summaryrefslogtreecommitdiffstats
path: root/src/plugins/ikev2/ikev2.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/ikev2/ikev2.c')
-rw-r--r--src/plugins/ikev2/ikev2.c210
1 files changed, 93 insertions, 117 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 03448b939f2..ee0b11ea4b0 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -37,7 +37,7 @@ static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
#define ikev2_set_state(sa, v) do { \
(sa)->state = v; \
- clib_warning("sa state changed to " #v); \
+ ikev2_elog_sa_state("ispi %lx SA state changed to " #v, sa->ispi); \
} while(0);
typedef struct
@@ -171,9 +171,6 @@ ikev2_select_proposal (ikev2_sa_proposal_t * proposals,
}
}
- clib_warning ("bitmap is %x mandatory is %x optional is %x",
- bitmap, mandatory_bitmap, optional_bitmap);
-
if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
(bitmap & ~optional_bitmap) == 0)
{
@@ -346,8 +343,6 @@ ikev2_generate_sa_init_data (ikev2_sa_t * sa)
if (!t)
{
- clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
- vec_len (sa->i_dh_data));
sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
return;
}
@@ -421,8 +416,6 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
if (!t)
{
- clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group,
- vec_len (sa->i_dh_data));
sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
return;
}
@@ -596,13 +589,10 @@ ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa,
u32 len = clib_net_to_host_u32 (ike->length);
u8 payload = ike->nextpayload;
- clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
- "exchange %x flags %x msgid %x length %u",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi),
- payload, ike->version,
- ike->exchange, ike->flags,
- clib_net_to_host_u32 (ike->msgid), len);
+ ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT request received "
+ "from %d.%d.%d.%d",
+ clib_net_to_host_u64 (ike->ispi),
+ clib_net_to_host_u64 (ike->rspi), sa->iaddr.as_u32);
sa->ispi = clib_net_to_host_u64 (ike->ispi);
@@ -646,8 +636,8 @@ ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa,
}
else
{
- clib_warning ("unknown payload %u flags %x length %u", payload,
- ikep->flags, plen);
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
@@ -671,17 +661,13 @@ ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa,
u32 len = clib_net_to_host_u32 (ike->length);
u8 payload = ike->nextpayload;
- clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
- "exchange %x flags %x msgid %x length %u",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi),
- payload, ike->version,
- ike->exchange, ike->flags,
- clib_net_to_host_u32 (ike->msgid), len);
-
sa->ispi = clib_net_to_host_u64 (ike->ispi);
sa->rspi = clib_net_to_host_u64 (ike->rspi);
+ ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT response received "
+ "from %d.%d.%d.%d", sa->ispi, sa->rspi,
+ sa->raddr.as_u32);
+
/* store whole IKE payload - needed for PSK auth */
vec_free (sa->last_sa_init_res_packet_data);
vec_add (sa->last_sa_init_res_packet_data, ike, len);
@@ -728,8 +714,8 @@ ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa,
}
else
{
- clib_warning ("unknown payload %u flags %x length %u", payload,
- ikep->flags, plen);
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
@@ -767,13 +753,12 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
if (*payload == IKEV2_PAYLOAD_SK)
{
- clib_warning ("received IKEv2 payload SK, len %u", plen - 4);
last_payload = *payload;
}
else
{
- clib_warning ("unknown payload %u flags %x length %u", payload,
- ikep->flags, plen);
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ *payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
sa->unsupported_cp = *payload;
@@ -787,7 +772,7 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
if (last_payload != IKEV2_PAYLOAD_SK)
{
- clib_warning ("Last payload must be SK");
+ ikev2_elog_error ("Last payload must be SK");
return 0;
}
@@ -799,7 +784,7 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload)
if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
{
- clib_warning ("message integrity check failed");
+ ikev2_elog_error ("message integrity check failed");
vec_free (hmac);
return 0;
}
@@ -845,6 +830,9 @@ ikev2_initial_contact_cleanup (ikev2_sa_t * sa)
vec_free (delete);
sa->initial_contact = 0;
+
+ km->log_level = IKEV2_LOG_ERROR;
+ km->log_class = vlib_log_register_class ("ikev2", 0);
}
static void
@@ -852,20 +840,16 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
{
ikev2_child_sa_t *first_child_sa;
int p = 0;
- u32 len = clib_net_to_host_u32 (ike->length);
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
-
ike_payload_header_t *ikep;
u32 plen;
- clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
- "exchange %x flags %x msgid %x length %u",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi),
- payload, ike->version,
- ike->exchange, ike->flags,
- clib_net_to_host_u32 (ike->msgid), len);
+ ikev2_elog_exchange ("ispi %lx rspi %lx EXCHANGE_IKE_AUTH received "
+ "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
+ clib_host_to_net_u64 (ike->rspi),
+ sa->is_initiator ? sa->raddr.as_u32 : sa->
+ iaddr.as_u32);
ikev2_calc_keys (sa);
@@ -902,7 +886,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
if (payload == IKEV2_PAYLOAD_SA) /* 33 */
{
- clib_warning ("received payload SA, len %u", plen - sizeof (*ikep));
if (sa->is_initiator)
{
ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
@@ -921,9 +904,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
sa->i_id.type = id->id_type;
vec_free (sa->i_id.data);
vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
-
- clib_warning ("received payload IDi, len %u id_type %u",
- plen - sizeof (*id), id->id_type);
}
else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
{
@@ -932,9 +912,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
sa->r_id.type = id->id_type;
vec_free (sa->r_id.data);
vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
-
- clib_warning ("received payload IDr len %u id_type %u",
- plen - sizeof (*id), id->id_type);
}
else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
{
@@ -952,9 +929,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
vec_free (sa->i_auth.data);
vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a));
}
-
- clib_warning ("received payload AUTH, len %u auth_type %u",
- plen - sizeof (*a), a->auth_method);
}
else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
{
@@ -971,25 +945,18 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
}
else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
{
- clib_warning ("received payload TSi, len %u",
- plen - sizeof (*ikep));
-
vec_free (first_child_sa->tsi);
first_child_sa->tsi = ikev2_parse_ts_payload (ikep);
}
else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
{
- clib_warning ("received payload TSr, len %u",
- plen - sizeof (*ikep));
-
vec_free (first_child_sa->tsr);
first_child_sa->tsr = ikev2_parse_ts_payload (ikep);
}
else
{
- clib_warning ("unknown payload %u flags %x length %u data %u",
- payload, ikep->flags, plen - 4,
- format_hex_bytes, ikep->payload, plen - 4);
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
@@ -1012,20 +979,14 @@ ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa,
ike_header_t * ike)
{
int p = 0;
- u32 len = clib_net_to_host_u32 (ike->length);
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
-
ike_payload_header_t *ikep;
u32 plen;
- clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
- "exchange %x flags %x msgid %x length %u",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi),
- payload, ike->version,
- ike->exchange, ike->flags,
- clib_net_to_host_u32 (ike->msgid), len);
+ ikev2_elog_exchange ("ispi %lx rspi %lx INFORMATIONAL received "
+ "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
+ clib_host_to_net_u64 (ike->rspi), sa->iaddr.as_u32);
plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
@@ -1059,10 +1020,8 @@ ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa,
}
else
{
- clib_warning ("unknown payload %u flags %x length %u data %u",
- payload, ikep->flags, plen - 4,
- format_hex_bytes, ikep->payload, plen - 4);
-
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
sa->unsupported_cp = payload;
@@ -1083,7 +1042,6 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
ike_header_t * ike)
{
int p = 0;
- u32 len = clib_net_to_host_u32 (ike->length);
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
u8 rekeying = 0;
@@ -1097,13 +1055,9 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
ikev2_sa_proposal_t *proposal = 0;
ikev2_child_sa_t *child_sa;
- clib_warning ("ispi %lx rspi %lx nextpayload %x version %x "
- "exchange %x flags %x msgid %x length %u",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi),
- payload, ike->version,
- ike->exchange, ike->flags,
- clib_net_to_host_u32 (ike->msgid), len);
+ ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received "
+ "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
+ clib_host_to_net_u64 (ike->rspi), sa->raddr.as_u32);
plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload);
@@ -1154,10 +1108,8 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
}
else
{
- clib_warning ("unknown payload %u flags %x length %u data %u",
- payload, ikep->flags, plen - 4,
- format_hex_bytes, ikep->payload, plen - 4);
-
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
+ payload);
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
sa->unsupported_cp = payload;
@@ -1194,7 +1146,8 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
if (!child_sa)
{
- clib_warning ("child SA spi %lx not found", n->spi);
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "child SA spi %lx not found",
+ n->spi);
goto cleanup_and_exit;
}
vec_add2 (sa->rekey, rekey, 1);
@@ -1356,8 +1309,9 @@ ikev2_sa_auth (ikev2_sa_t * sa)
if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
{
- clib_warning ("unsupported authentication method %u",
- sa->i_auth.method);
+ ikev2_elog_uint (IKEV2_LOG_ERROR,
+ "unsupported authentication method %u",
+ sa->i_auth.method);
ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
return;
}
@@ -1457,6 +1411,8 @@ ikev2_sa_auth (ikev2_sa_t * sa)
}
else
{
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "authentication failed, no matching "
+ "profile found! ispi %lx", sa->ispi);
ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
}
vec_free (psk);
@@ -1478,8 +1434,9 @@ ikev2_sa_auth_init (ikev2_sa_t * sa)
if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
{
- clib_warning ("unsupported authentication method %u",
- sa->i_auth.method);
+ ikev2_elog_uint (IKEV2_LOG_ERROR,
+ "unsupported authentication method %u",
+ sa->i_auth.method);
ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
return;
}
@@ -1558,9 +1515,9 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
if (rv)
{
- clib_warning ("installing ipip tunnel failed! loc:%U rem:%U",
- format_ip4_address, &a->local_ip,
- format_ip4_address, &a->remote_ip);
+ ikev2_elog_peers (IKEV2_LOG_ERROR, "installing ipip tunnel failed! "
+ "loc:%d.%d.%d.%d rem:%d.%d.%d.%d",
+ a->local_ip.ip4.as_u32, a->remote_ip.ip4.as_u32);
return;
}
@@ -1771,10 +1728,10 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm,
}
if (thread_index & 0xffffffc0)
- clib_warning ("error: thread index exceeds max range 0x3f!");
+ ikev2_elog_error ("error: thread index exceeds max range 0x3f!");
if (child_index & 0xfffff000 || sa_index & 0xfffff000)
- clib_warning ("error: sa/child index exceeds max range 0xfff!");
+ ikev2_elog_error ("error: sa/child index exceeds max range 0xfff!");
child->local_sa_id =
a.local_sa_id =
@@ -2174,17 +2131,21 @@ ikev2_retransmit_sa_init (ike_header_t * ike,
ike->length = tmp->length;
clib_memcpy_fast(ike->payload, tmp->payload,
clib_net_to_host_u32(tmp->length) - sizeof(*ike));
- clib_warning("IKE_SA_INIT retransmit from %U to %U",
- format_ip4_address, &raddr,
- format_ip4_address, &iaddr);
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
+ "ispi %lx IKE_SA_INIT retransmit "
+ "from %d.%d.%d.%d to %d.%d.%d.%d",
+ ike->ispi,
+ raddr.as_u32, iaddr.as_u32);
return 1;
}
/* else ignore req */
else
{
- clib_warning("IKE_SA_INIT ignore from %U to %U",
- format_ip4_address, &raddr,
- format_ip4_address, &iaddr);
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
+ "ispi %lx IKE_SA_INIT ignore "
+ "from %d.%d.%d.%d to %d.%d.%d.%d",
+ ike->ispi,
+ raddr.as_u32, iaddr.as_u32);
return -1;
}
}
@@ -2226,21 +2187,17 @@ ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
ike->length = tmp->length;
clib_memcpy_fast (ike->payload, tmp->payload,
clib_net_to_host_u32 (tmp->length) - sizeof (*ike));
- clib_warning ("IKE msgid %u retransmit from %U to %U",
- msg_id,
- format_ip4_address, &sa->raddr,
- format_ip4_address, &sa->iaddr);
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE retransmit msgid %d",
+ msg_id, sa->raddr.as_u32, sa->iaddr.as_u32);
return 1;
}
/* old req ignore */
else
{
- clib_warning ("IKE msgid %u req ignore from %U to %U",
- msg_id,
- format_ip4_address, &sa->raddr,
- format_ip4_address, &sa->iaddr);
- return -1;
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE req ignore msgid %d",
+ msg_id, sa->raddr.as_u32, sa->iaddr.as_u32);
}
+ return -1;
}
@@ -2583,10 +2540,11 @@ ikev2_node_fn (vlib_main_t * vm,
}
else
{
- clib_warning ("IKEv2 exchange %u packet received from %U to %U",
- ike0->exchange,
- format_ip4_address, ip40->src_address.as_u8,
- format_ip4_address, ip40->dst_address.as_u8);
+ ikev2_elog_uint_peers (IKEV2_LOG_WARNING, "IKEv2 exchange %d "
+ "received from %d.%d.%d.%d to %d.%d.%d.%d",
+ ike0->exchange,
+ ip40->src_address.as_u32,
+ ip40->dst_address.as_u32);
}
dispatch0:
@@ -2717,7 +2675,7 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
}
if (error)
{
- clib_warning
+ ikev2_elog_error
("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
r = clib_error_return (0, "Unsupported algorithm");
return r;
@@ -3256,6 +3214,9 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
+ ikev2_elog_exchange ("ispi %lx rspi %lx IKEV2_EXCHANGE_SA_INIT sent to "
+ "%d.%d.%d.%d", clib_host_to_net_u64 (sa0->ispi), 0,
+ p->responder.ip4.as_u32);
}
return 0;
@@ -3548,8 +3509,8 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
else if (csa->rekey_retries > 0)
{
csa->rekey_retries--;
- clib_warning ("Rekeying Child SA 0x%x, retries left %d",
- csa->i_proposals->spi, csa->rekey_retries);
+ ikev2_log_debug ("Rekeying Child SA 0x%x, retries left %d",
+ csa->i_proposals->spi, csa->rekey_retries);
if (csa->rekey_retries == 0)
{
csa->rekey_retries = -1;
@@ -3568,6 +3529,21 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
return res;
}
+int
+ikev2_set_log_level (ikev2_log_level_t log_level)
+{
+ ikev2_main_t *km = &ikev2_main;
+
+ if (log_level >= IKEV2_LOG_MAX)
+ {
+ ikev2_log_error ("unknown logging level %d", log_level);
+ return -1;
+ }
+
+ km->log_level = log_level;
+ return 0;
+}
+
static void
ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
{