19 #include <vpp/app/version.h> 30 #include <openssl/sha.h> 33 #define IKEV2_LIVENESS_RETRIES 3 34 #define IKEV2_LIVENESS_PERIOD_CHECK 30 42 #define ikev2_set_state(sa, v) do { \ 44 ikev2_elog_sa_state("ispi %lx SA state changed to " #v, sa->ispi); \ 60 s =
format (s,
"ikev2: sw_if_index %d, next index %d",
67 #define foreach_ikev2_error \ 68 _(PROCESSED, "IKEv2 packets processed") \ 69 _(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \ 70 _(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \ 71 _(IKE_REQ_RETRANSMIT, "IKE request retransmit") \ 72 _(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \ 73 _(NOT_IKEV2, "Non IKEv2 packets received") \ 74 _(BAD_LENGTH, "Bad packet length") 78 #define _(sym,str) IKEV2_ERROR_##sym, 85 #define _(sym,string) string, 127 if (td->
type == IKEV2_TRANSFORM_TYPE_ENCR)
130 || t->
attrs[1] != 14)
148 u8 mandatory_bitmap, optional_bitmap;
152 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
153 (1 << IKEV2_TRANSFORM_TYPE_PRF) | (1 << IKEV2_TRANSFORM_TYPE_DH);
154 optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_INTEG);
158 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
159 (1 << IKEV2_TRANSFORM_TYPE_ESN);
160 optional_bitmap = mandatory_bitmap |
161 (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
165 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
166 (1 << IKEV2_TRANSFORM_TYPE_ESN);
167 optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
182 if ((1 << transform->
type) & bitmap)
187 bitmap |= 1 << transform->
type;
194 if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
195 (bitmap & ~optional_bitmap) == 0)
199 RAND_bytes ((
u8 *) & rv->
spi, sizeof (rv->
spi));
239 if (proposal && proposal->
spi == spi && proposal->
protocol_id == prot_id)
362 if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
370 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->
dh_group == t2->dh_type)
379 sa->
dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
386 RAND_bytes ((
u8 *) & sa->
ispi, 8);
395 RAND_bytes ((
u8 *) & sa->
rspi, 8);
414 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;}) 441 if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
449 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->
dh_group == t2->dh_type)
458 sa->
dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
475 u16 integ_key_len = 0, salt_len = 0;
485 integ_key_len = tr_integ->
key_len;
487 salt_len =
sizeof (
u32);
495 vec_add2 (s, tmp, 2 *
sizeof (*spi));
497 spi[0] = clib_host_to_net_u64 (sa->
ispi);
498 spi[1] = clib_host_to_net_u64 (sa->
rspi);
524 pos += integ_key_len;
529 pos += integ_key_len;
535 pos += tr_encr->
key_len + salt_len;
540 pos += tr_encr->
key_len + salt_len;
560 u16 integ_key_len = 0;
572 integ_key_len = ctr_integ->
key_len;
574 salt_len =
sizeof (
u32);
580 int len = ctr_encr->
key_len * 2 + integ_key_len * 2 + salt_len * 2;
614 pos += integ_key_len;
631 u8 buf[8 + 8 + 4 + 2];
638 SHA1 (buf,
sizeof (buf), res);
647 u8 payload = ike->nextpayload;
651 clib_net_to_host_u64 (ike->ispi),
652 clib_net_to_host_u64 (ike->rspi), sa->
iaddr.
as_u32);
654 sa->
ispi = clib_net_to_host_u64 (ike->ispi);
662 ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
663 u32 plen = clib_net_to_host_u16 (ikep->length);
665 if (plen <
sizeof (ike_payload_header_t))
675 ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
676 sa->
dh_group = clib_net_to_host_u16 (ke->dh_group);
688 if (n->
msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
697 " behind NAT", sa->
ispi);
702 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
711 " (self) behind NAT", sa->
ispi);
733 payload = ikep->nextpayload;
745 u8 payload = ike->nextpayload;
747 sa->
ispi = clib_net_to_host_u64 (ike->ispi);
748 sa->
rspi = clib_net_to_host_u64 (ike->rspi);
751 "from %d.%d.%d.%d", sa->
ispi, sa->
rspi,
760 ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
761 u32 plen = clib_net_to_host_u16 (ikep->length);
763 if (plen <
sizeof (ike_payload_header_t))
774 clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
779 ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
780 sa->
dh_group = clib_net_to_host_u16 (ke->dh_group);
792 if (n->
msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
801 " behind NAT, unsupported", sa->
ispi);
806 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
816 " (self) behind NAT", sa->
ispi);
838 payload = ikep->nextpayload;
851 ike_payload_header_t *ikep = 0;
859 int is_aead = tr_encr->
encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
867 ikep = (ike_payload_header_t *) & ike->payload[p];
868 plen = clib_net_to_host_u16 (ikep->length);
870 if (plen <
sizeof (*ikep))
875 last_payload = *payload;
888 *payload = ikep->nextpayload;
904 u8 *aad = (
u8 *) ike;
905 u32 aad_len = ikep->payload - aad;
906 u8 *tag = ikep->payload + plen;
909 plen, aad, aad_len, tag);
920 if (plen <
sizeof (*ikep) + tr_integ->
key_trunc)
923 plen = plen -
sizeof (*ikep) - tr_integ->
key_trunc;
925 if (memcmp (hmac, &ikep->payload[plen], tr_integ->
key_trunc))
969 if (!ikev2_is_id_equal (&tmp->i_id, &sa->i_id)
970 || !ikev2_is_id_equal(&tmp->r_id, &sa->r_id))
973 if (sa->rspi != tmp->rspi)
974 vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
978 for (i = 0; i <
vec_len (
delete); i++)
998 u8 payload = ike->nextpayload;
1000 ike_payload_header_t *ikep;
1004 "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
1005 clib_host_to_net_u64 (ike->rspi),
1017 goto cleanup_and_exit;
1023 first_child_sa = &sa->
childs[0];
1036 ikep = (ike_payload_header_t *) & plaintext[p];
1037 plen = clib_net_to_host_u16 (ikep->length);
1039 if (plen <
sizeof (ike_payload_header_t))
1040 goto cleanup_and_exit;
1057 ike_id_payload_header_t *
id = (ike_id_payload_header_t *) ikep;
1065 ike_id_payload_header_t *
id = (ike_id_payload_header_t *) ikep;
1073 ike_auth_payload_header_t *
a = (ike_auth_payload_header_t *) ikep;
1091 if (n->
msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
1124 payload = ikep->nextpayload;
1134 ike_header_t * ike,
u32 len)
1137 u8 payload = ike->nextpayload;
1139 ike_payload_header_t *ikep;
1144 "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
1145 clib_host_to_net_u64 (ike->rspi), sa->
iaddr.
as_u32);
1150 goto cleanup_and_exit;
1156 ikep = (ike_payload_header_t *) & plaintext[p];
1157 plen = clib_net_to_host_u16 (ikep->length);
1159 if (plen <
sizeof (ike_payload_header_t))
1160 goto cleanup_and_exit;
1165 if (n->
msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1188 payload = ikep->nextpayload;
1198 ike_header_t * ike,
u32 len)
1201 u8 payload = ike->nextpayload;
1206 ike_payload_header_t *ikep;
1215 "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
1216 clib_host_to_net_u64 (ike->rspi), sa->
raddr.
as_u32);
1221 goto cleanup_and_exit;
1227 ikep = (ike_payload_header_t *) & plaintext[p];
1228 plen = clib_net_to_host_u16 (ikep->length);
1230 if (plen <
sizeof (ike_payload_header_t))
1231 goto cleanup_and_exit;
1240 if (n->
msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1272 goto cleanup_and_exit;
1276 payload = ikep->nextpayload;
1307 goto cleanup_and_exit;
1391 ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1397 if (sa->is_initiator)
1421 if (ikev2_ts_cmp(p_tsi, ts))
1423 vec_add1 (tsi, ts[0]);
1445 sa->childs[0].tsi = tsi;
1446 sa->childs[0].tsr = tsr;
1461 u8 *authmsg, *key_pad, *psk = 0, *
auth = 0;
1468 if (!(sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1472 "unsupported authentication method %u",
1501 if (!ikev2_is_id_equal (&p->rem_id, id_rem)
1502 || !ikev2_is_id_equal (&p->loc_id, id_loc))
1505 if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1507 if (!p->auth.data ||
1508 p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1511 psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
1512 auth = ikev2_calc_prf(tr_prf, psk, authmsg);
1514 if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
1516 ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1523 else if (sa_auth->
method == IKEV2_AUTH_METHOD_RSA_SIG)
1525 if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1528 if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
1530 ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
1543 sa->udp_encap = sel_p->udp_encap;
1544 sa->ipsec_over_udp_port = sel_p->ipsec_over_udp_port;
1550 if (!sa->is_initiator)
1553 sa->r_id.data =
vec_dup (sel_p->loc_id.data);
1554 sa->r_id.type = sel_p->loc_id.type;
1555 sa->i_id.data =
vec_dup (sel_p->rem_id.data);
1556 sa->i_id.type = sel_p->rem_id.type;
1560 if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1563 sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
1565 else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
1568 sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
1574 sa->childs[0].r_proposals =
1578 if (~0 != sel_p->tun_itf)
1580 sa->is_tun_itf_set = 1;
1581 sa->tun_itf = sel_p->tun_itf;
1587 ikev2_elog_uint (IKEV2_LOG_ERROR,
"authentication failed, no matching " 1588 "profile found! ispi %lx", sa->ispi);
1600 u8 *authmsg, *key_pad, *psk = 0;
1607 if (!(sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1611 "unsupported authentication method %u",
1621 if (sa->
i_auth.
method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1626 else if (sa->
i_auth.
method == IKEV2_AUTH_METHOD_RSA_SIG)
1640 return (0x80000000 | (ti << 24) | (sai << 12) | ci);
1646 return (0xc0000000 | (ti << 24) | (sai << 12) | ci);
1683 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
1684 TUNNEL_MODE_P2P, &sw_if_index);
1686 if (rv == VNET_API_ERROR_IF_ALREADY_EXISTS)
1703 "loc:%d.%d.%d.%d rem:%d.%d.%d.%d",
1730 (a->
flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
1743 u32 child_index,
u8 is_rekey)
1779 a.
flags = IPSEC_SA_FLAG_USE_ANTI_REPLAY;
1782 a.
flags |= IPSEC_SA_FLAG_IS_TUNNEL;
1783 a.
flags |= IPSEC_SA_FLAG_UDP_ENCAP;
1786 a.
flags |= IPSEC_SA_FLAG_UDP_ENCAP;
1791 a.
flags |= IPSEC_SA_FLAG_USE_ESN;
1801 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
1804 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
1807 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
1815 else if (tr->
encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16
1821 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_128;
1824 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_192;
1827 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_256;
1856 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
1857 integ_type = IPSEC_INTEG_ALG_SHA_256_128;
1859 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
1860 integ_type = IPSEC_INTEG_ALG_SHA_384_192;
1862 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
1863 integ_type = IPSEC_INTEG_ALG_SHA_512_256;
1865 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
1866 integ_type = IPSEC_INTEG_ALG_SHA1_96;
1881 integ_type = IPSEC_INTEG_ALG_NONE;
1935 if (thread_index & 0xffffffc0)
1938 if (child_index & 0xfffff000 || sa_index & 0xfffff000)
1964 remote_sa_id |=
mask;
1976 (
u8 *) & a,
sizeof (a));
2008 ipip_tunnel_key_t
key = {
2032 if (~0 != sw_if_index)
2076 ike_payload_header_t *ph;
2094 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
2097 else if (sa->
dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
2103 IKEV2_TRANSFORM_TYPE_DH);
2106 data[0] = (tr_dh->
dh_type >> 8) & 0xff;
2107 data[1] = (tr_dh->
dh_type) & 0xff;
2110 IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD,
2121 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2129 ike->rspi = clib_host_to_net_u64 (sa->
rspi);
2134 u8 *nat_detection_sha1 =
2136 clib_host_to_net_u64 (sa->
rspi),
2140 IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
2141 nat_detection_sha1);
2143 nat_detection_sha1 =
2145 clib_host_to_net_u64 (sa->
rspi),
2148 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
2149 nat_detection_sha1);
2167 IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
2181 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
2193 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2250 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2268 *(
u32 *) data = clib_host_to_net_u32 (notify.
spi);
2297 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2305 IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
2314 tlen =
sizeof (*ike);
2330 ike->length = clib_host_to_net_u32 (tlen);
2343 plen =
sizeof (*ph);
2344 ph = (ike_payload_header_t *) & ike->payload[0];
2348 tr_encr->
encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
2360 ph->length = clib_host_to_net_u16 (plen);
2361 ike->length = clib_host_to_net_u32 (tlen);
2366 ph->payload, (
u8 *) ike,
2367 sizeof (*ike) +
sizeof (*ph),
2368 ph->payload + plen - sizeof (*ph) -
2379 sizeof (*ike), integ, tr_integ->
key_trunc);
2403 if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
2404 sa->iaddr.as_u32 == iaddr.as_u32 &&
2405 sa->raddr.as_u32 == raddr.as_u32)
2408 u8 payload = ike->nextpayload;
2410 while (p < rlen && payload!= IKEV2_PAYLOAD_NONE) {
2411 ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
2412 u32 plen = clib_net_to_host_u16(ikep->length);
2414 if (plen < sizeof(ike_payload_header_t))
2417 if (payload == IKEV2_PAYLOAD_NONCE)
2419 if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
2422 if (sa->state == IKEV2_STATE_SA_INIT)
2424 ike_header_t * tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
2425 u32 slen = clib_net_to_host_u32(tmp->length);
2426 ike->ispi = tmp->ispi;
2427 ike->rspi = tmp->rspi;
2428 ike->nextpayload = tmp->nextpayload;
2429 ike->version = tmp->version;
2430 ike->exchange = tmp->exchange;
2431 ike->flags = tmp->flags;
2432 ike->msgid = tmp->msgid;
2433 ike->length = tmp->length;
2434 clib_memcpy_fast(ike->payload, tmp->payload, slen - sizeof(*ike));
2435 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
2436 "ispi %lx IKE_SA_INIT retransmit " 2437 "from %d.%d.%d.%d to %d.%d.%d.%d",
2439 raddr.as_u32, iaddr.as_u32);
2445 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
2446 "ispi %lx IKE_SA_INIT ignore " 2447 "from %d.%d.%d.%d to %d.%d.%d.%d",
2449 raddr.as_u32, iaddr.as_u32);
2454 payload = ikep->nextpayload;
2468 u32 msg_id = clib_net_to_host_u32 (ike->msgid);
2481 u32 slen = clib_net_to_host_u32 (tmp->length);
2482 ike->ispi = tmp->ispi;
2483 ike->rspi = tmp->rspi;
2484 ike->nextpayload = tmp->nextpayload;
2485 ike->version = tmp->version;
2486 ike->exchange = tmp->exchange;
2487 ike->flags = tmp->flags;
2488 ike->msgid = tmp->msgid;
2489 ike->length = tmp->length;
2535 u32 n_left_from, *from, *to_next;
2544 while (n_left_from > 0)
2550 while (n_left_from > 0 && n_left_to_next > 0)
2562 int is_req = 0, has_non_esp_marker = 0;
2570 n_left_to_next -= 1;
2578 ptr +=
sizeof (*ip40);
2580 ptr +=
sizeof (*udp0);
2581 ike0 = (ike_header_t *) ptr;
2595 if (*((
u32 *) ike0) == 0)
2598 (ike_header_t *) ((
u8 *) ike0 +
2601 has_non_esp_marker = 1;
2604 if (clib_net_to_host_u32 (ike0->length) != rlen)
2607 IKEV2_ERROR_BAD_LENGTH, 1);
2614 IKEV2_ERROR_NOT_IKEV2, 1);
2625 if (ike0->rspi == 0)
2639 IKEV2_ERROR_IKE_SA_INIT_IGNORE
2641 IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
2734 clib_net_to_host_u64 (ike0->rspi));
2747 IKEV2_ERROR_IKE_REQ_IGNORE
2749 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2781 clib_net_to_host_u64 (ike0->rspi));
2794 IKEV2_ERROR_IKE_REQ_IGNORE
2796 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2844 clib_net_to_host_u64 (ike0->rspi));
2857 IKEV2_ERROR_IKE_REQ_IGNORE
2859 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
2897 "received from %d.%d.%d.%d to %d.%d.%d.%d",
2905 if (slen && ~0 != slen)
2927 if (!has_non_esp_marker)
2933 if (has_non_esp_marker)
2963 && (b0->
flags & VLIB_BUFFER_IS_TRACED)))
2971 n_left_to_next, bi0, next0);
2978 IKEV2_ERROR_PROCESSED, frame->
n_vectors);
2986 .vector_size =
sizeof (
u32),
3011 vec_add2 (*proposals, proposal, 1);
3019 if (td->
type == IKEV2_TRANSFORM_TYPE_ENCR
3024 attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
3025 attr[1] = clib_host_to_net_u16 (td->
key_len << 3);
3040 if (IKEV2_TRANSFORM_INTEG_TYPE_NONE != ts->
integ_alg)
3046 if (td->
type == IKEV2_TRANSFORM_TYPE_INTEG
3057 (
"Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
3069 if (td->
type == IKEV2_TRANSFORM_TYPE_PRF
3070 && td->
prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
3113 if (td->
type == IKEV2_TRANSFORM_TYPE_ESN)
3169 udp0->
dst_port = clib_host_to_net_u16 (dst_port);
3170 udp0->
src_port = clib_host_to_net_u16 (src_port);
3209 EVP_PKEY_free (km->
pkey);
3211 if (km->
pkey == NULL)
3235 return VNET_API_ERROR_UDP_PORT_TAKEN;
3290 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
3291 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
3341 if (sa->profile_index != ~0 && pi == sa->profile_index)
3342 vec_add1 (del_sai, sa - tkm->sas);
3409 u8 * auth_data,
u8 data_hex_format)
3428 p->
auth.
hex = data_hex_format;
3430 if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
3448 if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
3449 && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
3618 return VNET_API_ERROR_INVALID_VALUE;
3623 return VNET_API_ERROR_VALUE_EXIST;
3631 return VNET_API_ERROR_IKE_NO_PORT;
3634 return VNET_API_ERROR_INVALID_VALUE;
3709 int len =
sizeof (ike_header_t);
3721 char *errmsg =
"buffer alloc failure";
3765 u8 *nat_detection_sha1 =
3767 clib_host_to_net_u64 (sa.
rspi),
3772 nat_detection_sha1);
3774 nat_detection_sha1 =
3776 clib_host_to_net_u64 (sa.
rspi),
3778 clib_host_to_net_u16 (sa.
dst_port));
3780 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
3781 nat_detection_sha1);
3785 u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
3788 IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
3796 ike0->length = clib_host_to_net_u32 (len);
3803 ike0->ispi = clib_host_to_net_u64 (sa.
ispi);
3837 "%d.%d.%d.%d", clib_host_to_net_u64 (sa0->
ispi), 0,
3862 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
3863 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
3897 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
3907 if (!fchild || !fsa)
3937 if (sa->ispi == ispi)
3976 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
3977 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
3986 RAND_bytes ((
u8 *) & proposals[0].
spi,
sizeof (proposals[0].spi));
3987 rekey->
spi = proposals[0].
spi;
4014 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
4024 if (!fchild || !fsa)
4056 for (thread_id = 0; thread_id < tm->
n_vlib_mains; thread_id++)
4063 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 4064 ptd->
evp_ctx = EVP_CIPHER_CTX_new ();
4067 EVP_CIPHER_CTX_init (&ptd->_evp_ctx);
4068 ptd->
evp_ctx = &ptd->_evp_ctx;
4069 HMAC_CTX_init (&(ptd->_hmac_ctx));
4094 .runs_after =
VLIB_INITS(
"ipsec_init",
"ipsec_punt_init"),
4148 if (~0 == sw_if_index)
4150 ip46_address_t local_ip;
4151 ip46_address_t remote_ip;
4164 ipip_tunnel_key_t
key = {
4211 if (period == 0 || max_retries == 0)
4239 fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
4249 ipsec_sa->stat_index, &counts);
4251 if (fsa && fsa->profile_index != ~0 && fsa->is_initiator)
4254 if (fchild && p && p->lifetime_maxdata)
4256 if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
4258 fchild->time_to_expiration = now;
4273 sa = pool_elt_at_index (km->sais, sai);
4274 if (sa->init_response_received)
4278 if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
4281 vlib_buffer_t * b = vlib_get_buffer (km->vlib_main, bi0);
4282 clib_memcpy_fast (vlib_buffer_get_current (b),
4283 sa->last_sa_init_req_packet_data,
4284 vec_len (sa->last_sa_init_req_packet_data));
4285 ikev2_send_ike (km->vlib_main, &sa->iaddr, &sa->raddr, bi0,
4286 vec_len (sa->last_sa_init_req_packet_data),
4287 ikev2_get_port (sa), IKEV2_PORT, sa->sw_if_index);
4312 ike0->ispi = clib_host_to_net_u64 (sa->
ispi);
4313 ike0->rspi = clib_host_to_net_u64 (sa->
rspi);
4380 u32 *to_be_deleted = 0;
4384 ikev2_child_sa_t *c;
4386 if (sa->old_remote_id_present && 0 > sa->old_id_expiration)
4388 sa->old_remote_id_present = 0;
4396 req_sent |= ikev2_mngr_process_child_sa(sa, c, del_old_ids);
4407 u8 reinitiate = (sa->is_initiator && sa->profile_index != ~0);
4433 ikev2_mngr_process_ipsec_sa(sa);
4455 "ikev2-manager-process",
4459 .version = VPP_BUILD_VER,
4460 .description =
"Internet Key Exchange (IKEv2) Protocol",
ikev2_main_per_thread_data_t * per_thread_data
ipip_tunnel_t * ipip_tunnel_db_find(const ipip_tunnel_key_t *key)
#define ikev2_elog_exchange(_format, _ispi, _rspi, _addr)
vlib_log_class_t vlib_log_register_class(char *class, char *subclass)
static int ikev2_create_tunnel_interface(vlib_main_t *vm, u32 thread_index, ikev2_sa_t *sa, ikev2_child_sa_t *child, u32 sa_index, u32 child_index, u8 is_rekey)
u32 flags
buffer flags: VLIB_BUFFER_FREE_LIST_INDEX_MASK: bits used to store free list index, VLIB_BUFFER_IS_TRACED: trace this buffer.
void ikev2_payload_add_nonce(ikev2_payload_chain_t *c, u8 *nonce)
static u8 * format_ikev2_trace(u8 *s, va_list *args)
static void ikev2_process_create_child_sa_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike, u32 len)
#define hash_set(h, key, value)
#define IKEV2_PAYLOAD_NONCE
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
void ikev2_payload_add_notify(ikev2_payload_chain_t *c, u16 msg_type, u8 *data)
ikev2_transforms_set ike_ts
static int ikev2_delete_tunnel_interface(vnet_main_t *vnm, ikev2_sa_t *sa, ikev2_child_sa_t *child)
static u32 ikev2_retransmit_resp(ikev2_sa_t *sa, ike_header_t *ike, u32 rlen)
static u8 ikev2_mngr_process_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *csa, u8 del_old_ids)
static f64 vlib_process_wait_for_event_or_clock(vlib_main_t *vm, f64 dt)
Suspend a cooperative multi-tasking thread Waits for an event, or for the indicated number of seconds...
ikev2_transform_integ_type_t
#define hash_unset(h, key)
static u32 ikev2_retransmit_sa_init(ike_header_t *ike, ip4_address_t iaddr, ip4_address_t raddr, u32 rlen)
static void ikev2_del_sa_init(u64 ispi)
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
int ikev2_encrypt_data(ikev2_main_per_thread_data_t *ptd, ikev2_sa_t *sa, ikev2_sa_transform_t *tr_encr, v8 *src, u8 *dst)
A representation of a IPIP tunnel.
ip_interface_address_t * if_address_pool
Pool of addresses that are assigned to interfaces.
void ikev2_payload_add_sa(ikev2_payload_chain_t *c, ikev2_sa_proposal_t *proposals)
static u32 ikev2_generate_message(ikev2_sa_t *sa, ike_header_t *ike, void *user, udp_header_t *udp)
vnet_main_t * vnet_get_main(void)
clib_error_t * ikev2_set_profile_udp_encap(vlib_main_t *vm, u8 *name)
static void ikev2_process_sa_init_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike, udp_header_t *udp, u32 len)
static void ikev2_profile_free(ikev2_profile_t *p)
static void ikev2_calc_keys(ikev2_sa_t *sa)
ikev2_sa_proposal_t * ikev2_parse_sa_payload(ike_payload_header_t *ikep)
#define IKEV2_PAYLOAD_NONE
ikev2_profile_t * profiles
vl_api_ip_port_and_mask_t dst_port
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
static void * ip_interface_address_get_address(ip_lookup_main_t *lm, ip_interface_address_t *a)
#define clib_memcpy_fast(a, b, c)
u32 current_remote_id_mask
ikev2_ts_t * ikev2_parse_ts_payload(ike_payload_header_t *ikep)
uword mhash_unset(mhash_t *h, void *key, uword *old_value)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
static void ikev2_sa_free_child_sa(ikev2_child_sa_t *c)
v8 * ikev2_calc_prf(ikev2_sa_transform_t *tr, v8 *key, v8 *data)
static f64 vlib_time_now(vlib_main_t *vm)
void vnet_sw_interface_admin_up(vnet_main_t *vnm, u32 sw_if_index)
#define ikev2_elog_peers(_level, _format, _ip1, _ip2)
static void ikev2_complete_sa_data(ikev2_sa_t *sa, ikev2_sa_t *sai)
#define ikev2_elog_error(_msg)
static vlib_node_registration_t ikev2_mngr_process_node
(constructor) VLIB_REGISTER_NODE (ikev2_mngr_process_node)
#define IKEV2_EXCHANGE_SA_INIT
static void ikev2_delete_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
u16 current_length
Nbytes between current data and the end of this buffer.
#define IKEV2_PAYLOAD_VENDOR
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Combined counter to hold both packets and byte differences.
clib_error_t * ikev2_set_profile_tunnel_interface(vlib_main_t *vm, u8 *name, u32 sw_if_index)
int vlib_punt_hdl_t
Typedef for a client handle.
#define vec_add2(V, P, N)
Add N elements to end of vector V, return pointer to new elements in P.
static void mhash_init_vec_string(mhash_t *h, uword n_value_bytes)
static void ikev2_send_ike(vlib_main_t *vm, ip4_address_t *src, ip4_address_t *dst, u32 bi0, u32 len, u16 src_port, u16 dst_port, u32 sw_if_index)
static udp_dst_port_info_t * udp_get_dst_port_info(udp_main_t *um, udp_dst_port_t dst_port, u8 is_ip4)
ip_lookup_main_t lookup_main
vl_api_ip4_address_t iaddr
#define IKEV2_GCM_ICV_SIZE
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
void ikev2_payload_add_ke(ikev2_payload_chain_t *c, u16 dh_group, u8 *dh_data)
static void ikev2_generate_sa_init_data(ikev2_sa_t *sa)
clib_error_t * ikev2_set_liveness_params(u32 period, u32 max_retries)
#define IKEV2_PAYLOAD_TSR
#define vec_validate_aligned(V, I, A)
Make sure vector is long enough for given index (no header, specified alignment)
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
static_always_inline int ikev2_mngr_process_responder_sas(ikev2_sa_t *sa)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
static void ikev2_delete_sa(ikev2_sa_t *sa)
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
u8 * last_sa_init_res_packet_data
vnet_api_error_t ikev2_set_profile_ipsec_udp_port(vlib_main_t *vm, u8 *name, u16 port, u8 is_set)
ikev2_notify_t * ikev2_parse_notify_payload(ike_payload_header_t *ikep)
u8 init_response_received
static void ikev2_cleanup_profile_sessions(ikev2_main_t *km, ikev2_profile_t *p)
ikev2_sa_transform_t * ikev2_sa_get_td_for_type(ikev2_sa_proposal_t *p, ikev2_transform_type_t type)
static void ikev2_process_informational_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike, u32 len)
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
#define vlib_worker_thread_barrier_sync(X)
vlib_node_registration_t ip4_lookup_node
(constructor) VLIB_REGISTER_NODE (ip4_lookup_node)
#define clib_memcpy(d, s, n)
static void ikev2_mngr_process_ipsec_sa(ipsec_sa_t *ipsec_sa)
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
ikev2_transform_dh_type_t
u8 * ikev2_decrypt_aead_data(ikev2_main_per_thread_data_t *ptd, ikev2_sa_t *sa, ikev2_sa_transform_t *tr_encr, u8 *data, int data_len, u8 *aad, u32 aad_len, u8 *tag)
ikev2_child_sa_t * ikev2_sa_get_child(ikev2_sa_t *sa, u32 spi, ikev2_protocol_id_t prot_id, int by_initiator)
#define static_always_inline
#define IKEV2_PAYLOAD_DELETE
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
ikev2_sa_proposal_t * r_proposals
void ikev2_generate_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
#define VLIB_INIT_FUNCTION(x)
static uword vlib_process_get_events(vlib_main_t *vm, uword **data_vector)
Return the first event type which has occurred and a vector of per-event data of that type...
EVP_PKEY * ikev2_load_cert_file(u8 *file)
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
#define IKEV2_LIVENESS_PERIOD_CHECK
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
static ikev2_sa_transform_t * ikev2_find_transform_data(ikev2_sa_transform_t *t)
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
EVP_PKEY * ikev2_load_key_file(u8 *file)
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
static u8 * ikev2_decrypt_sk_payload(ikev2_sa_t *sa, ike_header_t *ike, u8 *payload, u32 len)
ipsec_crypto_alg_t encr_type
void ikev2_parse_vendor_payload(ike_payload_header_t *ikep)
#define hash_foreach(key_var, value_var, h, body)
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
static_always_inline u8 * ikev2_compute_nat_sha1(u64 ispi, u64 rspi, u32 ip, u16 port)
ipsec_integ_alg_t integ_type
vlib_frame_t * vlib_get_frame_to_node(vlib_main_t *vm, u32 to_node_index)
#define clib_error_return(e, args...)
static u32 ikev2_get_new_ike_header_buff(vlib_main_t *vm, ike_header_t **ike)
int ipsec_sa_unlock_id(u32 id)
void ikev2_payload_add_id(ikev2_payload_chain_t *c, ikev2_id_t *id, u8 type)
#define IKEV2_PAYLOAD_NOTIFY
void vl_api_rpc_call_main_thread(void *fp, u8 *data, u32 data_length)
static void ikev2_sa_match_ts(ikev2_sa_t *sa)
ikev2_sa_proposal_t * i_proposals
static void ikev2_sa_auth(ikev2_sa_t *sa)
#define vec_resize(V, N)
Resize a vector (no header, unspecified alignment) Add N elements to end of given vector V...
#define ikev2_set_state(sa, v)
#define ikev2_payload_destroy_chain(V)
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, u32 crypto_key_size)
static void ikev2_del_sa_init_from_main(u64 *ispi)
ikev2_sa_transform_t * transforms
vlib_punt_hdl_t vlib_punt_client_register(const char *who)
Register a new clinet.
#define IKEV2_EXCHANGE_CREATE_CHILD_SA
static void ikev2_initial_contact_cleanup(ikev2_sa_t *sa)
ikev2_responder_t responder
vl_api_fib_path_type_t type
int ikev2_set_log_level(ikev2_log_level_t log_level)
static ikev2_profile_t * ikev2_profile_index_by_name(u8 *name)
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
u8 * ikev2_calc_prfplus(ikev2_sa_transform_t *tr, u8 *key, u8 *seed, int len)
static u32 ikev2_mk_local_sa_id(u32 sai, u32 ci, u32 ti)
static clib_error_t * ikev2_set_initiator_proposals(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_transforms_set *ts, ikev2_sa_proposal_t **proposals, int is_ike)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
void ikev2_cli_reference(void)
u8 * last_sa_init_req_packet_data
#define IKEV2_PAYLOAD_IDR
static_always_inline u32 ikev2_flip_alternate_sa_bit(u32 id)
#define ikev2_log_debug(...)
uword mhash_set_mem(mhash_t *h, void *key, uword *new_value, uword *old_value)
static __clib_warn_unused_result u32 vlib_buffer_alloc(vlib_main_t *vm, u32 *buffers, u32 n_buffers)
Allocate buffers into supplied array.
static void ikev2_process_auth_req(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike, u32 len)
ikev2_sa_proposal_t * i_proposals
void vlib_put_frame_to_node(vlib_main_t *vm, u32 to_node_index, vlib_frame_t *f)
#define IKEV2_HDR_FLAG_RESPONSE
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
mhash_t profile_index_by_name
ikev2_sa_transform_t * supported_transforms
#define pool_put(P, E)
Free an object E in pool P.
#define vec_dup(V)
Return copy of vector (no header, no alignment)
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
static_always_inline int ikev2_insert_non_esp_marker(ike_header_t *ike, int len)
static void ikev2_rekey_child_sa_internal(vlib_main_t *vm, ikev2_sa_t *sa, ikev2_child_sa_t *csa)
#define vec_del1(v, i)
Delete the element at index I.
#define IKEV2_PAYLOAD_FLAG_CRITICAL
static void ikev2_sa_auth_init(ikev2_sa_t *sa)
static_always_inline ikev2_main_per_thread_data_t * ikev2_get_per_thread_data()
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
static void ikev2_process_pending_sa_init(ikev2_main_t *km)
static void ikev2_initiate_delete_ike_sa_internal(vlib_main_t *vm, ikev2_main_per_thread_data_t *tkm, ikev2_sa_t *sa)
#define IKEV2_EXCHANGE_INFORMATIONAL
void ikev2_payload_add_delete(ikev2_payload_chain_t *c, ikev2_delete_t *d)
static u32 ikev2_mk_remote_sa_id(u32 sai, u32 ci, u32 ti)
vl_api_ip_port_and_mask_t src_port
#define IKEV2_HDR_FLAG_INITIATOR
static void ikev2_add_tunnel_from_main(ikev2_add_ipsec_tunnel_args_t *a)
static uword ikev2_mngr_process_fn(vlib_main_t *vm, vlib_node_runtime_t *rt, vlib_frame_t *f)
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
vlib_punt_reason_t ipsec_punt_reason[IPSEC_PUNT_N_REASONS]
#define VLIB_REGISTER_NODE(x,...)
#define ikev2_elog_uint(_level, _format, _val)
static_always_inline uword vlib_get_thread_index(void)
static void vlib_get_combined_counter(const vlib_combined_counter_main_t *cm, u32 index, vlib_counter_t *result)
Get the value of a combined counter, never called in the speed path Scrapes the entire set of per-thr...
static void ikev2_sa_del_child_sa(ikev2_sa_t *sa, ikev2_child_sa_t *child)
ikev2_auth_method_t method
ikev2_transform_encr_type_t
#define clib_memcmp(s1, s2, m1)
sll srl srl sll sra u16x4 i
static vlib_punt_hdl_t punt_hdl
#define vec_free(V)
Free vector's memory (no header).
void udp_unregister_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u8 is_ip4)
static_always_inline vnet_api_error_t ikev2_register_udp_port(ikev2_profile_t *p, u16 port)
#define IKEV2_LIVENESS_RETRIES
static uword ikev2_node_fn(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
static_always_inline u16 ikev2_get_port(ikev2_sa_t *sa)
static_always_inline void ikev2_unregister_udp_port(ikev2_profile_t *p)
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
#define ikev2_log_error(...)
ikev2_sa_proposal_t * r_proposals
vlib_main_t vlib_node_runtime_t * node
static u8 * ikev2_sa_generate_authmsg(ikev2_sa_t *sa, int is_responder)
static void ikev2_calc_child_keys(ikev2_sa_t *sa, ikev2_child_sa_t *child)
#define hash_set1(h, key)
enum ikev2_log_level_t_ ikev2_log_level_t
u32 * if_address_pool_index_by_sw_if_index
Head of doubly linked list of interface addresses for each software interface.
#define hash_create(elts, value_bytes)
void ikev2_payload_add_auth(ikev2_payload_chain_t *c, ikev2_auth_t *auth)
ikev2_protocol_id_t protocol_id
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
u16 cached_next_index
Next frame index that vector arguments were last enqueued to last time this node ran.
static_always_inline int ikev2_is_id_equal(ikev2_id_t *i1, ikev2_id_t *i2)
v8 * ikev2_decrypt_data(ikev2_main_per_thread_data_t *ptd, ikev2_sa_t *sa, ikev2_sa_transform_t *tr_encr, u8 *data, int len)
static uword * mhash_get(mhash_t *h, const void *key)
f64 liveness_period_check
void ikev2_sa_free_proposal_vector(ikev2_sa_proposal_t **v)
#define IKEV2_PAYLOAD_AUTH
#define ikev2_payload_new_chain(V)
ikev2_sa_proposal_t * r_proposal
static void ikev2_process_sa_init_resp(vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike, udp_header_t *udp, u32 len)
void ikev2_complete_dh(ikev2_sa_t *sa, ikev2_sa_transform_t *t)
#define vec_append(v1, v2)
Append v2 after v1.
int ikev2_encrypt_aead_data(ikev2_main_per_thread_data_t *ptd, ikev2_sa_t *sa, ikev2_sa_transform_t *tr_encr, v8 *src, u8 *dst, u8 *aad, u32 aad_len, u8 *tag)
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
static vlib_node_registration_t ikev2_node
(constructor) VLIB_REGISTER_NODE (ikev2_node)
ikev2_log_level_t log_level
ikev2_sa_proposal_t * i_proposal
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
#define IKEV2_PAYLOAD_TSI
struct _vlib_node_registration vlib_node_registration_t
u8 * last_res_packet_data
static char * ikev2_error_strings[]
void vnet_sw_interface_admin_down(vnet_main_t *vnm, u32 sw_if_index)
#define clib_atomic_bool_cmp_and_swap(addr, old, new)
int vlib_punt_register(vlib_punt_hdl_t client, vlib_punt_reason_t reason, const char *node_name)
Register a node to receive particular punted buffers.
vl_api_ip4_address_t start_addr
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
void ikev2_payload_chain_add_padding(ikev2_payload_chain_t *c, int bs)
vlib_main_t vlib_node_runtime_t vlib_frame_t * frame
VLIB buffer representation.
#define IKEV2_PAYLOAD_IDI
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
#define ikev2_elog_uint_peers(_level, _format, _val, _ip1, _ip2)
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
ikev2_child_sa_t * childs
vlib_log_class_t log_class
int ipip_del_tunnel(u32 sw_if_index)
Linear Congruential Random Number Generator.
#define IKEV2_EXCHANGE_IKE_AUTH
vl_api_ip4_address_t raddr
static int ikev2_ts_cmp(ikev2_ts_t *ts1, ikev2_ts_t *ts2)
clib_error_t * ikev2_init(vlib_main_t *vm)
vl_api_ip4_address_t end_addr
static u32 random_u32(u32 *seed)
32-bit random number generator
void vlib_worker_thread_barrier_release(vlib_main_t *vm)
ip4_main_t ip4_main
Global ip4 main structure.
static vlib_thread_main_t * vlib_get_thread_main()
#define vec_foreach(var, vec)
Vector iterator.
static void ikev2_sa_free_all_child_sa(ikev2_child_sa_t **childs)
u16 flags
Copy of main node flags.
void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
static ikev2_sa_proposal_t * ikev2_select_proposal(ikev2_sa_proposal_t *proposals, ikev2_protocol_id_t prot_id)
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
ikev2_transforms_set esp_ts
#define VLIB_NODE_FLAG_TRACE
void ikev2_crypto_init(ikev2_main_t *km)
static void ikev2_del_tunnel_from_main(ikev2_del_ipsec_tunnel_args_t *a)
#define CLIB_CACHE_LINE_BYTES
void ikev2_payload_add_ts(ikev2_payload_chain_t *c, ikev2_ts_t *ts, u8 type)
static void ikev2_sa_free_all_vec(ikev2_sa_t *sa)
static void ikev2_send_informational_request(ikev2_sa_t *sa)
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
#define IPSEC_UDP_PORT_NONE
static u16 ip4_header_checksum(ip4_header_t *i)
u8 * ikev2_calc_sign(EVP_PKEY *pkey, u8 *data)
v8 * ikev2_calc_integr(ikev2_sa_transform_t *tr, v8 *key, u8 *data, int len)
static void ip46_address_set_ip4(ip46_address_t *ip46, const ip4_address_t *ip)
vl_api_interface_index_t sw_if_index
u8 * format_ikev2_id_type(u8 *s, va_list *args)
#define foreach_ikev2_error
static void ikev2_init_sa(vlib_main_t *vm, ikev2_sa_t *sa)
#define IKEV2_GCM_IV_SIZE
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)
void ikev2_payload_add_notify_2(ikev2_payload_chain_t *c, u16 msg_type, u8 *data, ikev2_notify_t *notify)
ikev2_delete_t * ikev2_parse_delete_payload(ike_payload_header_t *ikep)