src) == out_len); - - return out_len + bs; -} - -void -ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) -{ - int r; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - BIGNUM *p = BN_new (); - BIGNUM *q = BN_new (); - BIGNUM *g = BN_new (); - BIGNUM *pub_key = BN_new (); - BIGNUM *priv_key = BN_new (); -#endif - - if (t->dh_group == IKEV2_DH_GROUP_MODP) - { - DH *dh = DH_new (); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - BN_hex2bn (&p, t->dh_p); - BN_hex2bn (&g, t->dh_g); - DH_set0_pqg (dh, p, q, g); -#else - BN_hex2bn (&dh->p, t->dh_p); - BN_hex2bn (&dh->g, t->dh_g); -#endif - DH_generate_key (dh); - - if (sa->is_initiator) - { - sa->i_dh_data = vec_new (u8, t->key_len); - sa->dh_private_key = vec_new (u8, t->key_len); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - r = BN_bn2bin (pub_key, sa->i_dh_data); - ASSERT (r == t->key_len); - r = BN_bn2bin (priv_key, sa->dh_private_key); - DH_set0_key (dh, pub_key, priv_key); -#else - r = BN_bn2bin (dh->pub_key, sa->i_dh_data); - ASSERT (r == t->key_len); - r = BN_bn2bin (dh->priv_key, sa->dh_private_key); - ASSERT (r == t->key_len); -#endif - } - else - { - sa->r_dh_data = vec_new (u8, t->key_len); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - r = BN_bn2bin (pub_key, sa->i_dh_data); - ASSERT (r == t->key_len); - DH_set0_key (dh, pub_key, NULL); -#else - r = BN_bn2bin (dh->pub_key, sa->r_dh_data); - ASSERT (r == t->key_len); -#endif - BIGNUM *ex; - sa->dh_shared_key = vec_new (u8, t->key_len); - ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL); - r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); - BN_clear_free (ex); - } - DH_free (dh); - } - else if (t->dh_group == IKEV2_DH_GROUP_ECP) - { - EC_KEY *ec = EC_KEY_new_by_curve_name (t->nid); - ASSERT (ec); - - EC_KEY_generate_key (ec); - - const EC_POINT *r_point = EC_KEY_get0_public_key (ec); - const EC_GROUP *group = EC_KEY_get0_group (ec); - BIGNUM *x = NULL, *y = NULL; - BN_CTX *bn_ctx = BN_CTX_new (); - u16 x_off, y_off, len; - EC_POINT *i_point = EC_POINT_new (group); - EC_POINT *shared_point = EC_POINT_new (group); - - x = BN_new (); - y = BN_new (); - len = t->key_len / 2; - -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_get_affine_coordinates (group, r_point, x, y, bn_ctx); -#else - EC_POINT_get_affine_coordinates_GFp (group, r_point, x, y, bn_ctx); -#endif - - if (sa->is_initiator) - { - sa->i_dh_data = vec_new (u8, t->key_len); - x_off = len - BN_num_bytes (x); - clib_memset (sa->i_dh_data, 0, x_off); - BN_bn2bin (x, sa->i_dh_data + x_off); - y_off = t->key_len - BN_num_bytes (y); - clib_memset (sa->i_dh_data + len, 0, y_off - len); - BN_bn2bin (y, sa->i_dh_data + y_off); - - const BIGNUM *prv = EC_KEY_get0_private_key (ec); - sa->dh_private_key = vec_new (u8, BN_num_bytes (prv)); - r = BN_bn2bin (prv, sa->dh_private_key); - ASSERT (r == BN_num_bytes (prv)); - } - else - { - sa->r_dh_data = vec_new (u8, t->key_len); - x_off = len - BN_num_bytes (x); - clib_memset (sa->r_dh_data, 0, x_off); - BN_bn2bin (x, sa->r_dh_data + x_off); - y_off = t->key_len - BN_num_bytes (y); - clib_memset (sa->r_dh_data + len, 0, y_off - len); - BN_bn2bin (y, sa->r_dh_data + y_off); - - x = BN_bin2bn (sa->i_dh_data, len, x); - y = BN_bin2bn (sa->i_dh_data + len, len, y); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_set_affine_coordinates (group, i_point, x, y, bn_ctx); -#else - EC_POINT_set_affine_coordinates_GFp (group, i_point, x, y, bn_ctx); -#endif - sa->dh_shared_key = vec_new (u8, t->key_len); - EC_POINT_mul (group, shared_point, NULL, i_point, - EC_KEY_get0_private_key (ec), NULL); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_get_affine_coordinates (group, shared_point, x, y, bn_ctx); -#else - EC_POINT_get_affine_coordinates_GFp (group, shared_point, x, y, - bn_ctx); -#endif - x_off = len - BN_num_bytes (x); - clib_memset (sa->dh_shared_key, 0, x_off); - BN_bn2bin (x, sa->dh_shared_key + x_off); - y_off = t->key_len - BN_num_bytes (y); - clib_memset (sa->dh_shared_key + len, 0, y_off - len); - BN_bn2bin (y, sa->dh_shared_key + y_off); - } - - EC_KEY_free (ec); - BN_free (x); - BN_free (y); - BN_CTX_free (bn_ctx); - EC_POINT_free (i_point); - EC_POINT_free (shared_point); - } -} - -void -ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) -{ - int r; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - BIGNUM *p = BN_new (); - BIGNUM *q = BN_new (); - BIGNUM *g = BN_new (); - BIGNUM *priv_key = BN_new (); -#endif - - if (t->dh_group == IKEV2_DH_GROUP_MODP) - { - DH *dh = DH_new (); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - BN_hex2bn (&p, t->dh_p); - BN_hex2bn (&g, t->dh_g); - DH_set0_pqg (dh, p, q, g); - - priv_key = - BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL); - DH_set0_key (dh, NULL, priv_key); -#else - BN_hex2bn (&dh->p, t->dh_p); - BN_hex2bn (&dh->g, t->dh_g); - - dh->priv_key = - BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL); -#endif - BIGNUM *ex; - sa->dh_shared_key = vec_new (u8, t->key_len); - ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL); - r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); - BN_clear_free (ex); - DH_free (dh); - } - else if (t->dh_group == IKEV2_DH_GROUP_ECP) - { - EC_KEY *ec = EC_KEY_new_by_curve_name (t->nid); - ASSERT (ec); - - const EC_GROUP *group = EC_KEY_get0_group (ec); - BIGNUM *x = NULL, *y = NULL; - BN_CTX *bn_ctx = BN_CTX_new (); - u16 x_off, y_off, len; - BIGNUM *prv; - - prv = - BN_bin2bn (sa->dh_private_key, vec_len (sa->dh_private_key), NULL); - EC_KEY_set_private_key (ec, prv); - - x = BN_new (); - y = BN_new (); - len = t->key_len / 2; - - x = BN_bin2bn (sa->r_dh_data, len, x); - y = BN_bin2bn (sa->r_dh_data + len, len, y); - EC_POINT *r_point = EC_POINT_new (group); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_set_affine_coordinates (group, r_point, x, y, bn_ctx); -#else - EC_POINT_set_affine_coordinates_GFp (group, r_point, x, y, bn_ctx); -#endif - EC_KEY_set_public_key (ec, r_point); - - EC_POINT *i_point = EC_POINT_new (group); - EC_POINT *shared_point = EC_POINT_new (group); - - x = BN_bin2bn (sa->i_dh_data, len, x); - y = BN_bin2bn (sa->i_dh_data + len, len, y); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_set_affine_coordinates (group, i_point, x, y, bn_ctx); -#else - EC_POINT_set_affine_coordinates_GFp (group, i_point, x, y, bn_ctx); -#endif - EC_POINT_mul (group, shared_point, NULL, r_point, - EC_KEY_get0_private_key (ec), NULL); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L - EC_POINT_get_affine_coordinates (group, shared_point, x, y, bn_ctx); -#else - EC_POINT_get_affine_coordinates_GFp (group, shared_point, x, y, bn_ctx); -#endif - sa->dh_shared_key = vec_new (u8, t->key_len); - x_off = len - BN_num_bytes (x); - clib_memset (sa->dh_shared_key, 0, x_off); - BN_bn2bin (x, sa->dh_shared_key + x_off); - y_off = t->key_len - BN_num_bytes (y); - clib_memset (sa->dh_shared_key + len, 0, y_off - len); - BN_bn2bin (y, sa->dh_shared_key + y_off); - - EC_KEY_free (ec); - BN_free (x); - BN_free (y); - BN_free (prv); - BN_CTX_free (bn_ctx); - EC_POINT_free (i_point); - EC_POINT_free (r_point); - EC_POINT_free (shared_point); - } -} - -int -ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); -#else - EVP_MD_CTX md_ctx; - EVP_MD_CTX_init (&md_ctx); -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_VerifyInit (md_ctx, EVP_sha1 ()); - EVP_VerifyUpdate (md_ctx, data, vec_len (data)); -#else - EVP_VerifyInit_ex (&md_ctx, EVP_sha1 (), NULL); - EVP_VerifyUpdate (&md_ctx, data, vec_len (data)); -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - return EVP_VerifyFinal (md_ctx, sigbuf, vec_len (sigbuf), pkey); -#else - return EVP_VerifyFinal (&md_ctx, sigbuf, vec_len (sigbuf), pkey); -#endif -} - -u8 * -ikev2_calc_sign (EVP_PKEY * pkey, u8 * data) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); -#else - EVP_MD_CTX md_ctx; -#endif - unsigned int sig_len = 0; - u8 *sign; - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - EVP_SignInit (md_ctx, EVP_sha1 ()); - EVP_SignUpdate (md_ctx, data, vec_len (data)); - /* get sign len */ - EVP_SignFinal (md_ctx, NULL, &sig_len, pkey); - sign = vec_new (u8, sig_len); - /* calc sign */ - EVP_SignFinal (md_ctx, sign, &sig_len, pkey); -#else - EVP_SignInit (&md_ctx, EVP_sha1 ()); - EVP_SignUpdate (&md_ctx, data, vec_len (data)); - /* get sign len */ - EVP_SignFinal (&md_ctx, NULL, &sig_len, pkey); - sign = vec_new (u8, sig_len); - /* calc sign */ - EVP_SignFinal (&md_ctx, sign, &sig_len, pkey); -#endif - return sign; -} - -EVP_PKEY * -ikev2_load_cert_file (u8 * file) -{ - FILE *fp; - X509 *x509; - EVP_PKEY *pkey = NULL; - - fp = fopen ((char *) file, "r"); - if (!fp) - { - clib_warning ("open %s failed", file); - goto end; - } - - x509 = PEM_read_X509 (fp, NULL, NULL, NULL); - fclose (fp); - if (x509 == NULL) - { - clib_warning ("read cert %s failed", file); - goto end; - } - - pkey = X509_get_pubkey (x509); - if (pkey == NULL) - clib_warning ("get pubkey %s failed", file); - -end: - return pkey; -} - -EVP_PKEY * -ikev2_load_key_file (u8 * file) -{ - FILE *fp; - EVP_PKEY *pkey = NULL; - - fp = fopen ((char *) file, "r"); - if (!fp) - { - clib_warning ("open %s failed", file); - goto end; - } - - pkey = PEM_read_PrivateKey (fp, NULL, NULL, NULL); - fclose (fp); - if (pkey == NULL) - clib_warning ("read %s failed", file); - -end: - return pkey; -} - -void -ikev2_crypto_init (ikev2_main_t * km) -{ - ikev2_sa_transform_t *tr; - - /* vector of supported transforms - in order of preference */ - - //Encryption - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC; - tr->key_len = 256 / 8; - tr->block_size = 128 / 8; - tr->cipher = EVP_aes_256_cbc (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC; - tr->key_len = 192 / 8; - tr->block_size = 128 / 8; - tr->cipher = EVP_aes_192_cbc (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_ENCR; - tr->encr_type = IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC; - tr->key_len = 128 / 8; - tr->block_size = 128 / 8; - tr->cipher = EVP_aes_128_cbc (); - - //PRF - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_PRF; - tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256; - tr->key_len = 256 / 8; - tr->key_trunc = 256 / 8; - tr->md = EVP_sha256 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_PRF; - tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_384; - tr->key_len = 384 / 8; - tr->key_trunc = 384 / 8; - tr->md = EVP_sha384 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_PRF; - tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_512; - tr->key_len = 512 / 8; - tr->key_trunc = 512 / 8; - tr->md = EVP_sha512 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_PRF; - tr->prf_type = IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA1; - tr->key_len = 160 / 8; - tr->key_trunc = 160 / 8; - tr->md = EVP_sha1 (); - - //Integrity - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_INTEG; - tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128; - tr->key_len = 256 / 8; - tr->key_trunc = 128 / 8; - tr->md = EVP_sha256 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_INTEG; - tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192; - tr->key_len = 384 / 8; - tr->key_trunc = 192 / 8; - tr->md = EVP_sha384 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_INTEG; - tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256; - tr->key_len = 512 / 8; - tr->key_trunc = 256 / 8; - tr->md = EVP_sha512 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_INTEG; - tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_160; - tr->key_len = 160 / 8; - tr->key_trunc = 160 / 8; - tr->md = EVP_sha1 (); - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_INTEG; - tr->integ_type = IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96; - tr->key_len = 160 / 8; - tr->key_trunc = 96 / 8; - tr->md = EVP_sha1 (); - - -#if defined(OPENSSL_NO_CISCO_FECDH) - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_BRAINPOOL_512; - tr->key_len = (512 * 2) / 8; - tr->nid = NID_brainpoolP512r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_BRAINPOOL_384; - tr->key_len = (384 * 2) / 8; - tr->nid = NID_brainpoolP384r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_BRAINPOOL_256; - tr->key_len = (256 * 2) / 8; - tr->nid = NID_brainpoolP256r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_BRAINPOOL_224; - tr->key_len = (224 * 2) / 8; - tr->nid = NID_brainpoolP224r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_ECP_224; - tr->key_len = (224 * 2) / 8; - tr->nid = NID_secp224r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; -#endif - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_ECP_521; - tr->key_len = (528 * 2) / 8; - tr->nid = NID_secp521r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_ECP_384; - tr->key_len = (384 * 2) / 8; - tr->nid = NID_secp384r1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_ECP_256; - tr->key_len = (256 * 2) / 8; - tr->nid = NID_X9_62_prime256v1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_ECP_192; - tr->key_len = (192 * 2) / 8; - tr->nid = NID_X9_62_prime192v1; - tr->dh_group = IKEV2_DH_GROUP_ECP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_2048_256; - tr->key_len = 2048 / 8; - tr->dh_p = (const char *) &modp_dh_2048_256_prime; - tr->dh_g = (const char *) &modp_dh_2048_256_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_2048_224; - tr->key_len = 2048 / 8; - tr->dh_p = (const char *) &modp_dh_2048_224_prime; - tr->dh_g = (const char *) &modp_dh_2048_224_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_1024_160; - tr->key_len = 1024 / 8; - tr->dh_p = (const char *) &modp_dh_1024_160_prime; - tr->dh_g = (const char *) &modp_dh_1024_160_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_8192; - tr->key_len = 8192 / 8; - tr->dh_p = (const char *) &modp_dh_8192_prime; - tr->dh_g = (const char *) &modp_dh_8192_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_6144; - tr->key_len = 6144 / 8; - tr->dh_p = (const char *) &modp_dh_6144_prime; - tr->dh_g = (const char *) &modp_dh_6144_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_4096; - tr->key_len = 4096 / 8; - tr->dh_p = (const char *) &modp_dh_4096_prime; - tr->dh_g = (const char *) &modp_dh_4096_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_3072; - tr->key_len = 3072 / 8; - tr->dh_p = (const char *) &modp_dh_3072_prime; - tr->dh_g = (const char *) &modp_dh_3072_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_2048; - tr->key_len = 2048 / 8; - tr->dh_p = (const char *) &modp_dh_2048_prime; - tr->dh_g = (const char *) &modp_dh_2048_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_1536; - tr->key_len = 1536 / 8; - tr->dh_p = (const char *) &modp_dh_1536_prime; - tr->dh_g = (const char *) &modp_dh_1536_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_1024; - tr->key_len = 1024 / 8; - tr->dh_p = (const char *) &modp_dh_1024_prime; - tr->dh_g = (const char *) &modp_dh_1024_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_DH; - tr->dh_type = IKEV2_TRANSFORM_DH_TYPE_MODP_768; - tr->key_len = 768 / 8; - tr->dh_p = (const char *) &modp_dh_768_prime; - tr->dh_g = (const char *) &modp_dh_768_generator; - tr->dh_group = IKEV2_DH_GROUP_MODP; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_ESN; - tr->esn_type = IKEV2_TRANSFORM_ESN_TYPE_ESN; - - vec_add2 (km->supported_transforms, tr, 1); - tr->type = IKEV2_TRANSFORM_TYPE_ESN; - tr->esn_type = IKEV2_TRANSFORM_ESN_TYPE_NO_ESN; -} - - - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2_format.c b/src/vnet/ipsec/ikev2_format.c deleted file mode 100644 index 4d7a007f80d..00000000000 --- a/src/vnet/ipsec/ikev2_format.c +++ /dev/null @@ -1,155 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> -#include <vnet/interface.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/ikev2.h> -#include <vnet/ipsec/ikev2_priv.h> - -u8 * -format_ikev2_sa_transform (u8 * s, va_list * args) -{ - ikev2_sa_transform_t *tr = va_arg (*args, ikev2_sa_transform_t *); - - if (!tr) - return s; - - if (tr->type >= IKEV2_TRANSFORM_NUM_TYPES) - return s; - - s = format (s, "%U:", format_ikev2_transform_type, tr->type); - - switch (tr->type) - { - case IKEV2_TRANSFORM_TYPE_ENCR: - s = format (s, "%U", format_ikev2_transform_encr_type, tr->encr_type); - break; - case IKEV2_TRANSFORM_TYPE_PRF: - s = format (s, "%U", format_ikev2_transform_prf_type, tr->prf_type); - break; - case IKEV2_TRANSFORM_TYPE_INTEG: - s = format (s, "%U", format_ikev2_transform_integ_type, tr->integ_type); - break; - case IKEV2_TRANSFORM_TYPE_DH: - s = format (s, "%U", format_ikev2_transform_dh_type, tr->dh_type); - break; - case IKEV2_TRANSFORM_TYPE_ESN: - s = format (s, "%U", format_ikev2_transform_esn_type, tr->esn_type); - break; - default: - break; - } - - if (tr->type == IKEV2_TRANSFORM_TYPE_ENCR && - tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len) - s = format (s, "-%u", tr->key_len * 8); - else if (vec_len (tr->attrs) == 4 && tr->attrs[0] == 0x80 - && tr->attrs[1] == 0x0e) - s = format (s, "-%u", tr->attrs[2] * 256 + tr->attrs[3]); - else if (vec_len (tr->attrs)) - s = format (s, "(unknown attr %U)", format_hex_bytes, - tr->attrs, vec_len (tr->attrs)); - - return s; -} - -#define MACRO_FORMAT(lc) \ -u8 * format_ikev2_##lc (u8 * s, va_list * args) \ -{ \ - u32 i = va_arg (*args, u32); \ - char * t = 0; \ - switch (i) { \ - foreach_ikev2_##lc \ - default: \ - return format (s, "unknown (%u)", i); \ - } \ - s = format (s, "%s", t); \ - return s; \ -} - -#define MACRO_UNFORMAT(lc) \ -uword \ -unformat_ikev2_##lc (unformat_input_t * input, \ - va_list * args) \ -{ \ - u32 * r = va_arg (*args, u32 *); \ - if (0) ; \ - foreach_ikev2_##lc \ - else \ - return 0; \ - return 1; \ -} - -#define _(v,f,str) case IKEV2_AUTH_METHOD_##f: t = str; break; -MACRO_FORMAT (auth_method) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_AUTH_METHOD_##f; - MACRO_UNFORMAT (auth_method) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_TYPE_##f; - MACRO_UNFORMAT (transform_type) -#undef _ -#define _(v,f) case IKEV2_NOTIFY_MSG_##f: t = #f; break; - MACRO_FORMAT (notify_msg_type) -#undef _ -#define _(v,f,str) case IKEV2_ID_TYPE_##f: t = str; break; - MACRO_FORMAT (id_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_ID_TYPE_##f; - MACRO_UNFORMAT (id_type) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_ENCR_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_encr_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_ENCR_TYPE_##f; - MACRO_UNFORMAT (transform_encr_type) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_PRF_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_prf_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_PRF_TYPE_##f; - MACRO_UNFORMAT (transform_prf_type) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_INTEG_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_integ_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_INTEG_TYPE_##f; - MACRO_UNFORMAT (transform_integ_type) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_DH_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_dh_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_DH_TYPE_##f; - MACRO_UNFORMAT (transform_dh_type) -#undef _ -#define _(v,f,str) case IKEV2_TRANSFORM_ESN_TYPE_##f: t = str; break; - MACRO_FORMAT (transform_esn_type) -#undef _ -#define _(v,f,str) else if (unformat (input, str)) *r = IKEV2_TRANSFORM_ESN_TYPE_##f; - MACRO_UNFORMAT (transform_esn_type) -#undef _ -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2_payload.c b/src/vnet/ipsec/ikev2_payload.c deleted file mode 100644 index 3aae6d3a1f4..00000000000 --- a/src/vnet/ipsec/ikev2_payload.c +++ /dev/null @@ -1,550 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <ctype.h> - -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> -#include <vnet/interface.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/ikev2.h> -#include <vnet/ipsec/ikev2_priv.h> - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct - { - u8 nextpayload; - u8 flags; - u16 length; - u8 protocol_id; - u8 spi_size; - u16 msg_type; - u8 payload[0];}) ike_notify_payload_header_t; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct - { - u8 ts_type; - u8 protocol_id; - u16 selector_len; - u16 start_port; - u16 end_port; - ip4_address_t start_addr; - ip4_address_t end_addr;}) ikev2_ts_payload_entry_t; -/* *INDENT-OFF* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct - { - u8 nextpayload; - u8 flags; - u16 length; - u8 num_ts; - u8 reserved[3]; - ikev2_ts_payload_entry_t ts[0];}) - ike_ts_payload_header_t; -/* *INDENT-OFF* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 last_or_more; - u8 reserved; - u16 proposal_len; - u8 proposal_num; - u8 protocol_id; - u8 spi_size; - u8 num_transforms; u32 spi[0]; -}) ike_sa_proposal_data_t; -/* *INDENT-OFF* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 last_or_more; - u8 reserved; - u16 transform_len; - u8 transform_type; - u8 reserved2; - u16 transform_id; - u8 attributes[0]; -}) ike_sa_transform_data_t; -/* *INDENT-OFF* */ - -/* *INDENT-OFF* */ -typedef CLIB_PACKED (struct { - u8 nextpayload; - u8 flags; - u16 length; - u8 protocol_id; - u8 spi_size; - u16 num_of_spi; - u32 spi[0]; -}) ike_delete_payload_header_t; -/* *INDENT-OFF* */ - -static ike_payload_header_t * -ikev2_payload_add_hdr (ikev2_payload_chain_t * c, u8 payload_type, int len) -{ - ike_payload_header_t *hdr = - (ike_payload_header_t *) & c->data[c->last_hdr_off]; - u8 *tmp; - - if (c->data) - hdr->nextpayload = payload_type; - else - c->first_payload_type = payload_type; - - c->last_hdr_off = vec_len (c->data); - vec_add2 (c->data, tmp, len); - hdr = (ike_payload_header_t *) tmp; - clib_memset (hdr, 0, len); - - hdr->length = clib_host_to_net_u16 (len); - - return hdr; -} - -static void -ikev2_payload_add_data (ikev2_payload_chain_t * c, u8 * data) -{ - u16 len; - ike_payload_header_t *hdr; - - vec_append (c->data, data); - hdr = (ike_payload_header_t *) & c->data[c->last_hdr_off]; - len = clib_net_to_host_u16 (hdr->length); - hdr->length = clib_host_to_net_u16 (len + vec_len (data)); -} - -void -ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type, u8 * data) -{ - ikev2_payload_add_notify_2(c, msg_type, data, 0); -} - -void -ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type, - u8 * data, ikev2_notify_t * notify) -{ - ike_notify_payload_header_t *n; - - n = - (ike_notify_payload_header_t *) ikev2_payload_add_hdr (c, - IKEV2_PAYLOAD_NOTIFY, - sizeof (*n)); - n->msg_type = clib_host_to_net_u16 (msg_type); - if (notify) - { - n->protocol_id = notify->protocol_id; - if (notify->spi) - { - n->spi_size = 4; - } - } - ikev2_payload_add_data (c, data); -} - -void -ikev2_payload_add_sa (ikev2_payload_chain_t * c, - ikev2_sa_proposal_t * proposals) -{ - ike_payload_header_t *ph; - ike_sa_proposal_data_t *prop; - ike_sa_transform_data_t *tr; - ikev2_sa_proposal_t *p; - ikev2_sa_transform_t *t; - - u8 *tmp; - u8 *pr_data = 0; - u8 *tr_data = 0; - - ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_SA, sizeof (*ph)); - - vec_foreach (p, proposals) - { - int spi_size = (p->protocol_id == IKEV2_PROTOCOL_ESP) ? 4 : 0; - pr_data = vec_new (u8, sizeof (ike_sa_proposal_data_t) + spi_size); - prop = (ike_sa_proposal_data_t *) pr_data; - prop->last_or_more = proposals - p + 1 < vec_len (proposals) ? 2 : 0; - prop->protocol_id = p->protocol_id; - prop->proposal_num = p->proposal_num; - prop->spi_size = spi_size; - prop->num_transforms = vec_len (p->transforms); - - if (spi_size) - prop->spi[0] = clib_host_to_net_u32 (p->spi); - - DBG_PLD ("proposal num %u protocol_id %u last_or_more %u spi_size %u%s%U", - prop->proposal_num, prop->protocol_id, prop->last_or_more, - prop->spi_size, prop->spi_size ? " spi_data " : "", - format_hex_bytes, prop->spi, prop->spi_size); - - vec_foreach (t, p->transforms) - { - vec_add2 (tr_data, tmp, sizeof (*tr) + vec_len (t->attrs)); - tr = (ike_sa_transform_data_t *) tmp; - tr->last_or_more = - ((t - p->transforms) + 1 < vec_len (p->transforms)) ? 3 : 0; - tr->transform_type = t->type; - tr->transform_id = clib_host_to_net_u16 (t->transform_id); - tr->transform_len = - clib_host_to_net_u16 (sizeof (*tr) + vec_len (t->attrs)); - - if (vec_len (t->attrs) > 0) - clib_memcpy_fast (tr->attributes, t->attrs, vec_len (t->attrs)); - - DBG_PLD - ("transform type %U transform_id %u last_or_more %u attr_size %u%s%U", - format_ikev2_transform_type, tr->transform_type, t->transform_id, - tr->last_or_more, vec_len (t->attrs), - vec_len (t->attrs) ? " attrs " : "", format_hex_bytes, - tr->attributes, vec_len (t->attrs)); - } - - prop->proposal_len = - clib_host_to_net_u16 (vec_len (tr_data) + vec_len (pr_data)); - ikev2_payload_add_data (c, pr_data); - ikev2_payload_add_data (c, tr_data); - vec_free (pr_data); - vec_free (tr_data); - } -} - -void -ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group, u8 * dh_data) -{ - ike_ke_payload_header_t *ke; - ke = (ike_ke_payload_header_t *) ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_KE, - sizeof (*ke)); - - ke->dh_group = clib_host_to_net_u16 (dh_group); - ikev2_payload_add_data (c, dh_data); -} - -void -ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce) -{ - ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_NONCE, - sizeof (ike_payload_header_t)); - ikev2_payload_add_data (c, nonce); -} - -void -ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id, u8 type) -{ - ike_id_payload_header_t *idp; - idp = - (ike_id_payload_header_t *) ikev2_payload_add_hdr (c, type, - sizeof (*idp)); - - idp->id_type = id->type; - ikev2_payload_add_data (c, id->data); -} - -void -ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d) -{ - ike_delete_payload_header_t *dp; - u16 num_of_spi = vec_len (d); - ikev2_delete_t *d2; - dp = - (ike_delete_payload_header_t *) ikev2_payload_add_hdr (c, - IKEV2_PAYLOAD_DELETE, - sizeof (*dp)); - - if (d[0].protocol_id == IKEV2_PROTOCOL_IKE) - { - dp->protocol_id = 1; - } - else - { - dp->protocol_id = d[0].protocol_id; - dp->spi_size = 4; - dp->num_of_spi = clib_host_to_net_u16 (num_of_spi); - vec_foreach (d2, d) - { - u8 *data = vec_new (u8, 4); - u32 spi = clib_host_to_net_u32 (d2->spi); - clib_memcpy (data, &spi, 4); - ikev2_payload_add_data (c, data); - vec_free (data); - } - } -} - -void -ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth) -{ - ike_auth_payload_header_t *ap; - ap = - (ike_auth_payload_header_t *) ikev2_payload_add_hdr (c, - IKEV2_PAYLOAD_AUTH, - sizeof (*ap)); - - ap->auth_method = auth->method; - ikev2_payload_add_data (c, auth->data); -} - -void -ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts, u8 type) -{ - ike_ts_payload_header_t *tsh; - ikev2_ts_t *ts2; - u8 *data = 0, *tmp; - - tsh = - (ike_ts_payload_header_t *) ikev2_payload_add_hdr (c, type, - sizeof (*tsh)); - tsh->num_ts = vec_len (ts); - - vec_foreach (ts2, ts) - { - ASSERT (ts2->ts_type == 7); /*TS_IPV4_ADDR_RANGE */ - ikev2_ts_payload_entry_t *entry; - vec_add2 (data, tmp, sizeof (*entry)); - entry = (ikev2_ts_payload_entry_t *) tmp; - entry->ts_type = ts2->ts_type; - entry->protocol_id = ts2->protocol_id; - entry->selector_len = clib_host_to_net_u16 (16); - entry->start_port = clib_host_to_net_u16 (ts2->start_port); - entry->end_port = clib_host_to_net_u16 (ts2->end_port); - entry->start_addr.as_u32 = ts2->start_addr.as_u32; - entry->end_addr.as_u32 = ts2->end_addr.as_u32; - } - - ikev2_payload_add_data (c, data); - vec_free (data); -} - -void -ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs) -{ - u8 *tmp __attribute__ ((unused)); - u8 pad_len = (vec_len (c->data) / bs + 1) * bs - vec_len (c->data); - vec_add2 (c->data, tmp, pad_len); - c->data[vec_len (c->data) - 1] = pad_len - 1; -} - -ikev2_sa_proposal_t * -ikev2_parse_sa_payload (ike_payload_header_t * ikep) -{ - ikev2_sa_proposal_t *v = 0; - ikev2_sa_proposal_t *proposal; - ikev2_sa_transform_t *transform; - - u32 plen = clib_net_to_host_u16 (ikep->length); - - ike_sa_proposal_data_t *sap; - int proposal_ptr = 0; - - do - { - sap = (ike_sa_proposal_data_t *) & ikep->payload[proposal_ptr]; - int i; - int transform_ptr; - - DBG_PLD ("proposal num %u len %u last_or_more %u id %u " - "spi_size %u num_transforms %u", - sap->proposal_num, clib_net_to_host_u16 (sap->proposal_len), - sap->last_or_more, sap->protocol_id, sap->spi_size, - sap->num_transforms); - - /* IKE proposal should not have SPI */ - if (sap->protocol_id == IKEV2_PROTOCOL_IKE && sap->spi_size != 0) - goto data_corrupted; - - /* IKE proposal should not have SPI */ - if (sap->protocol_id == IKEV2_PROTOCOL_ESP && sap->spi_size != 4) - goto data_corrupted; - - transform_ptr = proposal_ptr + sizeof (*sap) + sap->spi_size; - - vec_add2 (v, proposal, 1); - proposal->proposal_num = sap->proposal_num; - proposal->protocol_id = sap->protocol_id; - - if (sap->spi_size == 4) - { - proposal->spi = clib_net_to_host_u32 (sap->spi[0]); - } - - for (i = 0; i < sap->num_transforms; i++) - { - ike_sa_transform_data_t *tr = - (ike_sa_transform_data_t *) & ikep->payload[transform_ptr]; - u16 tlen = clib_net_to_host_u16 (tr->transform_len); - - if (tlen < sizeof (*tr)) - goto data_corrupted; - - vec_add2 (proposal->transforms, transform, 1); - - transform->type = tr->transform_type; - transform->transform_id = clib_net_to_host_u16 (tr->transform_id); - if (tlen > sizeof (*tr)) - vec_add (transform->attrs, tr->attributes, tlen - sizeof (*tr)); - - DBG_PLD - ("transform num %u len %u last_or_more %u type %U id %u%s%U", i, - tlen, tr->last_or_more, format_ikev2_sa_transform, transform, - clib_net_to_host_u16 (tr->transform_id), - tlen > sizeof (*tr) ? " attrs " : "", format_hex_bytes, - tr->attributes, tlen - sizeof (*tr)); - - transform_ptr += tlen; - } - - proposal_ptr += clib_net_to_host_u16 (sap->proposal_len); - } - while (proposal_ptr < (plen - sizeof (*ikep)) && sap->last_or_more == 2); - - /* data validation */ - if (proposal_ptr != (plen - sizeof (*ikep)) || sap->last_or_more) - goto data_corrupted; - - return v; - -data_corrupted: - DBG_PLD ("SA payload data corrupted"); - ikev2_sa_free_proposal_vector (&v); - return 0; -} - -ikev2_ts_t * -ikev2_parse_ts_payload (ike_payload_header_t * ikep) -{ - ike_ts_payload_header_t *tsp = (ike_ts_payload_header_t *) ikep; - ikev2_ts_t *r = 0, *ts; - u8 i; - - for (i = 0; i < tsp->num_ts; i++) - { - if (tsp->ts[i].ts_type != 7) /* TS_IPV4_ADDR_RANGE */ - { - DBG_PLD ("unsupported TS type received (%u)", tsp->ts[i].ts_type); - continue; - } - - vec_add2 (r, ts, 1); - ts->ts_type = tsp->ts[i].ts_type; - ts->protocol_id = tsp->ts[i].protocol_id; - ts->start_port = tsp->ts[i].start_port; - ts->end_port = tsp->ts[i].end_port; - ts->start_addr.as_u32 = tsp->ts[i].start_addr.as_u32; - ts->end_addr.as_u32 = tsp->ts[i].end_addr.as_u32; - } - return r; -} - -ikev2_notify_t * -ikev2_parse_notify_payload (ike_payload_header_t * ikep) -{ - ike_notify_payload_header_t *n = (ike_notify_payload_header_t *) ikep; - u32 plen = clib_net_to_host_u16 (ikep->length); - ikev2_notify_t *r = 0; - u32 spi; - - DBG_PLD ("msg_type %U len %u%s%U", - format_ikev2_notify_msg_type, clib_net_to_host_u16 (n->msg_type), - plen, plen > sizeof (*n) ? " data " : "", - format_hex_bytes, n->payload, plen - sizeof (*n)); - - r = vec_new (ikev2_notify_t, 1); - r->msg_type = clib_net_to_host_u16 (n->msg_type); - r->protocol_id = n->protocol_id; - - if (n->spi_size == 4) - { - clib_memcpy (&spi, n->payload, n->spi_size); - r->spi = clib_net_to_host_u32 (spi); - DBG_PLD ("spi %lx", r->spi); - } - else if (n->spi_size == 0) - { - r->spi = 0; - } - else - { - clib_warning ("invalid SPI Size %d", n->spi_size); - } - - if (plen > (sizeof (*n) + n->spi_size)) - { - vec_add (r->data, n->payload + n->spi_size, - plen - sizeof (*n) - n->spi_size); - } - - return r; -} - -void -ikev2_parse_vendor_payload (ike_payload_header_t * ikep) -{ - u32 plen = clib_net_to_host_u16 (ikep->length); - int i; - int is_string = 1; - - for (i = 0; i < plen - 4; i++) - if (!isprint (ikep->payload[i])) - is_string = 0; - - DBG_PLD ("len %u data %s:%U", - plen, - is_string ? "string" : "hex", - is_string ? format_ascii_bytes : format_hex_bytes, - ikep->payload, plen - sizeof (*ikep)); -} - -ikev2_delete_t * -ikev2_parse_delete_payload (ike_payload_header_t * ikep) -{ - ike_delete_payload_header_t *d = (ike_delete_payload_header_t *) ikep; - u32 plen = clib_net_to_host_u16 (ikep->length); - ikev2_delete_t *r = 0, *del; - u16 num_of_spi = clib_net_to_host_u16 (d->num_of_spi); - u16 i = 0; - - DBG_PLD ("protocol_id %u spi_size %u num_of_spi %u len %u%s%U", - d->protocol_id, d->spi_size, num_of_spi, - plen, plen > sizeof (d) ? " data " : "", - format_hex_bytes, d->spi, plen - sizeof (*d)); - - if (d->protocol_id == IKEV2_PROTOCOL_IKE) - { - r = vec_new (ikev2_delete_t, 1); - r->protocol_id = 1; - } - else - { - r = vec_new (ikev2_delete_t, num_of_spi); - vec_foreach (del, r) - { - del->protocol_id = d->protocol_id; - del->spi = clib_net_to_host_u32 (d->spi[i++]); - } - } - - return r; -} - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ikev2_priv.h b/src/vnet/ipsec/ikev2_priv.h deleted file mode 100644 index b396965a0bb..00000000000 --- a/src/vnet/ipsec/ikev2_priv.h +++ /dev/null @@ -1,362 +0,0 @@ -/* - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef __included_ikev2_priv_h__ -#define __included_ikev2_priv_h__ - -#include <vnet/vnet.h> -#include <vnet/ip/ip.h> -#include <vnet/ethernet/ethernet.h> - -#include <vnet/ipsec/ikev2.h> - -#include <vppinfra/hash.h> -#include <vppinfra/elog.h> -#include <vppinfra/error.h> - -#include <openssl/rand.h> -#include <openssl/dh.h> -#include <openssl/hmac.h> -#include <openssl/evp.h> - -#define IKEV2_DEBUG_PAYLOAD 1 - -#if IKEV2_DEBUG_PAYLOAD == 1 -#define DBG_PLD(my_args...) clib_warning(my_args) -#else -#define DBG_PLD(my_args...) -#endif - -typedef enum -{ - IKEV2_STATE_UNKNOWN, - IKEV2_STATE_SA_INIT, - IKEV2_STATE_DELETED, - IKEV2_STATE_AUTH_FAILED, - IKEV2_STATE_AUTHENTICATED, - IKEV2_STATE_NOTIFY_AND_DELETE, - IKEV2_STATE_TS_UNACCEPTABLE, - IKEV2_STATE_NO_PROPOSAL_CHOSEN, -} ikev2_state_t; - -typedef struct -{ - ikev2_auth_method_t method:8; - u8 *data; - u8 hex; /* hex encoding of the shared secret */ - EVP_PKEY *key; -} ikev2_auth_t; - -typedef enum -{ - IKEV2_DH_GROUP_MODP = 0, - IKEV2_DH_GROUP_ECP = 1, -} ikev2_dh_group_t; - -typedef struct -{ - ikev2_transform_type_t type; - union - { - u16 transform_id; - ikev2_transform_encr_type_t encr_type:16; - ikev2_transform_prf_type_t prf_type:16; - ikev2_transform_integ_type_t integ_type:16; - ikev2_transform_dh_type_t dh_type:16; - ikev2_transform_esn_type_t esn_type:16; - }; - u8 *attrs; - u16 key_len; - u16 key_trunc; - u16 block_size; - u8 dh_group; - int nid; - const char *dh_p; - const char *dh_g; - const void *md; - const void *cipher; -} ikev2_sa_transform_t; - -typedef struct -{ - u8 proposal_num; - ikev2_protocol_id_t protocol_id:8; - u32 spi; - ikev2_sa_transform_t *transforms; -} ikev2_sa_proposal_t; - -typedef struct -{ - u8 ts_type; - u8 protocol_id; - u16 selector_len; - u16 start_port; - u16 end_port; - ip4_address_t start_addr; - ip4_address_t end_addr; -} ikev2_ts_t; - -typedef struct -{ - u32 sw_if_index; - ip4_address_t ip4; -} ikev2_responder_t; - -typedef struct -{ - ikev2_transform_encr_type_t crypto_alg; - ikev2_transform_integ_type_t integ_alg; - ikev2_transform_dh_type_t dh_type; - u32 crypto_key_size; -} ikev2_transforms_set; - - -typedef struct -{ - ikev2_id_type_t type:8; - u8 *data; -} ikev2_id_t; - -typedef struct -{ - /* sa proposals vectors */ - ikev2_sa_proposal_t *i_proposals; - ikev2_sa_proposal_t *r_proposals; - - /* Traffic Selectors */ - ikev2_ts_t *tsi; - ikev2_ts_t *tsr; - - /* keys */ - u8 *sk_ai; - u8 *sk_ar; - u8 *sk_ei; - u8 *sk_er; - - /* lifetime data */ - f64 time_to_expiration; - u8 is_expired; - i8 rekey_retries; -} ikev2_child_sa_t; - -typedef struct -{ - u8 protocol_id; - u32 spi; /*for ESP and AH SPI size is 4, for IKE size is 0 */ -} ikev2_delete_t; - -typedef struct -{ - u8 protocol_id; - u32 spi; - u32 ispi; - ikev2_sa_proposal_t *i_proposal; - ikev2_sa_proposal_t *r_proposal; - ikev2_ts_t *tsi; - ikev2_ts_t *tsr; -} ikev2_rekey_t; - -typedef struct -{ - u16 msg_type; - u8 protocol_id; - u32 spi; - u8 *data; -} ikev2_notify_t; - -typedef struct -{ - u8 *name; - u8 is_enabled; - - ikev2_auth_t auth; - ikev2_id_t loc_id; - ikev2_id_t rem_id; - ikev2_ts_t loc_ts; - ikev2_ts_t rem_ts; - ikev2_responder_t responder; - ikev2_transforms_set ike_ts; - ikev2_transforms_set esp_ts; - u64 lifetime; - u64 lifetime_maxdata; - u32 lifetime_jitter; - u32 handover; -} ikev2_profile_t; - -typedef struct -{ - ikev2_state_t state; - u8 unsupported_cp; - u8 initial_contact; - ip4_address_t iaddr; - ip4_address_t raddr; - u64 ispi; - u64 rspi; - u8 *i_nonce; - u8 *r_nonce; - - /* DH data */ - u16 dh_group; - u8 *dh_shared_key; - u8 *dh_private_key; - u8 *i_dh_data; - u8 *r_dh_data; - - /* sa proposals vectors */ - ikev2_sa_proposal_t *i_proposals; - ikev2_sa_proposal_t *r_proposals; - - /* keys */ - u8 *sk_d; - u8 *sk_ai; - u8 *sk_ar; - u8 *sk_ei; - u8 *sk_er; - u8 *sk_pi; - u8 *sk_pr; - - /* auth */ - ikev2_auth_t i_auth; - ikev2_auth_t r_auth; - - /* ID */ - ikev2_id_t i_id; - ikev2_id_t r_id; - - /* pending deletes */ - ikev2_delete_t *del; - - /* pending rekeyings */ - ikev2_rekey_t *rekey; - - /* packet data */ - u8 *last_sa_init_req_packet_data; - u8 *last_sa_init_res_packet_data; - - /* retransmit */ - u32 last_msg_id; - u8 *last_res_packet_data; - - u8 is_initiator; - u32 last_init_msg_id; - ikev2_profile_t *profile; - - ikev2_child_sa_t *childs; -} ikev2_sa_t; - - -typedef struct -{ - /* pool of IKEv2 Security Associations */ - ikev2_sa_t *sas; - - /* hash */ - uword *sa_by_rspi; -} ikev2_main_per_thread_data_t; - -typedef struct -{ - /* pool of IKEv2 profiles */ - ikev2_profile_t *profiles; - - /* vector of supported transform types */ - ikev2_sa_transform_t *supported_transforms; - - /* hash */ - mhash_t profile_index_by_name; - - /* local private key */ - EVP_PKEY *pkey; - - /* convenience */ - vlib_main_t *vlib_main; - vnet_main_t *vnet_main; - - /* pool of IKEv2 Security Associations created in initiator mode */ - ikev2_sa_t *sais; - /* hash */ - uword *sa_by_ispi; - - ikev2_main_per_thread_data_t *per_thread_data; - -} ikev2_main_t; - -extern ikev2_main_t ikev2_main; - -void ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v); -ikev2_sa_transform_t *ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p, - ikev2_transform_type_t type); - -/* ikev2_crypto.c */ -v8 *ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data); -u8 *ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed, - int len); -v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data, - int len); -v8 *ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len); -int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst); -void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t); -void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t); -int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data); -u8 *ikev2_calc_sign (EVP_PKEY * pkey, u8 * data); -EVP_PKEY *ikev2_load_cert_file (u8 * file); -EVP_PKEY *ikev2_load_key_file (u8 * file); -void ikev2_crypto_init (ikev2_main_t * km); - -/* ikev2_payload.c */ -typedef struct -{ - u8 first_payload_type; - u16 last_hdr_off; - u8 *data; -} ikev2_payload_chain_t; - -#define ikev2_payload_new_chain(V) vec_validate (V, 0) -#define ikev2_payload_destroy_chain(V) do { \ - vec_free((V)->data); \ - vec_free(V); \ -} while (0) - -void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type, - u8 * data); -void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type, - u8 * data, ikev2_notify_t * notify); -void ikev2_payload_add_sa (ikev2_payload_chain_t * c, - ikev2_sa_proposal_t * proposals); -void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group, - u8 * dh_data); -void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce); -void ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id, - u8 type); -void ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth); -void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts, - u8 type); -void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d); -void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs); -void ikev2_parse_vendor_payload (ike_payload_header_t * ikep); -ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep); -ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep); -ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep); -ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep); - -#endif /* __included_ikev2_priv_h__ */ - - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 91d21d4dce9..1928372c585 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -328,253 +328,6 @@ autoreply define ipsec_sa_set_key vl_api_key_t integrity_key; }; -/** \brief IKEv2: Add/delete profile - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param is_add - Add IKEv2 profile if non-zero, else delete -*/ -autoreply define ikev2_profile_add_del -{ - u32 client_index; - u32 context; - - u8 name[64]; - u8 is_add; -}; - -/** \brief IKEv2: Set IKEv2 profile authentication method - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig) - @param is_hex - Authentication data in hex format if non-zero, else string - @param data_len - Authentication data length - @param data - Authentication data (for rsa-sig cert file path) -*/ -autoreply define ikev2_profile_set_auth -{ - u32 client_index; - u32 context; - - u8 name[64]; - u8 auth_method; - u8 is_hex; - u32 data_len; - u8 data[data_len]; -}; - -/** \brief IKEv2: Set IKEv2 profile local/remote identification - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param is_local - Identification is local if non-zero, else remote - @param id_type - Identification type - @param data_len - Identification data length - @param data - Identification data -*/ -autoreply define ikev2_profile_set_id -{ - u32 client_index; - u32 context; - - u8 name[64]; - u8 is_local; - u8 id_type; - u32 data_len; - u8 data[data_len]; -}; - -/** \brief IKEv2: Set IKEv2 profile traffic selector parameters - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param is_local - Traffic selector is local if non-zero, else remote - @param proto - Traffic selector IP protocol (if zero not relevant) - @param start_port - The smallest port number allowed by traffic selector - @param end_port - The largest port number allowed by traffic selector - @param start_addr - The smallest address included in traffic selector - @param end_addr - The largest address included in traffic selector -*/ -autoreply define ikev2_profile_set_ts -{ - u32 client_index; - u32 context; - - u8 name[64]; - u8 is_local; - u8 proto; - u16 start_port; - u16 end_port; - u32 start_addr; - u32 end_addr; -}; - -/** \brief IKEv2: Set IKEv2 local RSA private key - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param key_file - Key file absolute path -*/ -autoreply define ikev2_set_local_key -{ - u32 client_index; - u32 context; - - u8 key_file[256]; -}; - -/** \brief IKEv2: Set IKEv2 responder interface and IP address - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param sw_if_index - interface index - @param address - interface address -*/ -autoreply define ikev2_set_responder -{ - u32 client_index; - u32 context; - - u8 name[64]; - u32 sw_if_index; - u8 address[4]; -}; - -/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296) - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param crypto_alg - encryption algorithm - @param crypto_key_size - encryption key size - @param integ_alg - integrity algorithm - @param dh_group - Diffie-Hellman group - -*/ -autoreply define ikev2_set_ike_transforms -{ - u32 client_index; - u32 context; - - u8 name[64]; - u32 crypto_alg; - u32 crypto_key_size; - u32 integ_alg; - u32 dh_group; -}; - -/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296) - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param crypto_alg - encryption algorithm - @param crypto_key_size - encryption key size - @param integ_alg - integrity algorithm - @param dh_group - Diffie-Hellman group - -*/ -autoreply define ikev2_set_esp_transforms -{ - u32 client_index; - u32 context; - - u8 name[64]; - u32 crypto_alg; - u32 crypto_key_size; - u32 integ_alg; - u32 dh_group; -}; - -/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - @param lifetime - SA maximum life time in seconds (0 to disable) - @param lifetime_jitter - Jitter added to prevent simultaneous rekeying - @param handover - Hand over time - @param lifetime_maxdata - SA maximum life time in bytes (0 to disable) - -*/ -autoreply define ikev2_set_sa_lifetime -{ - u32 client_index; - u32 context; - - u8 name[64]; - u64 lifetime; - u32 lifetime_jitter; - u32 handover; - u64 lifetime_maxdata; -}; - -/** \brief IKEv2: Initiate the SA_INIT exchange - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param name - IKEv2 profile name - -*/ -autoreply define ikev2_initiate_sa_init -{ - u32 client_index; - u32 context; - - u8 name[64]; -}; - -/** \brief IKEv2: Initiate the delete IKE SA exchange - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param ispi - IKE SA initiator SPI - -*/ -autoreply define ikev2_initiate_del_ike_sa -{ - u32 client_index; - u32 context; - - u64 ispi; -}; - -/** \brief IKEv2: Initiate the delete Child SA exchange - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param ispi - Child SA initiator SPI - -*/ -autoreply define ikev2_initiate_del_child_sa -{ - u32 client_index; - u32 context; - - u32 ispi; -}; - -/** \brief IKEv2: Initiate the rekey Child SA exchange - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - - @param ispi - Child SA initiator SPI - -*/ -autoreply define ikev2_initiate_rekey_child_sa -{ - u32 client_index; - u32 context; - - u32 ispi; -}; - /** \brief IPsec: Get SPD interfaces @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 0ad11ba842e..a512d0094a6 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -22,7 +22,6 @@ #include <vnet/udp/udp.h> #include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/ikev2.h> #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> @@ -293,9 +292,6 @@ ipsec_init (vlib_main_t * vm) ipsec_proto_init (); - if ((error = ikev2_init (vm))) - return error; - return 0; } diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 4b4ce4e1770..33634c9b3a2 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -30,7 +30,6 @@ #if WITH_LIBSSL > 0 #include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/ikev2.h> #endif /* IPSEC */ #define vl_typedefs /* define message structures */ @@ -62,19 +61,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \ _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ -_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \ -_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \ -_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \ -_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \ -_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \ -_(IKEV2_SET_RESPONDER, ikev2_set_responder) \ -_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \ -_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \ -_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \ -_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \ -_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \ -_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \ -_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa) \ _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) @@ -841,329 +827,6 @@ vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY); } - -static void -vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp) -{ - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_add_del_profile (vm, tmp, mp->is_add); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY); -} - -static void - vl_api_ikev2_profile_set_auth_t_handler - (vl_api_ikev2_profile_set_auth_t * mp) -{ - vl_api_ikev2_profile_set_auth_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - int data_len = ntohl (mp->data_len); - u8 *tmp = format (0, "%s", mp->name); - u8 *data = vec_new (u8, data_len); - clib_memcpy (data, mp->data, data_len); - error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY); -} - -static void -vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp) -{ - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - int data_len = ntohl (mp->data_len); - u8 *data = vec_new (u8, data_len); - clib_memcpy (data, mp->data, data_len); - error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY); -} - -static void -vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp) -{ - vl_api_ikev2_profile_set_ts_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port, - mp->end_port, (ip4_address_t) mp->start_addr, - (ip4_address_t) mp->end_addr, mp->is_local); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY); -} - -static void -vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp) -{ - vl_api_ikev2_profile_set_ts_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - error = ikev2_set_local_key (vm, mp->key_file); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY); -} - -static void -vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp) -{ - vl_api_ikev2_set_responder_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - ip4_address_t ip4; - clib_memcpy (&ip4, mp->address, sizeof (ip4)); - - error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY); -} - -static void -vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t * - mp) -{ - vl_api_ikev2_set_ike_transforms_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = - ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg, - mp->dh_group, mp->crypto_key_size); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY); -} - -static void -vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t * - mp) -{ - vl_api_ikev2_set_esp_transforms_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = - ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg, - mp->dh_group, mp->crypto_key_size); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY); -} - -static void -vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp) -{ - vl_api_ikev2_set_sa_lifetime_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = - ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter, - mp->handover, mp->lifetime_maxdata); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY); -} - -static void -vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp) -{ - vl_api_ikev2_initiate_sa_init_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = ikev2_initiate_sa_init (vm, tmp); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY); -} - -static void -vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t - * mp) -{ - vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - error = ikev2_initiate_delete_ike_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY); -} - -static void - vl_api_ikev2_initiate_del_child_sa_t_handler - (vl_api_ikev2_initiate_del_child_sa_t * mp) -{ - vl_api_ikev2_initiate_del_child_sa_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - error = ikev2_initiate_delete_child_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY); -} - -static void - vl_api_ikev2_initiate_rekey_child_sa_t_handler - (vl_api_ikev2_initiate_rekey_child_sa_t * mp) -{ - vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - error = ikev2_initiate_rekey_child_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY); -} - -/* - * ipsec_api_hookup - * Add vpe's API message handlers to the table. - * vlib has already mapped shared memory and - * added the client registration handlers. - * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() - */ -#define vl_msg_name_crc_list -#include <vnet/vnet_all_api_h.h> -#undef vl_msg_name_crc_list - -static void -setup_message_id_table (api_main_t * am) -{ -#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); - foreach_vl_msg_name_crc_ipsec; -#undef _ -} - static void vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp) { @@ -1257,6 +920,25 @@ done: REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY); } +/* + * ipsec_api_hookup + * Add vpe's API message handlers to the table. + * vlib has already mapped shared memory and + * added the client registration handlers. + * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() + */ +#define vl_msg_name_crc_list +#include <vnet/vnet_all_api_h.h> +#undef vl_msg_name_crc_list + +static void +setup_message_id_table (api_main_t * am) +{ +#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); + foreach_vl_msg_name_crc_ipsec; +#undef _ +} + static clib_error_t * ipsec_api_hookup (vlib_main_t * vm) { |