diff options
author | Denys Haryachyy <garyachy@users.noreply.github.com> | 2024-01-24 16:31:47 +0200 |
---|---|---|
committer | Denys Haryachyy <garyachy@gmail.com> | 2024-02-14 18:47:23 +0200 |
commit | f40a354daba1141a60dbb10b862672ea11270de8 (patch) | |
tree | 5a35484a9755cab98024f72f6a1b64e2b3d76208 /src | |
parent | e81f27ffb2a698737eae607b111d0611d221222f (diff) |
ikev2: dump state and profile name in CLI and API
Type: improvement
Change-Id: Ide4b45da99e3a67376281f6438997f3148be08e5
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/ikev2/ikev2.api | 23 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_api.c | 116 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_cli.c | 7 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_test.c | 74 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_types.api | 37 |
5 files changed, 255 insertions, 2 deletions
diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api index ff9ed72e888..58b7fc05d9e 100644 --- a/src/plugins/ikev2/ikev2.api +++ b/src/plugins/ikev2/ikev2.api @@ -76,6 +76,16 @@ define ikev2_sa_dump option status = "in_progress"; }; +/** \brief Dump all SAs + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define ikev2_sa_v2_dump +{ + u32 client_index; + u32 context; +}; + /** \brief Details about IKE SA @param context - sender context, to match reply w/ request @param retval - return code @@ -90,6 +100,19 @@ define ikev2_sa_details option status = "in_progress"; }; +/** \brief Details about IKE SA + @param context - sender context, to match reply w/ request + @param retval - return code + @param sa - SA data +*/ +define ikev2_sa_v2_details +{ + u32 context; + i32 retval; + + vl_api_ikev2_sa_v2_t sa; +}; + /** \brief Dump child SA of specific SA @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/plugins/ikev2/ikev2_api.c b/src/plugins/ikev2/ikev2_api.c index 6485b6d85c1..975212d4f92 100644 --- a/src/plugins/ikev2/ikev2_api.c +++ b/src/plugins/ikev2/ikev2_api.c @@ -207,6 +207,32 @@ ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src) dst->n_sa_auth_req = src->n_sa_auth_req; } +static vl_api_ikev2_state_t +ikev2_state_encode (ikev2_state_t state) +{ + switch (state) + { + case IKEV2_STATE_UNKNOWN: + return UNKNOWN; + case IKEV2_STATE_SA_INIT: + return SA_INIT; + case IKEV2_STATE_DELETED: + return DELETED; + case IKEV2_STATE_AUTH_FAILED: + return AUTH_FAILED; + case IKEV2_STATE_AUTHENTICATED: + return AUTHENTICATED; + case IKEV2_STATE_NOTIFY_AND_DELETE: + return NOTIFY_AND_DELETE; + case IKEV2_STATE_TS_UNACCEPTABLE: + return TS_UNACCEPTABLE; + case IKEV2_STATE_NO_PROPOSAL_CHOSEN: + return NO_PROPOSAL_CHOSEN; + } + + return UNKNOWN; +} + static void send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index) { @@ -293,6 +319,96 @@ vl_api_ikev2_sa_dump_t_handler (vl_api_ikev2_sa_dump_t * mp) } } +static void +send_sa_v2 (ikev2_sa_t *sa, vl_api_ikev2_sa_v2_dump_t *mp, u32 api_sa_index) +{ + ikev2_main_t *km = &ikev2_main; + vl_api_ikev2_sa_v2_details_t *rmp = 0; + int rv = 0; + ikev2_sa_transform_t *tr; + ikev2_profile_t *p; + p = pool_elt_at_index (km->profiles, sa->profile_index); + + REPLY_MACRO2_ZERO (VL_API_IKEV2_SA_V2_DETAILS, { + vl_api_ikev2_sa_v2_t *rsa = &rmp->sa; + vl_api_ikev2_keys_t *k = &rsa->keys; + + int size_data = sizeof (rsa->profile_name) - 1; + if (vec_len (p->name) < size_data) + size_data = vec_len (p->name); + clib_memcpy (rsa->profile_name, p->name, size_data); + + rsa->state = ikev2_state_encode (sa->state); + + rsa->sa_index = api_sa_index; + ip_address_encode2 (&sa->iaddr, &rsa->iaddr); + ip_address_encode2 (&sa->raddr, &rsa->raddr); + rsa->ispi = sa->ispi; + rsa->rspi = sa->rspi; + cp_id (&rsa->i_id, &sa->i_id); + cp_id (&rsa->r_id, &sa->r_id); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); + if (tr) + cp_sa_transform (&rsa->encryption, tr); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); + if (tr) + cp_sa_transform (&rsa->prf, tr); + + tr = + ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); + if (tr) + cp_sa_transform (&rsa->integrity, tr); + + tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); + if (tr) + cp_sa_transform (&rsa->dh, tr); + + k->sk_d_len = vec_len (sa->sk_d); + clib_memcpy (&k->sk_d, sa->sk_d, k->sk_d_len); + + k->sk_ai_len = vec_len (sa->sk_ai); + clib_memcpy (&k->sk_ai, sa->sk_ai, k->sk_ai_len); + + k->sk_ar_len = vec_len (sa->sk_ar); + clib_memcpy (&k->sk_ar, sa->sk_ar, k->sk_ar_len); + + k->sk_ei_len = vec_len (sa->sk_ei); + clib_memcpy (&k->sk_ei, sa->sk_ei, k->sk_ei_len); + + k->sk_er_len = vec_len (sa->sk_er); + clib_memcpy (&k->sk_er, sa->sk_er, k->sk_er_len); + + k->sk_pi_len = vec_len (sa->sk_pi); + clib_memcpy (&k->sk_pi, sa->sk_pi, k->sk_pi_len); + + k->sk_pr_len = vec_len (sa->sk_pr); + clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len); + + ikev2_copy_stats (&rsa->stats, &sa->stats); + + vl_api_ikev2_sa_v2_t_endian (rsa); + }); +} + +static void +vl_api_ikev2_sa_v2_dump_t_handler (vl_api_ikev2_sa_v2_dump_t *mp) +{ + ikev2_main_t *km = &ikev2_main; + ikev2_main_per_thread_data_t *tkm; + ikev2_sa_t *sa; + + vec_foreach (tkm, km->per_thread_data) + { + pool_foreach (sa, tkm->sas) + { + u32 api_sa_index = + ikev2_encode_sa_index (sa - tkm->sas, tkm - km->per_thread_data); + send_sa_v2 (sa, mp, api_sa_index); + } + } +} static void send_child_sa (ikev2_child_sa_t * child, diff --git a/src/plugins/ikev2/ikev2_cli.c b/src/plugins/ikev2/ikev2_cli.c index 285a8993311..e5516f834f4 100644 --- a/src/plugins/ikev2/ikev2_cli.c +++ b/src/plugins/ikev2/ikev2_cli.c @@ -136,6 +136,11 @@ format_ikev2_sa (u8 * s, va_list * va) ikev2_child_sa_t *child; u32 indent = 1; + ikev2_main_t *km = &ikev2_main; + ikev2_profile_t *p; + + p = pool_elt_at_index (km->profiles, sa->profile_index); + s = format (s, "iip %U ispi %lx rip %U rspi %lx", format_ip_address, &sa->iaddr, sa->ispi, format_ip_address, &sa->raddr, sa->rspi); @@ -156,6 +161,8 @@ format_ikev2_sa (u8 * s, va_list * va) tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); s = format (s, "%U", format_ikev2_sa_transform, tr); + s = format (s, "\n profile: %v", p->name); + if (sa->state <= IKEV2_STATE_NO_PROPOSAL_CHOSEN) { s = format (s, "\n state: %s", stateNames[sa->state]); diff --git a/src/plugins/ikev2/ikev2_test.c b/src/plugins/ikev2/ikev2_test.c index 9f572813565..18d01dc6ffb 100644 --- a/src/plugins/ikev2/ikev2_test.c +++ b/src/plugins/ikev2/ikev2_test.c @@ -396,8 +396,78 @@ vl_api_ikev2_sa_details_t_handler (vl_api_ikev2_sa_details_t * mp) ip_address_decode2 (&sa->iaddr, &iaddr); ip_address_decode2 (&sa->raddr, &raddr); - fformat (vam->ofp, "profile index %d sa index: %d\n", - mp->sa.profile_index, mp->sa.sa_index); + fformat (vam->ofp, "profile index %u sa index: %d\n", mp->sa.profile_index, + mp->sa.sa_index); + fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address, + &iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi); + fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption); + fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->prf); + fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->integrity); + fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &sa->dh); + + fformat (vam->ofp, " SK_d %U\n", format_hex_bytes, k->sk_d, k->sk_d_len); + + fformat (vam->ofp, " SK_a i:%U\n r:%U\n", format_hex_bytes, + k->sk_ai, k->sk_ai_len, format_hex_bytes, k->sk_ar, k->sk_ar_len); + + fformat (vam->ofp, " SK_e i:%U\n r:%U\n", format_hex_bytes, + k->sk_ei, k->sk_ei_len, format_hex_bytes, k->sk_er, k->sk_er_len); + + fformat (vam->ofp, " SK_p i:%U\n r:%U\n", format_hex_bytes, + k->sk_pi, k->sk_pi_len, format_hex_bytes, k->sk_pr, k->sk_pr_len); + + fformat (vam->ofp, " identifier (i) %U\n", format_ikev2_id_type_and_data, + &sa->i_id); + fformat (vam->ofp, " identifier (r) %U\n", format_ikev2_id_type_and_data, + &sa->r_id); + + vam->result_ready = 1; +} + +static int +api_ikev2_sa_v2_dump (vat_main_t *vam) +{ + ikev2_test_main_t *im = &ikev2_test_main; + vl_api_ikev2_sa_v2_dump_t *mp; + vl_api_control_ping_t *mp_ping; + int ret; + + /* Construct the API message */ + M (IKEV2_SA_V2_DUMP, mp); + + /* send it... */ + S (mp); + + /* Use a control ping for synchronization */ + if (!im->ping_id) + im->ping_id = vl_msg_api_get_msg_index ((u8 *) (VL_API_CONTROL_PING_CRC)); + mp_ping = vl_msg_api_alloc_as_if_client (sizeof (*mp_ping)); + mp_ping->_vl_msg_id = htons (im->ping_id); + mp_ping->client_index = vam->my_client_index; + vam->result_ready = 0; + + S (mp_ping); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static void +vl_api_ikev2_sa_v2_details_t_handler (vl_api_ikev2_sa_v2_details_t *mp) +{ + vat_main_t *vam = ikev2_test_main.vat_main; + vl_api_ikev2_sa_v2_t *sa = &mp->sa; + ip_address_t iaddr; + ip_address_t raddr; + vl_api_ikev2_keys_t *k = &sa->keys; + vl_api_ikev2_sa_v2_t_endian (sa); + + ip_address_decode2 (&sa->iaddr, &iaddr); + ip_address_decode2 (&sa->raddr, &raddr); + + fformat (vam->ofp, "profile name %s sa index: %d\n", mp->sa.profile_name, + mp->sa.sa_index); fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address, &iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi); fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption); diff --git a/src/plugins/ikev2/ikev2_types.api b/src/plugins/ikev2/ikev2_types.api index b279026c2b9..f0e50165501 100644 --- a/src/plugins/ikev2/ikev2_types.api +++ b/src/plugins/ikev2/ikev2_types.api @@ -138,6 +138,18 @@ typedef ikev2_sa_stats u16 n_init_sa_retransmit; }; +enum ikev2_state +{ + UNKNOWN, + SA_INIT, + DELETED, + AUTH_FAILED, + AUTHENTICATED, + NOTIFY_AND_DELETE, + TS_UNACCEPTABLE, + NO_PROPOSAL_CHOSEN, +}; + typedef ikev2_sa { u32 sa_index; @@ -161,3 +173,28 @@ typedef ikev2_sa vl_api_ikev2_sa_stats_t stats; }; + +typedef ikev2_sa_v2 +{ + u32 sa_index; + string profile_name[64]; + vl_api_ikev2_state_t state; + + u64 ispi; + u64 rspi; + vl_api_address_t iaddr; + vl_api_address_t raddr; + + vl_api_ikev2_keys_t keys; + + /* ID */ + vl_api_ikev2_id_t i_id; + vl_api_ikev2_id_t r_id; + + vl_api_ikev2_sa_transform_t encryption; + vl_api_ikev2_sa_transform_t integrity; + vl_api_ikev2_sa_transform_t prf; + vl_api_ikev2_sa_transform_t dh; + + vl_api_ikev2_sa_stats_t stats; +};
\ No newline at end of file |