2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vlib/unix/plugin.h>
18 #include <vlibmemory/api.h>
19 #include <vpp/app/version.h>
20 #include <vnet/vnet.h>
21 #include <vppinfra/error.h>
22 #include <vppinfra/random.h>
23 #include <vnet/udp/udp.h>
24 #include <vnet/ipsec/ipsec.h>
25 #include <vnet/ipsec/ipsec_tun.h>
26 #include <vnet/ipip/ipip.h>
27 #include <plugins/ikev2/ikev2.h>
28 #include <plugins/ikev2/ikev2_priv.h>
29 #include <plugins/dns/dns.h>
30 #include <openssl/sha.h>
31 #include <vnet/ipsec/ipsec_punt.h>
32 #include <plugins/ikev2/ikev2.api_enum.h>
34 #define IKEV2_LIVENESS_RETRIES 3
35 #define IKEV2_LIVENESS_PERIOD_CHECK 30
37 ikev2_main_t ikev2_main;
39 static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
41 ikev2_child_sa_t * child);
43 #define ikev2_set_state(sa, v, ...) do { \
45 ikev2_elog_sa_state("ispi %lx SA state changed to " #v __VA_ARGS__, sa->ispi); \
55 format_ikev2_trace (u8 * s, va_list * args)
57 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
58 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
59 ikev2_trace_t *t = va_arg (*args, ikev2_trace_t *);
61 s = format (s, "ikev2: sw_if_index %d, next index %d",
62 t->sw_if_index, t->next_index);
66 #define IKEV2_GENERATE_SA_INIT_OK_str ""
67 #define IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR \
68 "no DH group configured for IKE proposals!"
69 #define IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR \
70 "DH group not supported!"
74 IKEV2_GENERATE_SA_INIT_OK,
75 IKEV2_GENERATE_SA_INIT_ERR_NO_DH,
76 IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH,
77 } ikev2_generate_sa_error_t;
80 format_ikev2_gen_sa_error (u8 * s, va_list * args)
82 ikev2_generate_sa_error_t e = va_arg (*args, ikev2_generate_sa_error_t);
85 case IKEV2_GENERATE_SA_INIT_OK:
87 case IKEV2_GENERATE_SA_INIT_ERR_NO_DH:
88 s = format (s, IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR);
90 case IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH:
91 s = format (s, IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR);
99 IKEV2_NEXT_IP4_LOOKUP,
100 IKEV2_NEXT_IP4_ERROR_DROP,
106 IKEV2_NEXT_IP6_LOOKUP,
107 IKEV2_NEXT_IP6_ERROR_DROP,
111 typedef u32 ikev2_non_esp_marker;
114 ikev2_get_port (ikev2_sa_t *sa)
116 return ikev2_natt_active (sa) ? IKEV2_PORT_NATT : IKEV2_PORT;
120 ikev2_insert_non_esp_marker (ike_header_t *ike, int len)
122 memmove ((u8 *) ike + sizeof (ikev2_non_esp_marker), ike, len);
123 clib_memset (ike, 0, sizeof (ikev2_non_esp_marker));
124 return len + sizeof (ikev2_non_esp_marker);
127 static ikev2_sa_transform_t *
128 ikev2_find_transform_data (ikev2_sa_transform_t * t)
130 ikev2_main_t *km = &ikev2_main;
131 ikev2_sa_transform_t *td;
133 vec_foreach (td, km->supported_transforms)
135 if (td->type != t->type)
138 if (td->transform_id != t->transform_id)
141 if (td->type == IKEV2_TRANSFORM_TYPE_ENCR)
143 if (vec_len (t->attrs) != 4 || t->attrs[0] != 0x80
144 || t->attrs[1] != 14)
147 if (((t->attrs[2] << 8 | t->attrs[3]) / 8) != td->key_len)
155 static ikev2_sa_proposal_t *
156 ikev2_select_proposal (ikev2_sa_proposal_t * proposals,
157 ikev2_protocol_id_t prot_id)
159 ikev2_sa_proposal_t *rv = 0;
160 ikev2_sa_proposal_t *proposal;
161 ikev2_sa_transform_t *transform, *new_t;
162 u8 mandatory_bitmap, optional_bitmap;
164 if (prot_id == IKEV2_PROTOCOL_IKE)
166 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
167 (1 << IKEV2_TRANSFORM_TYPE_PRF) | (1 << IKEV2_TRANSFORM_TYPE_DH);
168 optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_INTEG);
170 else if (prot_id == IKEV2_PROTOCOL_ESP)
172 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_ENCR) |
173 (1 << IKEV2_TRANSFORM_TYPE_ESN);
174 optional_bitmap = mandatory_bitmap |
175 (1 << IKEV2_TRANSFORM_TYPE_INTEG) | (1 << IKEV2_TRANSFORM_TYPE_DH);
177 else if (prot_id == IKEV2_PROTOCOL_AH)
179 mandatory_bitmap = (1 << IKEV2_TRANSFORM_TYPE_INTEG) |
180 (1 << IKEV2_TRANSFORM_TYPE_ESN);
181 optional_bitmap = mandatory_bitmap | (1 << IKEV2_TRANSFORM_TYPE_DH);
186 vec_add2 (rv, proposal, 1);
188 vec_foreach (proposal, proposals)
191 if (proposal->protocol_id != prot_id)
194 vec_foreach (transform, proposal->transforms)
196 if ((1 << transform->type) & bitmap)
199 if (ikev2_find_transform_data (transform))
201 bitmap |= 1 << transform->type;
202 vec_add2 (rv->transforms, new_t, 1);
203 clib_memcpy_fast (new_t, transform, sizeof (*new_t));
204 new_t->attrs = vec_dup (transform->attrs);
208 if ((bitmap & mandatory_bitmap) == mandatory_bitmap &&
209 (bitmap & ~optional_bitmap) == 0)
211 rv->proposal_num = proposal->proposal_num;
212 rv->protocol_id = proposal->protocol_id;
213 RAND_bytes ((u8 *) & rv->spi, sizeof (rv->spi));
214 if (rv->protocol_id != IKEV2_PROTOCOL_IKE)
215 rv->spi &= 0xffffffff;
220 vec_free (rv->transforms);
229 ikev2_sa_transform_t *
230 ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p,
231 ikev2_transform_type_t type)
233 ikev2_sa_transform_t *t;
238 vec_foreach (t, p->transforms)
241 return ikev2_find_transform_data (t);
247 ikev2_sa_get_child (ikev2_sa_t * sa, u32 spi, ikev2_protocol_id_t prot_id,
251 vec_foreach (c, sa->childs)
253 ikev2_sa_proposal_t *proposal =
254 by_initiator ? &c->i_proposals[0] : &c->r_proposals[0];
255 if (proposal && proposal->spi == spi && proposal->protocol_id == prot_id)
263 ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v)
265 ikev2_sa_proposal_t *p;
266 ikev2_sa_transform_t *t;
273 vec_foreach (t, p->transforms)
277 vec_free (p->transforms);
283 ikev2_sa_free_child_sa (ikev2_child_sa_t * c)
285 ikev2_sa_free_proposal_vector (&c->r_proposals);
286 ikev2_sa_free_proposal_vector (&c->i_proposals);
296 ikev2_sa_free_all_child_sa (ikev2_child_sa_t ** childs)
299 vec_foreach (c, *childs) ikev2_sa_free_child_sa (c);
305 ikev2_sa_del_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * child)
307 ikev2_sa_free_child_sa (child);
308 vec_del1 (sa->childs, child - sa->childs);
312 ikev2_sa_free_all_vec (ikev2_sa_t * sa)
314 vec_free (sa->i_nonce);
315 vec_free (sa->r_nonce);
317 vec_free (sa->dh_shared_key);
318 vec_free (sa->dh_private_key);
319 vec_free (sa->i_dh_data);
320 vec_free (sa->r_dh_data);
322 ikev2_sa_free_proposal_vector (&sa->r_proposals);
323 ikev2_sa_free_proposal_vector (&sa->i_proposals);
326 vec_free (sa->sk_ai);
327 vec_free (sa->sk_ar);
328 vec_free (sa->sk_ei);
329 vec_free (sa->sk_er);
330 vec_free (sa->sk_pi);
331 vec_free (sa->sk_pr);
333 vec_free (sa->i_id.data);
334 vec_free (sa->r_id.data);
336 vec_free (sa->i_auth.data);
338 EVP_PKEY_free (sa->i_auth.key);
339 vec_free (sa->r_auth.data);
341 EVP_PKEY_free (sa->r_auth.key);
345 vec_free (sa->rekey);
347 vec_free (sa->last_sa_init_req_packet_data);
348 vec_free (sa->last_sa_init_res_packet_data);
350 vec_free (sa->last_res_packet_data);
352 ikev2_sa_free_all_child_sa (&sa->childs);
356 ikev2_delete_sa (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa)
360 ikev2_sa_free_all_vec (sa);
362 p = hash_get (ptd->sa_by_rspi, sa->rspi);
365 hash_unset (ptd->sa_by_rspi, sa->rspi);
366 pool_put (ptd->sas, sa);
370 static ikev2_generate_sa_error_t
371 ikev2_generate_sa_init_data (ikev2_sa_t * sa)
373 ikev2_sa_transform_t *t = 0, *t2;
374 ikev2_main_t *km = &ikev2_main;
376 if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
377 return IKEV2_GENERATE_SA_INIT_ERR_NO_DH;
379 /* check if received DH group is on our list of supported groups */
380 vec_foreach (t2, km->supported_transforms)
382 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
391 sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
392 return IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH;
395 if (sa->is_initiator)
398 RAND_bytes ((u8 *) & sa->ispi, 8);
401 sa->i_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
402 RAND_bytes ((u8 *) sa->i_nonce, IKEV2_NONCE_SIZE);
407 RAND_bytes ((u8 *) & sa->rspi, 8);
410 sa->r_nonce = vec_new (u8, vec_len (sa->i_nonce));
411 RAND_bytes ((u8 *) sa->r_nonce, vec_len (sa->i_nonce));
414 /* generate dh keys */
415 ikev2_generate_dh (sa, t);
417 return IKEV2_GENERATE_SA_INIT_OK;
421 ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
423 ikev2_sa_transform_t *t = 0, *t2;
424 ikev2_main_t *km = &ikev2_main;
426 /*move some data to the new SA */
427 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
428 sa->i_nonce = _(sai->i_nonce);
429 sa->i_dh_data = _(sai->i_dh_data);
430 sa->dh_private_key = _(sai->dh_private_key);
431 ip_address_copy (&sa->iaddr, &sai->iaddr);
432 ip_address_copy (&sa->raddr, &sai->raddr);
433 sa->is_initiator = sai->is_initiator;
434 sa->i_id.type = sai->i_id.type;
435 sa->r_id.type = sai->r_id.type;
436 sa->profile_index = sai->profile_index;
437 sa->tun_itf = sai->tun_itf;
438 sa->is_tun_itf_set = sai->is_tun_itf_set;
439 if (sai->natt_state == IKEV2_NATT_DISABLED)
440 sa->natt_state = IKEV2_NATT_DISABLED;
441 sa->i_id.data = _(sai->i_id.data);
442 sa->r_id.data = _(sai->r_id.data);
443 sa->i_auth.method = sai->i_auth.method;
444 sa->i_auth.hex = sai->i_auth.hex;
445 sa->i_auth.data = _(sai->i_auth.data);
446 sa->i_auth.key = _(sai->i_auth.key);
447 sa->last_sa_init_req_packet_data = _(sai->last_sa_init_req_packet_data);
448 sa->last_init_msg_id = sai->last_init_msg_id;
449 sa->childs = _(sai->childs);
450 sa->udp_encap = sai->udp_encap;
451 sa->ipsec_over_udp_port = sai->ipsec_over_udp_port;
452 sa->dst_port = sai->dst_port;
453 sa->sw_if_index = sai->sw_if_index;
457 if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
462 /* check if received DH group is on our list of supported groups */
463 vec_foreach (t2, km->supported_transforms)
465 if (t2->type == IKEV2_TRANSFORM_TYPE_DH && sa->dh_group == t2->dh_type)
474 sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
479 /* generate dh keys */
480 ikev2_complete_dh (sa, t);
485 ikev2_calc_keys_internal (ikev2_sa_t *sa, u8 *skeyseed)
488 /* calculate SKEYSEED = prf(Ni | Nr, g^ir) */
490 u16 integ_key_len = 0, salt_len = 0;
491 ikev2_sa_transform_t *tr_encr, *tr_prf, *tr_integ;
493 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
495 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
497 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
500 integ_key_len = tr_integ->key_len;
502 salt_len = sizeof (u32);
504 vec_append (s, sa->i_nonce);
505 vec_append (s, sa->r_nonce);
507 /* Calculate S = Ni | Nr | SPIi | SPIr */
509 vec_add2 (s, tmp, 2 * sizeof (*spi));
511 spi[0] = clib_host_to_net_u64 (sa->ispi);
512 spi[1] = clib_host_to_net_u64 (sa->rspi);
514 /* calculate PRFplus */
516 int len = tr_prf->key_trunc + /* SK_d */
517 integ_key_len * 2 + /* SK_ai, SK_ar */
518 tr_encr->key_len * 2 + /* SK_ei, SK_er */
519 tr_prf->key_len * 2 + /* SK_pi, SK_pr */
522 keymat = ikev2_calc_prfplus (tr_prf, skeyseed, s, len);
528 sa->sk_d = vec_new (u8, tr_prf->key_trunc);
529 clib_memcpy_fast (sa->sk_d, keymat + pos, tr_prf->key_trunc);
530 pos += tr_prf->key_trunc;
535 sa->sk_ai = vec_new (u8, integ_key_len);
536 clib_memcpy_fast (sa->sk_ai, keymat + pos, integ_key_len);
537 pos += integ_key_len;
540 sa->sk_ar = vec_new (u8, integ_key_len);
541 clib_memcpy_fast (sa->sk_ar, keymat + pos, integ_key_len);
542 pos += integ_key_len;
546 sa->sk_ei = vec_new (u8, tr_encr->key_len + salt_len);
547 clib_memcpy_fast (sa->sk_ei, keymat + pos, tr_encr->key_len + salt_len);
548 pos += tr_encr->key_len + salt_len;
551 sa->sk_er = vec_new (u8, tr_encr->key_len + salt_len);
552 clib_memcpy_fast (sa->sk_er, keymat + pos, tr_encr->key_len + salt_len);
553 pos += tr_encr->key_len + salt_len;
556 sa->sk_pi = vec_new (u8, tr_prf->key_len);
557 clib_memcpy_fast (sa->sk_pi, keymat + pos, tr_prf->key_len);
558 pos += tr_prf->key_len;
561 sa->sk_pr = vec_new (u8, tr_prf->key_len);
562 clib_memcpy_fast (sa->sk_pr, keymat + pos, tr_prf->key_len);
563 pos += tr_prf->key_len;
566 sa->keys_generated = 1;
570 ikev2_calc_keys_rekey (ikev2_sa_t *sa_new, ikev2_sa_t *sa_old)
572 u8 *s = 0, *skeyseed = 0;
573 ikev2_sa_transform_t *tr_prf =
574 ikev2_sa_get_td_for_type (sa_old->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
576 vec_append (s, sa_new->dh_shared_key);
577 vec_append (s, sa_new->i_nonce);
578 vec_append (s, sa_new->r_nonce);
579 skeyseed = ikev2_calc_prf (tr_prf, sa_old->sk_d, s);
581 ikev2_calc_keys_internal (sa_new, skeyseed);
588 ikev2_calc_keys (ikev2_sa_t *sa)
590 u8 *s = 0, *skeyseed = 0;
591 ikev2_sa_transform_t *tr_prf =
592 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
594 vec_append (s, sa->i_nonce);
595 vec_append (s, sa->r_nonce);
596 skeyseed = ikev2_calc_prf (tr_prf, s, sa->dh_shared_key);
598 ikev2_calc_keys_internal (sa, skeyseed);
605 ikev2_calc_child_keys (ikev2_sa_t *sa, ikev2_child_sa_t *child, u8 kex)
608 u16 integ_key_len = 0;
611 ikev2_sa_transform_t *tr_prf, *ctr_encr, *ctr_integ;
613 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
615 ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
617 ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
620 integ_key_len = ctr_integ->key_len;
622 salt_len = sizeof (u32);
625 vec_append (s, sa->dh_shared_key);
626 vec_append (s, sa->i_nonce);
627 vec_append (s, sa->r_nonce);
628 /* calculate PRFplus */
630 int len = ctr_encr->key_len * 2 + integ_key_len * 2 + salt_len * 2;
632 keymat = ikev2_calc_prfplus (tr_prf, sa->sk_d, s, len);
637 child->sk_ei = vec_new (u8, ctr_encr->key_len);
638 clib_memcpy_fast (child->sk_ei, keymat + pos, ctr_encr->key_len);
639 pos += ctr_encr->key_len;
644 child->sk_ai = vec_new (u8, ctr_integ->key_len);
645 clib_memcpy_fast (child->sk_ai, keymat + pos, ctr_integ->key_len);
646 pos += ctr_integ->key_len;
650 clib_memcpy (&child->salt_ei, keymat + pos, salt_len);
655 child->sk_er = vec_new (u8, ctr_encr->key_len);
656 clib_memcpy_fast (child->sk_er, keymat + pos, ctr_encr->key_len);
657 pos += ctr_encr->key_len;
662 child->sk_ar = vec_new (u8, integ_key_len);
663 clib_memcpy_fast (child->sk_ar, keymat + pos, integ_key_len);
664 pos += integ_key_len;
668 clib_memcpy (&child->salt_er, keymat + pos, salt_len);
678 ikev2_compute_nat_sha1 (u64 ispi, u64 rspi, ip_address_t *ia, u16 port)
680 const u32 max_buf_size =
681 sizeof (ispi) + sizeof (rspi) + sizeof (ip6_address_t) + sizeof (u16);
682 u8 buf[max_buf_size];
683 u8 *res = vec_new (u8, 20);
685 clib_memcpy_fast (&buf[0], &ispi, sizeof (ispi));
686 clib_memcpy_fast (&buf[8], &rspi, sizeof (rspi));
687 clib_memcpy_fast (&buf[8 + 8], ip_addr_bytes (ia), ip_address_size (ia));
688 clib_memcpy_fast (&buf[8 + 8 + ip_address_size (ia)], &port, sizeof (port));
689 SHA1 (buf, 2 * sizeof (ispi) + sizeof (port) + ip_address_size (ia), res);
694 ikev2_parse_ke_payload (const void *p, u32 rlen, ikev2_sa_t * sa,
697 const ike_ke_payload_header_t *ke = p;
698 u16 plen = clib_net_to_host_u16 (ke->length);
699 ASSERT (plen >= sizeof (*ke) && plen <= rlen);
700 if (sizeof (*ke) > rlen)
702 ikev2_elog_error ("KE: packet too small");
706 sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
707 vec_reset_length (ke_data[0]);
708 vec_add (ke_data[0], ke->payload, plen - sizeof (*ke));
713 ikev2_parse_nonce_payload (const void *p, u32 rlen, const u8 **nonce)
715 const ike_payload_header_t *ikep = p;
716 u16 plen = clib_net_to_host_u16 (ikep->length);
717 ASSERT (plen >= sizeof (*ikep) && plen <= rlen);
718 int len = plen - sizeof (*ikep);
719 ASSERT (len >= 16 && len <= 256);
720 if (PREDICT_FALSE (len < 16 || len > 256))
722 ikev2_elog_error ("NONCE: bad size");
725 *nonce = ikep->payload;
730 ikev2_check_payload_length (const ike_payload_header_t * ikep, int rlen,
733 if (sizeof (*ikep) > rlen)
735 ikev2_elog_error ("payload: packet too small");
738 *plen = clib_net_to_host_u16 (ikep->length);
739 if (*plen < sizeof (*ikep) || *plen > rlen)
741 ikev2_elog_error ("payload: bad size");
748 ikev2_process_sa_init_req (vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike,
749 udp_header_t *udp, u32 len, u32 sw_if_index)
752 u8 payload = ike->nextpayload;
753 ike_payload_header_t *ikep;
756 ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT request received "
757 "from ", clib_net_to_host_u64 (ike->ispi),
758 clib_net_to_host_u64 (ike->rspi),
759 ip_addr_v4 (&sa->iaddr).as_u32,
760 ip_addr_version (&sa->iaddr) == AF_IP4);
762 sa->ispi = clib_net_to_host_u64 (ike->ispi);
763 sa->sw_if_index = sw_if_index;
765 /* store whole IKE payload - needed for PSK auth */
766 vec_reset_length (sa->last_sa_init_req_packet_data);
767 vec_add (sa->last_sa_init_req_packet_data, ike, len);
769 if (len < sizeof (*ike))
771 ikev2_elog_error ("IKE_INIT request too small");
775 len -= sizeof (*ike);
776 while (p < len && payload != IKEV2_PAYLOAD_NONE)
778 ikep = (ike_payload_header_t *) & ike->payload[p];
779 int current_length = len - p;
780 if (!ikev2_check_payload_length (ikep, current_length, &plen))
783 if (payload == IKEV2_PAYLOAD_SA)
785 ikev2_sa_free_proposal_vector (&sa->i_proposals);
786 sa->i_proposals = ikev2_parse_sa_payload (ikep, current_length);
788 else if (payload == IKEV2_PAYLOAD_KE)
790 if (!ikev2_parse_ke_payload (ikep, current_length, sa,
794 else if (payload == IKEV2_PAYLOAD_NONCE)
798 vec_reset_length (sa->i_nonce);
799 if ((nonce_len = ikev2_parse_nonce_payload (ikep, current_length,
802 vec_add (sa->i_nonce, nonce, nonce_len);
804 else if (payload == IKEV2_PAYLOAD_NOTIFY)
807 ikev2_parse_notify_payload (ikep, current_length);
808 if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
810 u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, 0, &sa->iaddr,
812 if (clib_memcmp (src_sha, n->data, vec_len (src_sha)))
814 if (sa->natt_state == IKEV2_NATT_ENABLED)
815 sa->natt_state = IKEV2_NATT_ACTIVE;
816 ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
817 " behind NAT", sa->ispi);
821 else if (n->msg_type ==
822 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
824 u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi, 0, &sa->raddr,
826 if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
828 if (sa->natt_state == IKEV2_NATT_ENABLED)
829 sa->natt_state = IKEV2_NATT_ACTIVE;
830 ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx responder"
831 " (self) behind NAT", sa->ispi);
837 else if (payload == IKEV2_PAYLOAD_VENDOR)
839 ikev2_parse_vendor_payload (ikep);
843 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
845 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
847 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
848 sa->unsupported_cp = payload;
853 payload = ikep->nextpayload;
857 ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
862 ikev2_process_sa_init_resp (vlib_main_t * vm,
863 ikev2_sa_t * sa, ike_header_t * ike,
864 udp_header_t * udp, u32 len)
867 u8 payload = ike->nextpayload;
868 ike_payload_header_t *ikep;
871 sa->ispi = clib_net_to_host_u64 (ike->ispi);
872 sa->rspi = clib_net_to_host_u64 (ike->rspi);
874 ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT response received "
875 "from ", sa->ispi, sa->rspi,
876 ip_addr_v4 (&sa->raddr).as_u32,
877 ip_addr_version (&sa->raddr) == AF_IP4);
879 /* store whole IKE payload - needed for PSK auth */
880 vec_reset_length (sa->last_sa_init_res_packet_data);
881 vec_add (sa->last_sa_init_res_packet_data, ike, len);
883 if (sizeof (*ike) > len)
885 ikev2_elog_error ("IKE_INIT response too small");
889 len -= sizeof (*ike);
890 while (p < len && payload != IKEV2_PAYLOAD_NONE)
892 int current_length = len - p;
893 ikep = (ike_payload_header_t *) & ike->payload[p];
894 if (!ikev2_check_payload_length (ikep, current_length, &plen))
897 if (payload == IKEV2_PAYLOAD_SA)
899 ikev2_sa_free_proposal_vector (&sa->r_proposals);
900 sa->r_proposals = ikev2_parse_sa_payload (ikep, current_length);
903 ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
905 clib_host_to_net_u32 (clib_net_to_host_u32 (ike->msgid) + 1);
908 else if (payload == IKEV2_PAYLOAD_KE)
910 if (!ikev2_parse_ke_payload (ikep, current_length, sa,
914 else if (payload == IKEV2_PAYLOAD_NONCE)
918 vec_reset_length (sa->r_nonce);
919 if ((nonce_len = ikev2_parse_nonce_payload (ikep, current_length,
922 vec_add (sa->r_nonce, nonce, nonce_len);
924 else if (payload == IKEV2_PAYLOAD_NOTIFY)
927 ikev2_parse_notify_payload (ikep, current_length);
928 if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
930 u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, ike->rspi,
933 if (clib_memcmp (src_sha, n->data, vec_len (src_sha)))
935 ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx responder"
936 " behind NAT, unsupported", sa->ispi);
940 else if (n->msg_type ==
941 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
943 u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi, ike->rspi,
946 if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
948 if (sa->natt_state == IKEV2_NATT_ENABLED)
949 sa->natt_state = IKEV2_NATT_ACTIVE;
950 ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
951 " (self) behind NAT", sa->ispi);
957 else if (payload == IKEV2_PAYLOAD_VENDOR)
959 ikev2_parse_vendor_payload (ikep);
963 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
965 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
967 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
968 sa->unsupported_cp = payload;
973 payload = ikep->nextpayload;
979 ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike,
980 u8 * payload, u32 rlen, u32 * out_len)
982 ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
984 u8 last_payload = 0, *hmac = 0, *plaintext = 0;
985 ike_payload_header_t *ikep = 0;
988 ikev2_sa_transform_t *tr_integ;
989 ikev2_sa_transform_t *tr_encr;
991 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
993 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
994 int is_aead = tr_encr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
996 if (((!sa->sk_ar || !sa->sk_ai) && !is_aead) || (!sa->sk_ei || !sa->sk_er))
999 if (rlen <= sizeof (*ike))
1002 int len = rlen - sizeof (*ike);
1004 *payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK)
1006 ikep = (ike_payload_header_t *) & ike->payload[p];
1007 int current_length = len - p;
1008 if (!ikev2_check_payload_length (ikep, current_length, &plen))
1011 if (*payload == IKEV2_PAYLOAD_SK)
1013 last_payload = *payload;
1017 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
1019 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1021 sa->unsupported_cp = *payload;
1026 *payload = ikep->nextpayload;
1030 if (last_payload != IKEV2_PAYLOAD_SK)
1032 ikev2_elog_error ("Last payload must be SK");
1038 if (plen < sizeof (*ikep) + IKEV2_GCM_ICV_SIZE)
1041 plen -= sizeof (*ikep) + IKEV2_GCM_ICV_SIZE;
1042 u8 *aad = (u8 *) ike;
1043 u32 aad_len = ikep->payload - aad;
1044 u8 *tag = ikep->payload + plen;
1046 int rc = ikev2_decrypt_aead_data (ptd, sa, tr_encr, ikep->payload,
1047 plen, aad, aad_len, tag, &dlen);
1051 plaintext = ikep->payload + IKEV2_GCM_IV_SIZE;
1056 if (rlen < tr_integ->key_trunc)
1060 ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai,
1061 (u8 *) ike, rlen - tr_integ->key_trunc);
1063 if (plen < sizeof (*ikep) + tr_integ->key_trunc)
1066 plen = plen - sizeof (*ikep) - tr_integ->key_trunc;
1068 if (clib_memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
1070 ikev2_elog_error ("message integrity check failed");
1076 int rc = ikev2_decrypt_data (ptd, sa, tr_encr, ikep->payload, plen,
1081 plaintext = ikep->payload + tr_encr->block_size;
1089 ikev2_is_id_equal (const ikev2_id_t *i1, const ikev2_id_t *i2)
1091 if (i1->type != i2->type)
1094 if (vec_len (i1->data) != vec_len (i2->data))
1097 if (clib_memcmp (i1->data, i2->data, vec_len (i1->data)))
1104 ikev2_initial_contact_cleanup_internal (ikev2_main_per_thread_data_t * ptd,
1107 ikev2_main_t *km = &ikev2_main;
1110 ikev2_child_sa_t *c;
1112 /* find old IKE SAs with the same authenticated identity */
1114 pool_foreach (tmp, ptd->sas) {
1115 if (!ikev2_is_id_equal (&tmp->i_id, &sa->i_id)
1116 || !ikev2_is_id_equal(&tmp->r_id, &sa->r_id))
1119 if (sa->rspi != tmp->rspi)
1120 vec_add1(delete, tmp - ptd->sas);
1124 for (i = 0; i < vec_len (delete); i++)
1126 tmp = pool_elt_at_index (ptd->sas, delete[i]);
1127 vec_foreach (c, tmp->childs)
1129 ikev2_delete_tunnel_interface (km->vnet_main, tmp, c);
1131 ikev2_delete_sa (ptd, tmp);
1135 sa->initial_contact = 0;
1139 ikev2_initial_contact_cleanup (ikev2_main_per_thread_data_t * ptd,
1142 ikev2_main_t *km = &ikev2_main;
1144 if (!sa->initial_contact)
1149 ikev2_initial_contact_cleanup_internal (ptd, sa);
1153 vec_foreach (ptd, km->per_thread_data)
1154 ikev2_initial_contact_cleanup_internal (ptd, sa);
1156 sa->initial_contact = 0;
1160 ikev2_parse_id_payload (const void *p, u16 rlen, ikev2_id_t * sa_id)
1162 const ike_id_payload_header_t *id = p;
1163 u16 plen = clib_net_to_host_u16 (id->length);
1164 if (plen < sizeof (*id) || plen > rlen)
1167 sa_id->type = id->id_type;
1168 vec_reset_length (sa_id->data);
1169 vec_add (sa_id->data, id->payload, plen - sizeof (*id));
1175 ikev2_parse_auth_payload (const void *p, u32 rlen, ikev2_auth_t * a)
1177 const ike_auth_payload_header_t *ah = p;
1178 u16 plen = clib_net_to_host_u16 (ah->length);
1180 a->method = ah->auth_method;
1181 vec_reset_length (a->data);
1182 vec_add (a->data, ah->payload, plen - sizeof (*ah));
1187 ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa,
1188 ike_header_t * ike, u32 len)
1191 ikev2_child_sa_t *first_child_sa;
1192 u8 payload = ike->nextpayload;
1194 ike_payload_header_t *ikep;
1198 ikev2_elog_exchange ("ispi %lx rspi %lx EXCHANGE_IKE_AUTH received "
1199 "from ", clib_host_to_net_u64 (ike->ispi),
1200 clib_host_to_net_u64 (ike->rspi),
1202 ip_addr_v4 (&sa->raddr).as_u32 :
1203 ip_addr_v4 (&sa->iaddr).as_u32,
1204 ip_addr_version (&sa->raddr) == AF_IP4);
1206 ikev2_calc_keys (sa);
1208 plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
1212 if (sa->unsupported_cp)
1214 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1220 /* select or create 1st child SA */
1221 if (sa->is_initiator)
1223 first_child_sa = &sa->childs[0];
1227 ikev2_sa_free_all_child_sa (&sa->childs);
1228 vec_add2 (sa->childs, first_child_sa, 1);
1232 /* process encrypted payload */
1233 while (p < dlen && payload != IKEV2_PAYLOAD_NONE)
1235 ikep = (ike_payload_header_t *) & plaintext[p];
1236 int current_length = dlen - p;
1237 if (!ikev2_check_payload_length (ikep, current_length, &plen))
1240 if (payload == IKEV2_PAYLOAD_SA) /* 33 */
1242 if (sa->is_initiator)
1244 ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
1245 first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep,
1250 ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals);
1251 first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep,
1255 else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
1257 if (!ikev2_parse_id_payload (ikep, current_length, &sa->i_id))
1260 else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
1262 if (!ikev2_parse_id_payload (ikep, current_length, &sa->r_id))
1265 else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
1267 if (sa->is_initiator)
1269 if (!ikev2_parse_auth_payload (ikep, current_length,
1275 if (!ikev2_parse_auth_payload (ikep, current_length,
1280 else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
1283 ikev2_parse_notify_payload (ikep, current_length);
1284 if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
1286 sa->initial_contact = 1;
1290 else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
1292 ikev2_parse_vendor_payload (ikep);
1294 else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
1296 vec_free (first_child_sa->tsi);
1297 first_child_sa->tsi = ikev2_parse_ts_payload (ikep, current_length);
1299 else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
1301 vec_free (first_child_sa->tsr);
1302 first_child_sa->tsr = ikev2_parse_ts_payload (ikep, current_length);
1306 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
1309 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1311 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
1312 sa->unsupported_cp = payload;
1317 payload = ikep->nextpayload;
1324 ikev2_set_state (sa, IKEV2_STATE_DELETED, ": malformed IKE_AUTH");
1329 ikev2_process_informational_req (vlib_main_t * vm,
1330 ikev2_sa_t * sa, ike_header_t * ike, u32 len)
1333 u8 payload = ike->nextpayload;
1335 ike_payload_header_t *ikep;
1337 ikev2_notify_t *n = 0;
1339 sa->liveness_retries = 0;
1340 ikev2_elog_exchange ("ispi %lx rspi %lx INFORMATIONAL received "
1341 "from ", clib_host_to_net_u64 (ike->ispi),
1342 clib_host_to_net_u64 (ike->rspi),
1343 ip_addr_v4 (&sa->iaddr).as_u32,
1344 ip_addr_version (&sa->iaddr) == AF_IP4);
1346 plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
1351 /* process encrypted payload */
1353 while (p < dlen && payload != IKEV2_PAYLOAD_NONE)
1355 u32 current_length = dlen - p;
1356 if (p + sizeof (*ikep) > dlen)
1359 ikep = (ike_payload_header_t *) & plaintext[p];
1360 u16 plen = clib_net_to_host_u16 (ikep->length);
1362 if (plen < sizeof (*ikep) || plen > current_length)
1365 if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
1367 n = ikev2_parse_notify_payload (ikep, current_length);
1370 if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
1371 ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1374 else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */
1376 sa->del = ikev2_parse_delete_payload (ikep, current_length);
1378 else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
1380 ikev2_parse_vendor_payload (ikep);
1384 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
1386 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1388 sa->unsupported_cp = payload;
1392 payload = ikep->nextpayload;
1399 ikev2_process_create_child_sa_rekey (ikev2_sa_t *sa, ikev2_sa_t *sar,
1400 ikev2_rekey_t *rekey,
1401 ikev2_sa_proposal_t *proposal,
1402 ikev2_ts_t *tsi, ikev2_ts_t *tsr,
1403 const u8 *nonce, int nonce_len)
1405 ikev2_sa_transform_t *tr;
1407 rekey->i_proposal = proposal;
1408 rekey->r_proposal = ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
1413 ikev2_sa_get_td_for_type (rekey->r_proposal, IKEV2_TRANSFORM_TYPE_DH);
1415 if (!tr || tr->dh_type != sar->dh_group)
1417 rekey->notify_type = IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD;
1418 ikev2_sa_free_proposal_vector (&rekey->r_proposal);
1422 vec_free (sa->dh_shared_key);
1423 vec_free (sa->dh_private_key);
1424 vec_free (sa->i_dh_data);
1425 vec_free (sa->r_dh_data);
1427 sa->dh_group = sar->dh_group;
1428 sa->i_dh_data = sar->i_dh_data;
1431 ikev2_generate_dh (sa, tr);
1435 vec_reset_length (sa->i_nonce);
1436 vec_add (sa->i_nonce, nonce, nonce_len);
1438 vec_validate (sa->r_nonce, nonce_len - 1);
1439 RAND_bytes ((u8 *) sa->r_nonce, nonce_len);
1448 ikev2_complete_sa_rekey (ikev2_sa_t *sa_new, ikev2_sa_t *sa_old,
1449 ikev2_sa_rekey_t *sa_rekey)
1453 sa_new->new_child = 0;
1454 sa_new->sa_rekey = 0;
1455 sa_new->last_sa_init_req_packet_data = 0;
1456 sa_new->last_sa_init_res_packet_data = 0;
1457 sa_new->last_msg_id = ~0;
1458 sa_new->last_res_packet_data = 0;
1459 sa_new->last_init_msg_id = 0;
1460 clib_memset (&sa_new->stats, 0, sizeof (sa_new->stats));
1462 sa_new->ispi = sa_rekey->ispi;
1463 sa_new->rspi = sa_rekey->rspi;
1464 sa_new->i_nonce = sa_rekey->i_nonce;
1465 sa_new->r_nonce = sa_rekey->r_nonce;
1466 sa_new->dh_group = sa_rekey->dh_group;
1467 sa_new->dh_shared_key = sa_rekey->dh_shared_key;
1468 sa_new->dh_private_key = sa_rekey->dh_private_key;
1469 sa_new->i_dh_data = sa_rekey->i_dh_data;
1470 sa_new->r_dh_data = sa_rekey->r_dh_data;
1471 sa_new->i_proposals = sa_rekey->i_proposals;
1472 sa_new->r_proposals = sa_rekey->r_proposals;
1481 ikev2_calc_keys_rekey (sa_new, sa_old);
1483 sa_new->i_auth.data = vec_dup (sa_old->i_auth.data);
1484 sa_new->i_auth.key = sa_old->i_auth.key;
1485 if (sa_new->i_auth.key)
1486 EVP_PKEY_up_ref (sa_new->i_auth.key);
1488 sa_new->r_auth.data = vec_dup (sa_old->r_auth.data);
1489 sa_new->r_auth.key = sa_old->r_auth.key;
1490 if (sa_new->r_auth.key)
1491 EVP_PKEY_up_ref (sa_new->r_auth.key);
1493 sa_new->i_id.data = vec_dup (sa_old->i_id.data);
1494 sa_new->r_id.data = vec_dup (sa_old->r_id.data);
1496 sa_old->is_tun_itf_set = 0;
1497 sa_old->tun_itf = ~0;
1498 sa_old->old_id_expiration = 0;
1499 sa_old->current_remote_id_mask = 0;
1500 sa_old->old_remote_id = 0;
1501 sa_old->old_remote_id_present = 0;
1503 sa_old->sw_if_index = ~0;
1507 ikev2_process_sa_rekey (ikev2_sa_t *sa_new, ikev2_sa_t *sa_old,
1508 ikev2_sa_rekey_t *sa_rekey)
1510 ikev2_sa_transform_t *tr;
1512 if (ikev2_generate_sa_init_data (sa_new) != IKEV2_GENERATE_SA_INIT_OK)
1514 sa_rekey->notify_type = IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD;
1518 sa_new->r_proposals =
1519 ikev2_select_proposal (sa_new->i_proposals, IKEV2_PROTOCOL_IKE);
1521 tr = ikev2_sa_get_td_for_type (sa_new->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
1522 if (!tr || tr->dh_type != sa_new->dh_group)
1524 sa_rekey->notify_type = IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD;
1528 sa_rekey->notify_type = 0;
1529 sa_rekey->ispi = sa_new->i_proposals[0].spi;
1530 sa_rekey->rspi = sa_new->r_proposals[0].spi;
1531 sa_rekey->i_nonce = sa_new->i_nonce;
1532 sa_rekey->r_nonce = sa_new->r_nonce;
1533 sa_rekey->dh_group = sa_new->dh_group;
1534 sa_rekey->dh_shared_key = sa_new->dh_shared_key;
1535 sa_rekey->dh_private_key = sa_new->dh_private_key;
1536 sa_rekey->i_dh_data = sa_new->i_dh_data;
1537 sa_rekey->r_dh_data = sa_new->r_dh_data;
1538 sa_rekey->i_proposals = sa_new->i_proposals;
1539 sa_rekey->r_proposals = sa_new->r_proposals;
1541 sa_new->i_nonce = 0;
1542 sa_new->r_nonce = 0;
1543 sa_new->dh_shared_key = 0;
1544 sa_new->dh_private_key = 0;
1545 sa_new->i_dh_data = 0;
1546 sa_new->r_dh_data = 0;
1547 sa_new->i_proposals = 0;
1548 sa_new->r_proposals = 0;
1552 ikev2_process_create_child_sa_req (vlib_main_t * vm,
1553 ikev2_sa_t * sa, ike_header_t * ike,
1557 u8 payload = ike->nextpayload;
1559 ikev2_rekey_t *rekey;
1560 ike_payload_header_t *ikep;
1561 ikev2_notify_t *n = 0;
1562 ikev2_ts_t *tsi = 0;
1563 ikev2_ts_t *tsr = 0;
1564 ikev2_sa_proposal_t *proposal = 0;
1565 ikev2_child_sa_t *child_sa;
1568 const u8 *nonce = 0;
1572 clib_memset (&sar, 0, sizeof (sar));
1574 if (sa->is_initiator)
1575 src = ip_addr_v4 (&sa->raddr).as_u32;
1577 src = ip_addr_v4 (&sa->iaddr).as_u32;
1579 ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received from",
1580 clib_host_to_net_u64 (ike->ispi),
1581 clib_host_to_net_u64 (ike->rspi), src,
1582 ip_addr_version (&sa->raddr) == AF_IP4);
1584 plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
1587 goto cleanup_and_exit;
1589 /* process encrypted payload */
1591 while (payload != IKEV2_PAYLOAD_NONE)
1593 ikep = (ike_payload_header_t *) & plaintext[p];
1594 int current_length = dlen - p;
1595 if (!ikev2_check_payload_length (ikep, current_length, &plen))
1596 goto cleanup_and_exit;
1598 if (payload == IKEV2_PAYLOAD_SA)
1600 proposal = ikev2_parse_sa_payload (ikep, current_length);
1602 else if (payload == IKEV2_PAYLOAD_KE)
1604 if (!ikev2_parse_ke_payload (ikep, current_length, &sar,
1606 goto cleanup_and_exit;
1608 else if (payload == IKEV2_PAYLOAD_NOTIFY)
1611 n0 = ikev2_parse_notify_payload (ikep, current_length);
1612 if (n0->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
1620 else if (payload == IKEV2_PAYLOAD_DELETE)
1622 sa->del = ikev2_parse_delete_payload (ikep, current_length);
1624 else if (payload == IKEV2_PAYLOAD_VENDOR)
1626 ikev2_parse_vendor_payload (ikep);
1628 else if (payload == IKEV2_PAYLOAD_NONCE)
1630 nonce_len = ikev2_parse_nonce_payload (ikep, current_length, &nonce);
1632 goto cleanup_and_exit;
1634 else if (payload == IKEV2_PAYLOAD_TSI)
1636 tsi = ikev2_parse_ts_payload (ikep, current_length);
1638 else if (payload == IKEV2_PAYLOAD_TSR)
1640 tsr = ikev2_parse_ts_payload (ikep, current_length);
1644 ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d",
1646 if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
1648 sa->unsupported_cp = payload;
1649 goto cleanup_and_exit;
1652 payload = ikep->nextpayload;
1656 if (!proposal || !nonce ||
1657 (proposal->protocol_id != IKEV2_PROTOCOL_ESP &&
1658 proposal->protocol_id != IKEV2_PROTOCOL_IKE))
1659 goto cleanup_and_exit;
1661 if (sa->is_initiator)
1664 if (vec_len (rekey) == 0)
1665 goto cleanup_and_exit;
1666 rekey->notify_type = 0;
1667 rekey->protocol_id = proposal->protocol_id;
1669 ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
1670 rekey->i_proposal->spi = rekey->spi;
1671 rekey->r_proposal = proposal;
1675 vec_reset_length (sa->r_nonce);
1676 vec_add (sa->r_nonce, nonce, nonce_len);
1677 child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
1680 child_sa->rekey_retries = 0;
1687 child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
1690 ikev2_elog_uint (IKEV2_LOG_ERROR, "child SA spi %lx not found",
1692 goto cleanup_and_exit;
1694 vec_add2 (sa->rekey, rekey, 1);
1695 rekey->notify_type = 0;
1697 rekey->protocol_id = n->protocol_id;
1698 rekey->spi = n->spi;
1699 if (sa->old_remote_id_present)
1701 rekey->notify_type = IKEV2_NOTIFY_MSG_TEMPORARY_FAILURE;
1702 vec_free (proposal);
1706 else if (!ikev2_process_create_child_sa_rekey (
1707 sa, &sar, rekey, proposal, tsi, tsr, nonce, nonce_len))
1709 vec_free (proposal);
1714 else if (proposal[0].protocol_id == IKEV2_PROTOCOL_IKE)
1716 ikev2_sa_rekey_t *sa_rekey;
1718 goto cleanup_and_exit;
1719 sar.i_proposals = proposal;
1720 vec_add (sar.i_nonce, nonce, nonce_len);
1721 vec_add2 (sa->sa_rekey, sa_rekey, 1);
1722 ikev2_process_sa_rekey (&sar, sa, sa_rekey);
1726 /* create new child SA */
1727 vec_add2 (sa->new_child, rekey, 1);
1728 rekey->notify_type = 0;
1730 if (!ikev2_process_create_child_sa_rekey (
1731 sa, &sar, rekey, proposal, tsi, tsr, nonce, nonce_len))
1733 vec_free (proposal);
1740 ikev2_sa_free_all_vec (&sar);
1745 vec_free (proposal);
1748 ikev2_sa_free_all_vec (&sar);
1753 ikev2_sa_generate_authmsg (ikev2_sa_t * sa, int is_responder)
1761 ikev2_sa_transform_t *tr_prf;
1764 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1770 nonce = sa->i_nonce;
1771 packet_data = sa->last_sa_init_res_packet_data;
1777 nonce = sa->r_nonce;
1778 packet_data = sa->last_sa_init_req_packet_data;
1781 data = vec_new (u8, 4);
1783 vec_append (data, id->data);
1785 u8 *id_hash = ikev2_calc_prf (tr_prf, key, data);
1786 vec_append (authmsg, packet_data);
1787 vec_append (authmsg, nonce);
1788 vec_append (authmsg, id_hash);
1796 ikev2_match_profile (const ikev2_profile_t *p, const ikev2_id_t *id_loc,
1797 const ikev2_id_t *id_rem, int is_initiator)
1799 /* on the initiator, IDi is always present and must match
1800 * however on the responder, IDr (which is our local id) is optional */
1801 if ((is_initiator || id_loc->type != 0) &&
1802 !ikev2_is_id_equal (&p->loc_id, id_loc))
1805 /* on the initiator, we might not have configured a specific remote id
1806 * however on the responder, the remote id should always be configured */
1807 if ((!is_initiator || p->rem_id.type != 0) &&
1808 !ikev2_is_id_equal (&p->rem_id, id_rem))
1815 ikev2_ts_cmp (ikev2_ts_t * ts1, ikev2_ts_t * ts2)
1817 if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id &&
1818 ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port &&
1819 !ip_address_cmp (&ts1->start_addr, &ts2->start_addr) &&
1820 !ip_address_cmp (&ts1->end_addr, &ts2->end_addr))
1827 ikev2_sa_match_ts (ikev2_sa_t * sa)
1829 ikev2_main_t *km = &ikev2_main;
1831 ikev2_ts_t *ts, *p_tsi, *p_tsr, *tsi = 0, *tsr = 0;
1832 ikev2_id_t *id_rem, *id_loc;
1835 pool_foreach (p, km->profiles) {
1837 if (sa->is_initiator)
1852 if (!ikev2_match_profile (p, id_loc, id_rem, sa->is_initiator))
1855 sa->profile_index = p - km->profiles;
1857 vec_foreach(ts, sa->childs[0].tsi)
1859 if (ikev2_ts_cmp(p_tsi, ts))
1861 vec_add1 (tsi, ts[0]);
1866 vec_foreach(ts, sa->childs[0].tsr)
1868 if (ikev2_ts_cmp(p_tsr, ts))
1870 vec_add1 (tsr, ts[0]);
1881 vec_free (sa->childs[0].tsi);
1882 vec_free (sa->childs[0].tsr);
1883 sa->childs[0].tsi = tsi;
1884 sa->childs[0].tsr = tsr;
1890 ikev2_set_state (sa, IKEV2_STATE_TS_UNACCEPTABLE);
1894 static ikev2_profile_t *
1895 ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
1896 ikev2_sa_transform_t *tr_prf, u8 *key_pad)
1898 ikev2_profile_t *ret = 0, *p;
1899 ikev2_id_t *id_rem, *id_loc;
1900 ikev2_auth_t *sa_auth;
1901 u8 *authmsg, *psk = 0, *auth = 0;
1903 authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
1905 if (sa->is_initiator)
1909 sa_auth = &sa->r_auth;
1915 sa_auth = &sa->i_auth;
1918 pool_foreach (p, km->profiles)
1920 if (!ikev2_match_profile (p, id_loc, id_rem, sa->is_initiator))
1923 if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1925 if (!p->auth.data ||
1926 p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
1929 psk = ikev2_calc_prf (tr_prf, p->auth.data, key_pad);
1930 auth = ikev2_calc_prf (tr_prf, psk, authmsg);
1932 if (!clib_memcmp (auth, sa_auth->data, vec_len (sa_auth->data)))
1934 ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
1941 ikev2_elog_uint (IKEV2_LOG_ERROR,
1942 "shared key mismatch! ispi %lx", sa->ispi);
1945 else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
1947 if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
1950 if (ikev2_verify_sign (p->auth.key, sa_auth->data, authmsg) == 1)
1952 ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
1958 ikev2_elog_uint (IKEV2_LOG_ERROR,
1959 "cert verification failed! ispi %lx", sa->ispi);
1968 ikev2_sa_auth (ikev2_sa_t *sa)
1970 ikev2_main_t *km = &ikev2_main;
1971 ikev2_profile_t *sel_p = 0;
1972 ikev2_sa_transform_t *tr_prf;
1973 u8 *psk, *authmsg, *key_pad;
1976 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
1978 /* only shared key and rsa signature */
1979 if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
1980 sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
1982 ikev2_elog_uint (IKEV2_LOG_ERROR, "unsupported authentication method %u",
1984 ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
1988 key_pad = format (0, "%s", IKEV2_KEY_PAD);
1989 sel_p = ikev2_select_profile (km, sa, tr_prf, key_pad);
1993 ASSERT (sa->state == IKEV2_STATE_AUTHENTICATED);
1994 sa->udp_encap = sel_p->udp_encap;
1995 sa->ipsec_over_udp_port = sel_p->ipsec_over_udp_port;
1997 if (!sa->is_initiator)
1999 vec_free (sa->r_id.data);
2000 sa->r_id.data = vec_dup (sel_p->loc_id.data);
2001 sa->r_id.type = sel_p->loc_id.type;
2002 sa->i_id.data = vec_dup (sel_p->rem_id.data);
2003 sa->i_id.type = sel_p->rem_id.type;
2005 /* generate our auth data */
2006 authmsg = ikev2_sa_generate_authmsg (sa, 1);
2007 if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
2009 vec_free (sa->r_auth.data);
2010 psk = ikev2_calc_prf (tr_prf, sel_p->auth.data, key_pad);
2011 sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
2012 sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
2015 else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
2017 vec_free (sa->r_auth.data);
2018 sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg);
2019 sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
2023 /* select transforms for 1st child sa */
2024 ikev2_sa_free_proposal_vector (&sa->childs[0].r_proposals);
2025 sa->childs[0].r_proposals =
2026 ikev2_select_proposal (sa->childs[0].i_proposals,
2027 IKEV2_PROTOCOL_ESP);
2029 if (~0 != sel_p->tun_itf)
2031 sa->is_tun_itf_set = 1;
2032 sa->tun_itf = sel_p->tun_itf;
2038 ikev2_elog_uint (IKEV2_LOG_ERROR, "authentication failed, no matching "
2039 "profile found! ispi %lx", sa->ispi);
2040 ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
2046 ikev2_sa_auth_init (ikev2_sa_t * sa)
2048 ikev2_main_t *km = &ikev2_main;
2049 u8 *authmsg, *key_pad, *psk = 0;
2050 ikev2_sa_transform_t *tr_prf;
2053 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
2055 /* only shared key and rsa signature */
2056 if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
2057 sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
2059 ikev2_elog_uint (IKEV2_LOG_ERROR,
2060 "unsupported authentication method %u",
2062 ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
2066 authmsg = ikev2_sa_generate_authmsg (sa, 0);
2068 if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
2070 key_pad = format (0, "%s", IKEV2_KEY_PAD);
2071 psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
2072 vec_free (sa->i_auth.data);
2073 sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
2074 sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
2078 else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
2080 vec_free (sa->i_auth.data);
2081 sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg);
2082 sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
2088 ikev2_mk_local_sa_id (u32 sai, u32 ci, u32 ti)
2090 return (0x80000000 | (ti << 24) | (sai << 12) | ci);
2094 ikev2_mk_remote_sa_id (u32 sai, u32 ci, u32 ti)
2096 return (0xc0000000 | (ti << 24) | (sai << 12) | ci);
2106 ipsec_sa_flags_t flags;
2109 ipsec_crypto_alg_t encr_type;
2110 ipsec_integ_alg_t integ_type;
2111 ip_address_t local_ip;
2112 ip_address_t remote_ip;
2113 ipsec_key_t loc_ckey, rem_ckey, loc_ikey, rem_ikey;
2115 u32 old_remote_sa_id;
2116 u16 ipsec_over_udp_port;
2119 } ikev2_add_ipsec_tunnel_args_t;
2122 ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
2124 ikev2_main_t *km = &ikev2_main;
2128 .t_flags = TUNNEL_FLAG_NONE,
2129 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
2131 .t_mode = TUNNEL_MODE_P2P,
2134 .t_src = a->remote_ip,
2135 .t_dst = a->local_ip,
2137 tunnel_t tun_out = {
2138 .t_flags = TUNNEL_FLAG_NONE,
2139 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
2141 .t_mode = TUNNEL_MODE_P2P,
2144 .t_src = a->local_ip,
2145 .t_dst = a->remote_ip,
2148 if (~0 == a->sw_if_index)
2150 /* no tunnel associated with the SA/profile - create a new one */
2151 rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0, &ip_addr_46 (&a->local_ip),
2152 &ip_addr_46 (&a->remote_ip), 0,
2153 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
2154 TUNNEL_MODE_P2P, &sw_if_index);
2156 if (rv == VNET_API_ERROR_IF_ALREADY_EXISTS)
2158 if (hash_get (km->sw_if_indices, sw_if_index))
2159 /* interface is managed by IKE; proceed with updating SAs */
2162 hash_set1 (km->sw_if_indices, sw_if_index);
2166 sw_if_index = a->sw_if_index;
2167 vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);
2172 ikev2_elog_uint (IKEV2_LOG_ERROR,
2173 "installing ipip tunnel failed! local spi: %x",
2179 vec_add1 (sas_in, a->remote_sa_id);
2182 ipsec_tun_protect_del (sw_if_index, NULL);
2184 /* replace local SA immediately */
2185 ipsec_sa_unlock_id (a->local_sa_id);
2187 /* keep the old sa */
2188 vec_add1 (sas_in, a->old_remote_sa_id);
2191 rv = ipsec_sa_add_and_lock (a->local_sa_id, a->local_spi, IPSEC_PROTOCOL_ESP,
2192 a->encr_type, &a->loc_ckey, a->integ_type,
2193 &a->loc_ikey, a->flags, a->salt_local,
2194 a->src_port, a->dst_port, 0, &tun_out, NULL);
2198 rv = ipsec_sa_add_and_lock (
2199 a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type,
2200 &a->rem_ckey, a->integ_type, &a->rem_ikey,
2201 (a->flags | IPSEC_SA_FLAG_IS_INBOUND), a->salt_remote,
2202 a->ipsec_over_udp_port, a->ipsec_over_udp_port, 0, &tun_in, NULL);
2206 rv = ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
2213 ipsec_sa_unlock_id (a->remote_sa_id);
2215 ipsec_sa_unlock_id (a->local_sa_id);
2221 ikev2_create_tunnel_interface (vlib_main_t *vm, ikev2_sa_t *sa,
2222 ikev2_child_sa_t *child, u32 sa_index,
2223 u32 child_index, u8 is_rekey, u8 kex)
2225 u32 thread_index = vlib_get_thread_index ();
2226 ikev2_main_t *km = &ikev2_main;
2227 ipsec_crypto_alg_t encr_type;
2228 ipsec_integ_alg_t integ_type;
2229 ikev2_profile_t *p = 0;
2230 ikev2_sa_transform_t *tr;
2231 ikev2_sa_proposal_t *proposals;
2233 ikev2_add_ipsec_tunnel_args_t a;
2235 clib_memset (&a, 0, sizeof (a));
2237 if (!child->r_proposals)
2239 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2243 if (sa->is_initiator)
2245 ip_address_copy (&a.local_ip, &sa->iaddr);
2246 ip_address_copy (&a.remote_ip, &sa->raddr);
2247 proposals = child->r_proposals;
2248 a.local_spi = child->r_proposals[0].spi;
2249 a.remote_spi = child->i_proposals[0].spi;
2253 ip_address_copy (&a.local_ip, &sa->raddr);
2254 ip_address_copy (&a.remote_ip, &sa->iaddr);
2255 proposals = child->i_proposals;
2256 a.local_spi = child->i_proposals[0].spi;
2257 a.remote_spi = child->r_proposals[0].spi;
2260 a.flags = IPSEC_SA_FLAG_USE_ANTI_REPLAY;
2263 a.flags |= IPSEC_SA_FLAG_IS_TUNNEL;
2264 a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
2266 if (ikev2_natt_active (sa))
2267 a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
2268 a.is_rekey = is_rekey;
2270 tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN);
2271 if (tr && tr->esn_type)
2272 a.flags |= IPSEC_SA_FLAG_USE_ESN;
2274 tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR);
2277 if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_CBC && tr->key_len)
2279 switch (tr->key_len)
2282 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_128;
2285 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_192;
2288 encr_type = IPSEC_CRYPTO_ALG_AES_CBC_256;
2291 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2296 else if (tr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16
2299 switch (tr->key_len)
2302 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_128;
2305 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_192;
2308 encr_type = IPSEC_CRYPTO_ALG_AES_GCM_256;
2311 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2319 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2325 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2328 a.encr_type = encr_type;
2332 tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_INTEG);
2335 switch (tr->integ_type)
2337 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_256_128:
2338 integ_type = IPSEC_INTEG_ALG_SHA_256_128;
2340 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_384_192:
2341 integ_type = IPSEC_INTEG_ALG_SHA_384_192;
2343 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA2_512_256:
2344 integ_type = IPSEC_INTEG_ALG_SHA_512_256;
2346 case IKEV2_TRANSFORM_INTEG_TYPE_AUTH_HMAC_SHA1_96:
2347 integ_type = IPSEC_INTEG_ALG_SHA1_96;
2350 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2356 ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
2362 integ_type = IPSEC_INTEG_ALG_NONE;
2365 a.integ_type = integ_type;
2366 ikev2_calc_child_keys (sa, child, kex);
2368 if (sa->is_initiator)
2370 ipsec_mk_key (&a.loc_ikey, child->sk_ai, vec_len (child->sk_ai));
2371 ipsec_mk_key (&a.rem_ikey, child->sk_ar, vec_len (child->sk_ar));
2372 ipsec_mk_key (&a.loc_ckey, child->sk_ei, vec_len (child->sk_ei));
2373 ipsec_mk_key (&a.rem_ckey, child->sk_er, vec_len (child->sk_er));
2376 a.salt_remote = child->salt_er;
2377 a.salt_local = child->salt_ei;
2379 a.dst_port = a.src_port = sa->ipsec_over_udp_port;
2383 ipsec_mk_key (&a.loc_ikey, child->sk_ar, vec_len (child->sk_ar));
2384 ipsec_mk_key (&a.rem_ikey, child->sk_ai, vec_len (child->sk_ai));
2385 ipsec_mk_key (&a.loc_ckey, child->sk_er, vec_len (child->sk_er));
2386 ipsec_mk_key (&a.rem_ckey, child->sk_ei, vec_len (child->sk_ei));
2389 a.salt_remote = child->salt_ei;
2390 a.salt_local = child->salt_er;
2393 ikev2_natt_active (sa) ? sa->dst_port : sa->ipsec_over_udp_port;
2394 a.src_port = sa->ipsec_over_udp_port;
2397 if (sa->is_initiator && sa->profile_index != ~0)
2398 p = pool_elt_at_index (km->profiles, sa->profile_index);
2400 if (p && p->lifetime)
2402 child->time_to_expiration = vlib_time_now (vm) + p->lifetime;
2403 if (p->lifetime_jitter)
2405 // This is not much better than rand(3), which Coverity warns
2406 // is unsuitable for security applications; random_u32 is
2407 // however fast. If this perturbance to the expiration time
2408 // needs to use a better RNG then we may need to use something
2409 // like /dev/urandom which has significant overhead.
2410 u32 rnd = (u32) (vlib_time_now (vm) * 1e6);
2411 rnd = random_u32 (&rnd);
2413 child->time_to_expiration += 1 + (rnd % p->lifetime_jitter);
2417 if (thread_index & 0xffffffc0)
2418 ikev2_elog_error ("error: thread index exceeds max range 0x3f!");
2420 if (child_index & 0xfffff000 || sa_index & 0xfffff000)
2421 ikev2_elog_error ("error: sa/child index exceeds max range 0xfff!");
2423 child->local_sa_id =
2425 ikev2_mk_local_sa_id (sa_index, child_index, thread_index);
2427 u32 remote_sa_id = ikev2_mk_remote_sa_id (sa_index, child_index,
2432 /* create a new remote SA ID to keep the old SA for a bit longer
2433 * so the peer has some time to swap their SAs */
2435 /* use most significat bit of child index part in id */
2437 if (sa->current_remote_id_mask)
2439 sa->old_remote_id = a.old_remote_sa_id = remote_sa_id | mask;
2440 sa->current_remote_id_mask = 0;
2444 sa->old_remote_id = a.old_remote_sa_id = remote_sa_id;
2445 sa->current_remote_id_mask = mask;
2446 remote_sa_id |= mask;
2448 sa->old_id_expiration = 3.0;
2449 sa->old_remote_id_present = 1;
2452 child->remote_sa_id = a.remote_sa_id = remote_sa_id;
2454 a.sw_if_index = (sa->is_tun_itf_set ? sa->tun_itf : ~0);
2455 a.ipsec_over_udp_port = sa->ipsec_over_udp_port;
2457 vl_api_rpc_call_main_thread (ikev2_add_tunnel_from_main,
2458 (u8 *) & a, sizeof (a));
2464 ip46_address_t local_ip;
2465 ip46_address_t remote_ip;
2469 } ikev2_del_ipsec_tunnel_args_t;
2472 ikev2_flip_alternate_sa_bit (u32 id)
2481 ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a)
2483 ikev2_main_t *km = &ikev2_main;
2484 ipip_tunnel_t *ipip = NULL;
2487 if (~0 == a->sw_if_index)
2490 ipip_tunnel_key_t key = {
2492 .dst = a->remote_ip,
2493 .transport = IPIP_TRANSPORT_IP4,
2498 ipip = ipip_tunnel_db_find (&key);
2502 sw_if_index = ipip->sw_if_index;
2503 hash_unset (km->sw_if_indices, ipip->sw_if_index);
2510 sw_if_index = a->sw_if_index;
2511 vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);
2514 if (~0 != sw_if_index)
2515 ipsec_tun_protect_del (sw_if_index, NULL);
2517 ipsec_sa_unlock_id (a->remote_sa_id);
2518 ipsec_sa_unlock_id (a->local_sa_id);
2519 ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (a->remote_sa_id));
2522 ipip_del_tunnel (ipip->sw_if_index);
2526 ikev2_delete_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
2527 ikev2_child_sa_t * child)
2529 ikev2_del_ipsec_tunnel_args_t a;
2531 clib_memset (&a, 0, sizeof (a));
2533 if (sa->is_initiator)
2535 ip_address_to_46 (&sa->iaddr, &a.local_ip);
2536 ip_address_to_46 (&sa->raddr, &a.remote_ip);
2540 ip_address_to_46 (&sa->raddr, &a.local_ip);
2541 ip_address_to_46 (&sa->iaddr, &a.remote_ip);
2544 a.remote_sa_id = child->remote_sa_id;
2545 a.local_sa_id = child->local_sa_id;
2546 a.sw_if_index = (sa->is_tun_itf_set ? sa->tun_itf : ~0);
2548 vl_api_rpc_call_main_thread (ikev2_del_tunnel_from_main, (u8 *) & a,
2554 ikev2_add_invalid_ke_payload (ikev2_sa_t *sa, ikev2_payload_chain_t *chain)
2556 u8 *data = vec_new (u8, 2);
2557 ikev2_sa_transform_t *tr_dh =
2558 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
2559 ASSERT (tr_dh && tr_dh->dh_type);
2560 data[0] = (tr_dh->dh_type >> 8) & 0xff;
2561 data[1] = (tr_dh->dh_type) & 0xff;
2562 ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD, data);
2567 ikev2_add_notify_payload (ikev2_sa_t *sa, ikev2_payload_chain_t *chain,
2570 if (notify_type == IKEV2_NOTIFY_MSG_INVALID_KE_PAYLOAD)
2571 ikev2_add_invalid_ke_payload (sa, chain);
2573 ikev2_payload_add_notify (chain, notify_type, 0);
2577 ikev2_add_create_child_resp (ikev2_sa_t *sa, ikev2_rekey_t *rekey,
2578 ikev2_payload_chain_t *chain)
2580 if (rekey->notify_type)
2582 ikev2_add_notify_payload (sa, chain, rekey->notify_type);
2586 ikev2_payload_add_sa (chain, rekey->r_proposal, 0);
2587 ikev2_payload_add_nonce (chain, sa->r_nonce);
2589 ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data);
2590 ikev2_payload_add_ts (chain, rekey->tsi, IKEV2_PAYLOAD_TSI);
2591 ikev2_payload_add_ts (chain, rekey->tsr, IKEV2_PAYLOAD_TSR);
2595 ikev2_generate_message (vlib_buffer_t *b, ikev2_sa_t *sa, ike_header_t *ike,
2596 void *user, udp_header_t *udp, ikev2_stats_t *stats)
2598 ikev2_main_t *km = &ikev2_main;
2599 u16 buffer_data_size = vlib_buffer_get_default_data_size (km->vlib_main);
2601 ike_payload_header_t *ph;
2605 ikev2_sa_transform_t *tr_encr, *tr_integ;
2607 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
2609 ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
2611 ikev2_payload_chain_t *chain = 0;
2612 ikev2_payload_new_chain (chain);
2614 if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
2616 if (sa->r_proposals == 0)
2618 ikev2_payload_add_notify (chain,
2619 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
2620 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
2622 else if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
2624 ikev2_add_invalid_ke_payload (sa, chain);
2625 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
2627 else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
2629 u8 *data = vec_new (u8, 1);
2631 data[0] = sa->unsupported_cp;
2632 ikev2_payload_add_notify (chain,
2633 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2641 ike->rspi = clib_host_to_net_u64 (sa->rspi);
2642 ikev2_payload_add_sa (chain, sa->r_proposals, 0);
2643 ikev2_payload_add_ke (chain, sa->dh_group, sa->r_dh_data);
2644 ikev2_payload_add_nonce (chain, sa->r_nonce);
2646 u8 *nat_detection_sha1 =
2647 ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
2648 clib_host_to_net_u64 (sa->rspi),
2649 &sa->raddr, udp->dst_port);
2650 ikev2_payload_add_notify (chain,
2651 IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
2652 nat_detection_sha1);
2653 vec_free (nat_detection_sha1);
2654 nat_detection_sha1 =
2655 ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
2656 clib_host_to_net_u64 (sa->rspi),
2657 &sa->iaddr, udp->src_port);
2658 ikev2_payload_add_notify (chain,
2659 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
2660 nat_detection_sha1);
2661 vec_free (nat_detection_sha1);
2664 else if (ike->exchange == IKEV2_EXCHANGE_IKE_AUTH)
2666 if (sa->state == IKEV2_STATE_AUTHENTICATED)
2668 ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
2669 ikev2_payload_add_auth (chain, &sa->r_auth);
2670 ikev2_payload_add_sa (chain, sa->childs[0].r_proposals, 0);
2671 ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
2672 ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
2674 else if (sa->state == IKEV2_STATE_AUTH_FAILED)
2676 ikev2_payload_add_notify (chain,
2677 IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED,
2679 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
2681 else if (sa->state == IKEV2_STATE_TS_UNACCEPTABLE)
2683 ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_TS_UNACCEPTABLE,
2685 ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
2686 ikev2_payload_add_auth (chain, &sa->r_auth);
2688 else if (sa->state == IKEV2_STATE_NO_PROPOSAL_CHOSEN)
2690 ikev2_payload_add_notify (chain,
2691 IKEV2_NOTIFY_MSG_NO_PROPOSAL_CHOSEN, 0);
2692 ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
2693 ikev2_payload_add_auth (chain, &sa->r_auth);
2694 ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
2695 ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
2697 else if (sa->state == IKEV2_STATE_NOTIFY_AND_DELETE)
2699 u8 *data = vec_new (u8, 1);
2701 data[0] = sa->unsupported_cp;
2702 ikev2_payload_add_notify (chain,
2703 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2707 else if (sa->state == IKEV2_STATE_SA_INIT)
2709 ikev2_payload_add_id (chain, &sa->i_id, IKEV2_PAYLOAD_IDI);
2710 /* IDr is optional when sending INIT from the initiator */
2711 ASSERT (sa->r_id.type != 0 || sa->is_initiator);
2712 if (sa->r_id.type != 0)
2713 ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
2714 ikev2_payload_add_auth (chain, &sa->i_auth);
2715 ikev2_payload_add_sa (chain, sa->childs[0].i_proposals, 0);
2716 ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
2717 ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
2718 ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_INITIAL_CONTACT,
2723 ikev2_set_state (sa, IKEV2_STATE_DELETED, ": unexpected IKE_AUTH");
2727 else if (ike->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
2729 /* if pending delete */
2732 if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE)
2734 if (ike_hdr_is_request (ike))
2735 ikev2_payload_add_delete (chain, sa->del);
2737 /* The response to a request that deletes the IKE SA is an empty
2738 INFORMATIONAL response. */
2739 ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
2741 /* The response to a request that deletes ESP or AH SAs will contain
2742 delete payloads for the paired SAs going in the other direction. */
2745 ikev2_payload_add_delete (chain, sa->del);
2750 /* received N(AUTHENTICATION_FAILED) */
2751 else if (sa->state == IKEV2_STATE_AUTH_FAILED)
2753 ikev2_set_state (sa, IKEV2_STATE_DELETED, ": auth failed");
2756 /* received unsupported critical payload */
2757 else if (sa->unsupported_cp)
2759 u8 *data = vec_new (u8, 1);
2761 data[0] = sa->unsupported_cp;
2762 ikev2_payload_add_notify (chain,
2763 IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
2766 sa->unsupported_cp = 0;
2769 /* else send empty response */
2771 if (ike_hdr_is_response (ike))
2773 ASSERT (stats != 0);
2774 stats->n_keepalives++;
2775 sa->stats.n_keepalives++;
2779 else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
2781 if (sa->is_initiator)
2784 ikev2_sa_proposal_t *proposals = (ikev2_sa_proposal_t *) user;
2785 ikev2_notify_t notify;
2786 u8 *data = vec_new (u8, 4);
2787 clib_memset (¬ify, 0, sizeof (notify));
2788 notify.protocol_id = IKEV2_PROTOCOL_ESP;
2789 notify.spi = sa->childs[0].i_proposals->spi;
2790 *(u32 *) data = clib_host_to_net_u32 (notify.spi);
2792 ikev2_payload_add_sa (chain, proposals, 0);
2793 ikev2_payload_add_nonce (chain, sa->i_nonce);
2794 ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
2795 ikev2_payload_add_ts (chain, sa->childs[0].tsr, IKEV2_PAYLOAD_TSR);
2796 ikev2_payload_add_notify_2 (chain, IKEV2_NOTIFY_MSG_REKEY_SA, data,
2801 else if (vec_len (sa->rekey) > 0)
2803 ikev2_add_create_child_resp (sa, &sa->rekey[0], chain);
2804 vec_del1 (sa->rekey, 0);
2806 else if (vec_len (sa->new_child) > 0)
2808 ikev2_add_create_child_resp (sa, &sa->new_child[0], chain);
2809 vec_del1 (sa->new_child, 0);
2811 else if (vec_len (sa->sa_rekey) > 0)
2813 if (sa->sa_rekey[0].notify_type)
2814 ikev2_add_notify_payload (sa, chain, sa->sa_rekey[0].notify_type);
2817 ikev2_payload_add_sa (chain, sa->sa_rekey[0].r_proposals, 1);
2818 ikev2_payload_add_nonce (chain, sa->sa_rekey[0].r_nonce);
2819 ikev2_payload_add_ke (chain, sa->sa_rekey[0].dh_group,
2820 sa->sa_rekey[0].r_dh_data);
2822 vec_del1 (sa->sa_rekey, 0);
2824 else if (sa->unsupported_cp)
2826 u8 *data = vec_new (u8, 1);
2828 data[0] = sa->unsupported_cp;
2829 ikev2_payload_add_notify (
2830 chain, IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, data);
2832 sa->unsupported_cp = 0;
2836 ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
2842 ike->version = IKE_VERSION_2;
2843 ike->nextpayload = IKEV2_PAYLOAD_SK;
2844 tlen = sizeof (*ike);
2846 if (sa->is_initiator)
2847 ike->flags |= IKEV2_HDR_FLAG_INITIATOR;
2849 if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
2851 tlen += vec_len (chain->data);
2852 ike->nextpayload = chain->first_payload_type;
2853 ike->length = clib_host_to_net_u32 (tlen);
2855 if (tlen + b->current_length + b->current_data > buffer_data_size)
2861 clib_memcpy_fast (ike->payload, chain->data, vec_len (chain->data));
2863 /* store whole IKE payload - needed for PSK auth */
2864 vec_reset_length (sa->last_sa_init_res_packet_data);
2865 vec_add (sa->last_sa_init_res_packet_data, ike, tlen);
2869 ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
2870 ikev2_payload_chain_add_padding (chain, tr_encr->block_size);
2873 plen = sizeof (*ph);
2874 ph = (ike_payload_header_t *) & ike->payload[0];
2875 ph->nextpayload = chain->first_payload_type;
2878 tr_encr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
2879 int iv_len = is_aead ? IKEV2_GCM_IV_SIZE : tr_encr->block_size;
2880 plen += vec_len (chain->data) + iv_len;
2882 /* add space for hmac/tag */
2884 plen += tr_integ->key_trunc;
2886 plen += IKEV2_GCM_ICV_SIZE;
2889 if (tlen + b->current_length + b->current_data > buffer_data_size)
2895 /* payload and total length */
2896 ph->length = clib_host_to_net_u16 (plen);
2897 ike->length = clib_host_to_net_u32 (tlen);
2901 if (!ikev2_encrypt_aead_data (ptd, sa, tr_encr, chain->data,
2902 ph->payload, (u8 *) ike,
2903 sizeof (*ike) + sizeof (*ph),
2904 ph->payload + plen - sizeof (*ph) -
2905 IKEV2_GCM_ICV_SIZE))
2913 if (!ikev2_encrypt_data
2914 (ptd, sa, tr_encr, chain->data, ph->payload))
2920 ikev2_calc_integr (tr_integ,
2921 sa->is_initiator ? sa->sk_ai : sa->sk_ar,
2922 (u8 *) ike, tlen - tr_integ->key_trunc);
2923 clib_memcpy_fast (ike->payload + tlen - tr_integ->key_trunc -
2924 sizeof (*ike), integ, tr_integ->key_trunc);
2927 /* store whole IKE payload - needed for retransmit */
2928 vec_reset_length (sa->last_res_packet_data);
2929 vec_add (sa->last_res_packet_data, ike, tlen);
2933 ikev2_payload_destroy_chain (chain);
2939 ikev2_retransmit_sa_init_one (ikev2_sa_t * sa, ike_header_t * ike,
2940 ip_address_t iaddr, ip_address_t raddr,
2945 u8 payload = ike->nextpayload;
2947 if (sa->ispi != clib_net_to_host_u64 (ike->ispi) ||
2948 ip_address_cmp (&sa->iaddr, &iaddr) ||
2949 ip_address_cmp (&sa->raddr, &raddr))
2954 while (p < rlen && payload != IKEV2_PAYLOAD_NONE)
2956 ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
2957 u32 plen = clib_net_to_host_u16 (ikep->length);
2959 if (plen < sizeof (ike_payload_header_t))
2962 if (payload == IKEV2_PAYLOAD_NONCE &&
2963 !clib_memcmp (sa->i_nonce, ikep->payload, plen - sizeof (*ikep)))
2965 /* req is retransmit */
2966 if (sa->state == IKEV2_STATE_SA_INIT)
2968 sa->stats.n_init_retransmit++;
2969 tmp = (ike_header_t *) sa->last_sa_init_res_packet_data;
2970 u32 slen = clib_net_to_host_u32 (tmp->length);
2971 ike->ispi = tmp->ispi;
2972 ike->rspi = tmp->rspi;
2973 ike->nextpayload = tmp->nextpayload;
2974 ike->version = tmp->version;
2975 ike->exchange = tmp->exchange;
2976 ike->flags = tmp->flags;
2977 ike->msgid = tmp->msgid;
2978 ike->length = tmp->length;
2979 clib_memcpy_fast (ike->payload, tmp->payload,
2980 slen - sizeof (*ike));
2981 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
2982 "ispi %lx IKE_SA_INIT retransmit "
2983 "from %d.%d.%d.%d to %d.%d.%d.%d",
2985 ip_addr_v4 (&raddr).as_u32,
2986 ip_addr_v4 (&iaddr).as_u32);
2989 /* else ignore req */
2992 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
2993 "ispi %lx IKE_SA_INIT ignore "
2994 "from %d.%d.%d.%d to %d.%d.%d.%d",
2996 ip_addr_v4 (&raddr).as_u32,
2997 ip_addr_v4 (&iaddr).as_u32);
3001 payload = ikep->nextpayload;
3009 ikev2_retransmit_sa_init (ike_header_t * ike, ip_address_t iaddr,
3010 ip_address_t raddr, u32 rlen)
3014 ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
3017 pool_foreach (sa, ptd->sas) {
3018 res = ikev2_retransmit_sa_init_one (sa, ike, iaddr, raddr, rlen);
3024 /* req is not retransmit */
3029 ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
3031 if (ike_hdr_is_response (ike))
3034 u32 msg_id = clib_net_to_host_u32 (ike->msgid);
3037 if (msg_id > sa->last_msg_id || sa->last_msg_id == ~0)
3039 sa->last_msg_id = msg_id;
3043 /* retransmitted req */
3044 if (msg_id == sa->last_msg_id)
3046 sa->stats.n_retransmit++;
3047 ike_header_t *tmp = (ike_header_t *) sa->last_res_packet_data;
3048 u32 slen = clib_net_to_host_u32 (tmp->length);
3049 ike->ispi = tmp->ispi;
3050 ike->rspi = tmp->rspi;
3051 ike->nextpayload = tmp->nextpayload;
3052 ike->version = tmp->version;
3053 ike->exchange = tmp->exchange;
3054 ike->flags = tmp->flags;
3055 ike->msgid = tmp->msgid;
3056 ike->length = tmp->length;
3057 clib_memcpy_fast (ike->payload, tmp->payload, slen - sizeof (*ike));
3058 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE retransmit msgid %d",
3059 msg_id, ip_addr_v4 (&sa->raddr).as_u32,
3060 ip_addr_v4 (&sa->iaddr).as_u32);
3064 /* old req ignore */
3065 ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE req ignore msgid %d",
3066 msg_id, ip_addr_v4 (&sa->raddr).as_u32,
3067 ip_addr_v4 (&sa->iaddr).as_u32);
3072 ikev2_init_sa (vlib_main_t * vm, ikev2_sa_t * sa)
3074 ikev2_main_t *km = &ikev2_main;
3075 sa->liveness_period_check = vlib_time_now (vm) + km->liveness_period;
3076 sa->profile_index = ~0;
3080 ikev2_del_sa_init_from_main (u64 * ispi)
3082 ikev2_main_t *km = &ikev2_main;
3083 uword *p = hash_get (km->sa_by_ispi, *ispi);
3086 ikev2_sa_t *sai = pool_elt_at_index (km->sais, p[0]);
3087 hash_unset (km->sa_by_ispi, sai->ispi);
3088 ikev2_sa_free_all_vec (sai);
3089 pool_put (km->sais, sai);
3094 ikev2_del_sa_init (u64 ispi)
3096 vl_api_rpc_call_main_thread (ikev2_del_sa_init_from_main, (u8 *) & ispi,
3101 ikev2_rewrite_v6_addrs (ikev2_sa_t *sa, ip6_header_t *ih)
3103 if (sa->is_initiator)
3105 ip_address_copy_addr (&ih->dst_address, &sa->raddr);
3106 ip_address_copy_addr (&ih->src_address, &sa->iaddr);
3110 ip_address_copy_addr (&ih->dst_address, &sa->iaddr);
3111 ip_address_copy_addr (&ih->src_address, &sa->raddr);
3116 ikev2_rewrite_v4_addrs (ikev2_sa_t *sa, ip4_header_t *ih)
3118 if (sa->is_initiator)
3120 ip_address_copy_addr (&ih->dst_address, &sa->raddr);
3121 ip_address_copy_addr (&ih->src_address, &sa->iaddr);
3125 ip_address_copy_addr (&ih->dst_address, &sa->iaddr);
3126 ip_address_copy_addr (&ih->src_address, &sa->raddr);
3131 ikev2_set_ip_address (ikev2_sa_t *sa, const void *iaddr, const void *raddr,
3132 const ip_address_family_t af)
3134 ip_address_set (&sa->raddr, raddr, af);
3135 ip_address_set (&sa->iaddr, iaddr, af);
3139 ikev2_elog_uint_peers_addr (u32 exchange, ip4_header_t * ip4,
3140 ip6_header_t * ip6, u8 is_ip4)
3145 src = ip4->src_address.as_u32;
3146 dst = ip4->dst_address.as_u32;
3150 src = ip6->src_address.as_u32[3];
3151 dst = ip6->dst_address.as_u32[3];
3153 ikev2_elog_uint_peers (IKEV2_LOG_WARNING, "IKEv2 exchange %d "
3154 "received from %d.%d.%d.%d to %d.%d.%d.%d",
3155 exchange, src, dst);
3159 ikev2_generate_sa_init_data_and_log (ikev2_sa_t * sa)
3161 ikev2_generate_sa_error_t rc = ikev2_generate_sa_init_data (sa);
3163 if (PREDICT_TRUE (rc == IKEV2_GENERATE_SA_INIT_OK))
3166 if (rc == IKEV2_GENERATE_SA_INIT_ERR_NO_DH)
3167 ikev2_elog_error (IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR);
3168 else if (rc == IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH)
3169 ikev2_elog_error (IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR);
3173 ikev2_update_stats (vlib_main_t *vm, u32 node_index, ikev2_stats_t *s)
3175 vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_KEEPALIVE,
3177 vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_REKEY_REQ,
3179 vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_INIT_SA_REQ,
3181 vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_IKE_AUTH_REQ,
3186 ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
3187 vlib_frame_t *frame, u8 is_ip4, u8 natt)
3189 u32 n_left = frame->n_vectors, *from;
3190 ikev2_main_t *km = &ikev2_main;
3191 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
3192 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
3193 ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
3194 ikev2_stats_t _stats, *stats = &_stats;
3197 /* no NAT traversal for ip6 */
3198 ASSERT (!natt || is_ip4);
3200 clib_memset_u16 (stats, 0, sizeof (stats[0]) / sizeof (u16));
3201 from = vlib_frame_vector_args (frame);
3202 vlib_get_buffers (vm, from, bufs, n_left);
3207 vlib_buffer_t *b0 = b[0];
3208 next[0] = is_ip4 ? IKEV2_NEXT_IP4_ERROR_DROP
3209 : IKEV2_NEXT_IP6_ERROR_DROP;
3210 ip4_header_t *ip40 = 0;
3211 ip6_header_t *ip60 = 0;
3214 ikev2_sa_t *sa0 = 0;
3215 ikev2_sa_t sa; /* temporary store for SA */
3222 u8 *ptr = vlib_buffer_get_current (b0);
3223 ip40 = (ip4_header_t *) ptr;
3224 ptr += sizeof (*ip40);
3225 udp0 = (udp_header_t *) ptr;
3226 ptr += sizeof (*udp0);
3227 ike0 = (ike_header_t *) ptr;
3228 ip_hdr_sz = sizeof (*ip40);
3232 u8 *ipx_hdr = b0->data + vnet_buffer (b0)->l3_hdr_offset;
3233 ike0 = vlib_buffer_get_current (b0);
3234 vlib_buffer_advance (b0, -sizeof (*udp0));
3235 udp0 = vlib_buffer_get_current (b0);
3239 ip40 = (ip4_header_t *) ipx_hdr;
3240 ip_hdr_sz = sizeof (*ip40);
3244 ip60 = (ip6_header_t *) ipx_hdr;
3245 ip_hdr_sz = sizeof (*ip60);
3247 vlib_buffer_advance (b0, -ip_hdr_sz);
3250 rlen = b0->current_length - ip_hdr_sz - sizeof (*udp0);
3252 /* check for non-esp marker */
3255 ASSERT (*((u32 *) ike0) == 0);
3257 (ike_header_t *) ((u8 *) ike0 + sizeof (ikev2_non_esp_marker));
3258 rlen -= sizeof (ikev2_non_esp_marker);
3261 if (clib_net_to_host_u32 (ike0->length) != rlen)
3263 vlib_node_increment_counter (vm, node->node_index,
3264 IKEV2_ERROR_BAD_LENGTH, 1);
3268 if (ike0->version != IKE_VERSION_2)
3270 vlib_node_increment_counter (vm, node->node_index,
3271 IKEV2_ERROR_NOT_IKEV2, 1);
3275 if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
3278 clib_memset (sa0, 0, sizeof (*sa0));
3280 if (ike_hdr_is_initiator (ike0))
3282 sa0->stats.n_sa_init_req++;
3283 stats->n_sa_init_req++;
3284 if (ike0->rspi == 0)
3287 ikev2_set_ip_address (sa0, &ip40->src_address,
3288 &ip40->dst_address, AF_IP4);
3290 ikev2_set_ip_address (sa0, &ip60->src_address,
3291 &ip60->dst_address, AF_IP6);
3293 sa0->dst_port = clib_net_to_host_u16 (udp0->src_port);
3296 ikev2_retransmit_sa_init (ike0, sa0->iaddr,
3300 vlib_node_increment_counter (vm, node->node_index,
3303 IKEV2_ERROR_IKE_SA_INIT_IGNORE
3305 IKEV2_ERROR_IKE_SA_INIT_RETRANSMIT,
3310 res = ikev2_process_sa_init_req (
3311 vm, sa0, ike0, udp0, rlen,
3312 vnet_buffer (b0)->sw_if_index[VLIB_RX]);
3314 vlib_node_increment_counter (vm, node->node_index,
3315 IKEV2_ERROR_MALFORMED_PACKET,
3318 if (sa0->state == IKEV2_STATE_SA_INIT)
3320 ikev2_sa_free_proposal_vector (&sa0->r_proposals);
3322 ikev2_select_proposal (sa0->i_proposals,
3323 IKEV2_PROTOCOL_IKE);
3324 ikev2_generate_sa_init_data_and_log (sa0);
3327 if (sa0->state == IKEV2_STATE_SA_INIT
3328 || sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE)
3330 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3332 ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
3334 vlib_node_increment_counter (vm, node->node_index,
3335 IKEV2_ERROR_NO_BUFF_SPACE,
3339 if (sa0->state == IKEV2_STATE_SA_INIT)
3341 /* add SA to the pool */
3342 pool_get (ptd->sas, sa0);
3343 clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
3344 ikev2_init_sa (vm, sa0);
3345 hash_set (ptd->sa_by_rspi, sa0->rspi, sa0 - ptd->sas);
3349 ikev2_sa_free_all_vec (sa0);
3353 else //received sa_init without initiator flag
3356 ikev2_set_ip_address (sa0, &ip40->dst_address,
3357 &ip40->src_address, AF_IP4);
3359 ikev2_set_ip_address (sa0, &ip60->dst_address,
3360 &ip60->src_address, AF_IP6);
3362 ikev2_process_sa_init_resp (vm, sa0, ike0, udp0, rlen);
3364 if (sa0->state == IKEV2_STATE_SA_INIT)
3367 ike0->exchange = IKEV2_EXCHANGE_IKE_AUTH;
3368 uword *p = hash_get (km->sa_by_ispi, sa0->ispi);
3371 ikev2_sa_t *sai = pool_elt_at_index (km->sais, p[0]);
3373 if (clib_atomic_bool_cmp_and_swap
3374 (&sai->init_response_received, 0, 1))
3376 ikev2_complete_sa_data (sa0, sai);
3377 ikev2_calc_keys (sa0);
3378 ikev2_sa_auth_init (sa0);
3379 ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
3381 clib_net_to_host_u32 (sai->last_init_msg_id);
3382 sa0->last_init_msg_id = sai->last_init_msg_id + 1;
3383 slen = ikev2_generate_message (b0, sa0, ike0, 0,
3386 vlib_node_increment_counter (vm,
3388 IKEV2_ERROR_NO_BUFF_SPACE,
3393 /* we've already processed sa-init response */
3394 sa0->state = IKEV2_STATE_UNKNOWN;
3399 if (sa0->state == IKEV2_STATE_SA_INIT)
3401 /* add SA to the pool */
3402 pool_get (ptd->sas, sa0);
3403 clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
3404 hash_set (ptd->sa_by_rspi, sa0->rspi, sa0 - ptd->sas);
3408 ikev2_sa_free_all_vec (sa0);
3412 else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH)
3415 p = hash_get (ptd->sa_by_rspi, clib_net_to_host_u64 (ike0->rspi));
3418 sa0 = pool_elt_at_index (ptd->sas, p[0]);
3419 slen = ikev2_retransmit_resp (sa0, ike0);
3422 vlib_node_increment_counter (vm, node->node_index,
3425 IKEV2_ERROR_IKE_REQ_IGNORE
3427 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
3432 sa0->dst_port = clib_net_to_host_u16 (udp0->src_port);
3433 res = ikev2_process_auth_req (vm, sa0, ike0, rlen);
3435 ikev2_sa_auth (sa0);
3437 vlib_node_increment_counter (vm, node->node_index,
3438 IKEV2_ERROR_MALFORMED_PACKET, 1);
3439 if (sa0->state == IKEV2_STATE_AUTHENTICATED)
3441 ikev2_initial_contact_cleanup (ptd, sa0);
3442 p = hash_get (ptd->sa_by_rspi,
3443 clib_net_to_host_u64 (ike0->rspi));
3444 ikev2_sa_match_ts (sa0);
3445 if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE)
3446 ikev2_create_tunnel_interface (vm, sa0, &sa0->childs[0],
3450 if (sa0->is_initiator)
3452 sa0->last_msg_id = ~0;
3453 ikev2_del_sa_init (sa0->ispi);
3457 sa0->stats.n_sa_auth_req++;
3458 stats->n_sa_auth_req++;
3459 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3461 ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
3463 vlib_node_increment_counter (vm, node->node_index,
3464 IKEV2_ERROR_NO_BUFF_SPACE,
3469 else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL)
3472 p = hash_get (ptd->sa_by_rspi, clib_net_to_host_u64 (ike0->rspi));
3475 sa0 = pool_elt_at_index (ptd->sas, p[0]);
3476 slen = ikev2_retransmit_resp (sa0, ike0);
3479 vlib_node_increment_counter (vm, node->node_index,
3482 IKEV2_ERROR_IKE_REQ_IGNORE
3484 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
3489 res = ikev2_process_informational_req (vm, sa0, ike0, rlen);
3492 vlib_node_increment_counter (vm, node->node_index,
3493 IKEV2_ERROR_MALFORMED_PACKET,
3501 if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE)
3503 ikev2_delete_t *d, *tmp, *resp = 0;
3504 vec_foreach (d, sa0->del)
3506 ikev2_child_sa_t *ch_sa;
3507 ch_sa = ikev2_sa_get_child (sa0, d->spi,
3509 !sa0->is_initiator);
3512 ikev2_delete_tunnel_interface (km->vnet_main,
3514 if (!sa0->is_initiator)
3516 vec_add2 (resp, tmp, 1);
3517 tmp->protocol_id = d->protocol_id;
3518 tmp->spi = ch_sa->r_proposals[0].spi;
3520 ikev2_sa_del_child_sa (sa0, ch_sa);
3523 if (!sa0->is_initiator)
3525 vec_free (sa0->del);
3530 if (ike_hdr_is_request (ike0))
3532 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3534 ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
3536 vlib_node_increment_counter (vm, node->node_index,
3537 IKEV2_ERROR_NO_BUFF_SPACE,
3542 else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
3545 p = hash_get (ptd->sa_by_rspi, clib_net_to_host_u64 (ike0->rspi));
3548 sa0 = pool_elt_at_index (ptd->sas, p[0]);
3549 slen = ikev2_retransmit_resp (sa0, ike0);
3552 vlib_node_increment_counter (vm, node->node_index,
3555 IKEV2_ERROR_IKE_REQ_IGNORE
3557 IKEV2_ERROR_IKE_REQ_RETRANSMIT,
3562 res = ikev2_process_create_child_sa_req (vm, sa0, ike0, rlen);
3565 vlib_node_increment_counter (vm, node->node_index,
3566 IKEV2_ERROR_MALFORMED_PACKET,
3572 if (vec_len (sa0->rekey) > 0)
3574 if (!sa0->rekey[0].notify_type &&
3575 sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
3577 if (vec_len (sa0->childs) > 0)
3578 ikev2_sa_free_all_child_sa (&sa0->childs);
3579 ikev2_child_sa_t *child;
3580 vec_add2 (sa0->childs, child, 1);
3581 clib_memset (child, 0, sizeof (*child));
3582 child->r_proposals = sa0->rekey[0].r_proposal;
3583 child->i_proposals = sa0->rekey[0].i_proposal;
3584 child->tsi = sa0->rekey[0].tsi;
3585 child->tsr = sa0->rekey[0].tsr;
3586 ikev2_create_tunnel_interface (vm, sa0, child, p[0],
3587 child - sa0->childs, 1,
3590 if (ike_hdr_is_response (ike0))
3592 vec_free (sa0->rekey);
3596 stats->n_rekey_req++;
3597 sa0->stats.n_rekey_req++;
3598 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3600 ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
3602 vlib_node_increment_counter (vm, node->node_index,
3603 IKEV2_ERROR_NO_BUFF_SPACE,
3607 else if (vec_len (sa0->new_child) > 0)
3609 ikev2_child_sa_t *c;
3610 vec_add2 (sa0->childs, c, 1);
3611 memset (c, 0, sizeof (*c));
3612 c->r_proposals = sa0->new_child[0].r_proposal;
3613 c->i_proposals = sa0->new_child[0].i_proposal;
3614 c->tsi = sa0->new_child[0].tsi;
3615 c->tsr = sa0->new_child[0].tsr;
3616 ikev2_create_tunnel_interface (vm, sa0, c, p[0],
3618 sa0->new_child[0].kex);
3619 if (ike_hdr_is_request (ike0))
3621 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3623 ikev2_generate_message (b0, sa0, ike0, 0, udp0, 0);
3625 vlib_node_increment_counter (
3626 vm, node->node_index, IKEV2_ERROR_NO_BUFF_SPACE, 1);
3629 else if (vec_len (sa0->sa_rekey) > 0)
3631 if (!sa0->sa_rekey[0].notify_type)
3633 ikev2_sa_t *sar, *tmp = 0;
3634 pool_get (ptd->sas, tmp);
3635 sa0 = pool_elt_at_index (ptd->sas, p[0]);
3636 /* swap old/new SAs to keep index and inherit IPsec SA */
3637 clib_memcpy_fast (tmp, sa0, sizeof (*tmp));
3640 hash_set (ptd->sa_by_rspi, sa0->rspi, sa0 - ptd->sas);
3641 p = hash_get (ptd->sa_by_rspi, sa0->rspi);
3642 ikev2_complete_sa_rekey (sar, sa0, &sa0->sa_rekey[0]);
3643 hash_set (ptd->sa_by_rspi, sar->rspi, sar - ptd->sas);
3645 if (ike_hdr_is_response (ike0))
3647 vec_free (sa0->sa_rekey);
3651 stats->n_rekey_req++;
3652 sa0->stats.n_rekey_req++;
3653 ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
3655 ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
3657 vlib_node_increment_counter (
3658 vm, node->node_index, IKEV2_ERROR_NO_BUFF_SPACE, 1);
3665 ikev2_elog_uint_peers_addr (ike0->exchange, ip40, ip60, is_ip4);
3669 /* if we are sending packet back, rewrite headers */
3670 if (slen && ~0 != slen)
3674 next[0] = IKEV2_NEXT_IP4_LOOKUP;
3675 ikev2_rewrite_v4_addrs (sa0, ip40);
3679 next[0] = IKEV2_NEXT_IP6_LOOKUP;
3680 ikev2_rewrite_v6_addrs (sa0, ip60);
3685 udp0->dst_port = udp0->src_port =
3686 clib_net_to_host_u16 (ikev2_get_port (sa0));
3688 if (udp0->dst_port == clib_net_to_host_u16 (IKEV2_PORT_NATT)
3689 && ikev2_natt_active (sa0))
3692 slen = ikev2_insert_non_esp_marker (ike0, slen);
3698 slen += sizeof (ikev2_non_esp_marker);
3700 u16 tp = udp0->dst_port;
3701 udp0->dst_port = udp0->src_port;
3702 udp0->src_port = tp;
3705 udp0->length = clib_host_to_net_u16 (slen + sizeof (udp_header_t));
3707 b0->current_length = slen + ip_hdr_sz + sizeof (udp_header_t);
3710 ip40->length = clib_host_to_net_u16 (b0->current_length);
3711 ip40->checksum = ip4_header_checksum (ip40);
3715 ip60->payload_length =
3716 clib_host_to_net_u16 (b0->current_length - sizeof (*ip60));
3720 if (sa0 && (sa0->state == IKEV2_STATE_DELETED ||
3721 sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE))
3723 ikev2_child_sa_t *c;
3725 vec_foreach (c, sa0->childs)
3726 ikev2_delete_tunnel_interface (km->vnet_main, sa0, c);
3728 ikev2_delete_sa (ptd, sa0);
3730 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3731 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3734 ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
3735 t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3736 t->next_index = next[0];
3743 ikev2_update_stats (vm, node->node_index, stats);
3744 vlib_node_increment_counter (vm, node->node_index,
3745 IKEV2_ERROR_PROCESSED, frame->n_vectors);
3746 vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
3747 return frame->n_vectors;
3751 ikev2_ip4 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
3753 return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 0);
3757 ikev2_ip4_natt (vlib_main_t *vm, vlib_node_runtime_t *node,
3758 vlib_frame_t *frame)
3760 return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 1 /* natt */);
3764 ikev2_ip6 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
3766 return ikev2_node_internal (vm, node, frame, 0 /* is_ip4 */, 0);
3770 VLIB_REGISTER_NODE (ikev2_node_ip4,static) = {
3771 .function = ikev2_ip4,
3772 .name = "ikev2-ip4",
3773 .vector_size = sizeof (u32),
3774 .format_trace = format_ikev2_trace,
3775 .type = VLIB_NODE_TYPE_INTERNAL,
3777 .n_errors = IKEV2_N_ERROR,
3778 .error_counters = ikev2_error_counters,
3780 .n_next_nodes = IKEV2_IP4_N_NEXT,
3782 [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
3783 [IKEV2_NEXT_IP4_ERROR_DROP] = "error-drop",
3787 VLIB_REGISTER_NODE (ikev2_node_ip4_natt,static) = {
3788 .function = ikev2_ip4_natt,
3789 .name = "ikev2-ip4-natt",
3790 .vector_size = sizeof (u32),
3791 .format_trace = format_ikev2_trace,
3792 .type = VLIB_NODE_TYPE_INTERNAL,
3794 .n_errors = IKEV2_N_ERROR,
3795 .error_counters = ikev2_error_counters,
3797 .n_next_nodes = IKEV2_IP4_N_NEXT,
3799 [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
3800 [IKEV2_NEXT_IP4_ERROR_DROP] = "error-drop",
3804 VLIB_REGISTER_NODE (ikev2_node_ip6,static) = {
3805 .function = ikev2_ip6,
3806 .name = "ikev2-ip6",
3807 .vector_size = sizeof (u32),
3808 .format_trace = format_ikev2_trace,
3809 .type = VLIB_NODE_TYPE_INTERNAL,
3811 .n_errors = IKEV2_N_ERROR,
3812 .error_counters = ikev2_error_counters,
3814 .n_next_nodes = IKEV2_IP6_N_NEXT,
3816 [IKEV2_NEXT_IP6_LOOKUP] = "ip6-lookup",
3817 [IKEV2_NEXT_IP6_ERROR_DROP] = "error-drop",
3822 // set ikev2 proposals when vpp is used as initiator
3823 static clib_error_t *
3824 ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
3825 ikev2_transforms_set * ts,
3826 ikev2_sa_proposal_t ** proposals, int is_ike)
3829 ikev2_main_t *km = &ikev2_main;
3830 ikev2_sa_proposal_t *proposal;
3831 vec_add2 (*proposals, proposal, 1);
3832 ikev2_sa_transform_t *td;
3837 vec_foreach (td, km->supported_transforms)
3839 if (td->type == IKEV2_TRANSFORM_TYPE_ENCR
3840 && td->encr_type == ts->crypto_alg
3841 && td->key_len == ts->crypto_key_size / 8)
3844 attr[0] = clib_host_to_net_u16 (14 | (1 << 15));
3845 attr[1] = clib_host_to_net_u16 (td->key_len << 3);
3846 vec_add (td->attrs, (u8 *) attr, 4);
3847 vec_add1 (proposal->transforms, *td);
3856 r = clib_error_return (0, "Unsupported algorithm");
3860 if (IKEV2_TRANSFORM_INTEG_TYPE_NONE != ts->integ_alg)
3864 vec_foreach (td, km->supported_transforms)
3866 if (td->type == IKEV2_TRANSFORM_TYPE_INTEG
3867 && td->integ_type == ts->integ_alg)
3869 vec_add1 (proposal->transforms, *td);
3877 ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG");
3878 r = clib_error_return (0, "Unsupported algorithm");
3887 vec_foreach (td, km->supported_transforms)
3889 if (td->type == IKEV2_TRANSFORM_TYPE_PRF
3890 && td->prf_type == IKEV2_TRANSFORM_PRF_TYPE_PRF_HMAC_SHA2_256)
3892 vec_add1 (proposal->transforms, *td);
3899 r = clib_error_return (0, "Unsupported algorithm");
3908 vec_foreach (td, km->supported_transforms)
3910 if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
3912 vec_add1 (proposal->transforms, *td);
3915 sa->dh_group = td->dh_type;
3923 r = clib_error_return (0, "Unsupported algorithm");
3931 vec_foreach (td, km->supported_transforms)
3933 if (td->type == IKEV2_TRANSFORM_TYPE_ESN)
3935 vec_add1 (proposal->transforms, *td);
3941 r = clib_error_return (0, "Unsupported algorithm");
3950 static ikev2_profile_t *
3951 ikev2_profile_index_by_name (u8 * name)
3953 ikev2_main_t *km = &ikev2_main;
3956 p = mhash_get (&km->profile_index_by_name, name);
3960 return pool_elt_at_index (km->profiles, p[0]);
3965 ikev2_send_ike (vlib_main_t * vm, ip_address_t * src, ip_address_t * dst,
3966 u32 bi0, u32 len, u16 src_port, u16 dst_port, u32 sw_if_index)
3975 b0 = vlib_get_buffer (vm, bi0);
3976 vlib_buffer_advance (b0, -sizeof (udp_header_t));
3977 udp0 = vlib_buffer_get_current (b0);
3978 udp0->dst_port = clib_host_to_net_u16 (dst_port);
3979 udp0->src_port = clib_host_to_net_u16 (src_port);
3980 udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t));
3983 if (ip_addr_version (dst) == AF_IP4)
3985 vlib_buffer_advance (b0, -sizeof (ip4_header_t));
3986 ip40 = vlib_buffer_get_current (b0);
3987 ip40->ip_version_and_header_length = 0x45;
3989 ip40->fragment_id = 0;
3990 ip40->flags_and_fragment_offset = 0;
3992 ip40->protocol = IP_PROTOCOL_UDP;
3993 ip40->dst_address.as_u32 = ip_addr_v4 (dst).as_u32;
3994 ip40->src_address.as_u32 = ip_addr_v4 (src).as_u32;
3995 b0->current_length =
3996 len + sizeof (ip4_header_t) + sizeof (udp_header_t);
3997 ip40->length = clib_host_to_net_u16 (b0->current_length);
3998 ip40->checksum = ip4_header_checksum (ip40);
4002 vlib_buffer_advance (b0, -sizeof (ip6_header_t));
4003 ip60 = vlib_buffer_get_current (b0);
4005 b0->current_length = len + sizeof (*ip60) + sizeof (udp_header_t);
4006 ip60->ip_version_traffic_class_and_flow_label =
4007 clib_host_to_net_u32 (0x6 << 28);
4008 ip60->payload_length =
4009 clib_host_to_net_u16 (b0->current_length - sizeof (*ip60));
4010 ip60->protocol = IP_PROTOCOL_UDP;
4011 ip60->hop_limit = 0xff;
4012 clib_memcpy_fast (ip60->src_address.as_u8, ip_addr_v6 (src).as_u8,
4013 sizeof (ip60->src_address));
4014 clib_memcpy_fast (ip60->dst_address.as_u8, ip_addr_v6 (dst).as_u8,
4015 sizeof (ip60->src_address));
4018 b0->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
4019 vnet_buffer (b0)->sw_if_index[VLIB_RX] = sw_if_index;
4020 vnet_buffer (b0)->sw_if_index[VLIB_TX] = ~0;
4022 u32 next_index = (ip_addr_version (dst) == AF_IP4) ?
4023 ip4_lookup_node.index : ip6_lookup_node.index;
4025 /* send the request */
4026 f = vlib_get_frame_to_node (vm, next_index);
4027 to_next = vlib_frame_vector_args (f);
4030 vlib_put_frame_to_node (vm, next_index, f);
4035 ikev2_get_new_ike_header_buff (vlib_main_t * vm, vlib_buffer_t ** b)
4038 if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
4043 *b = vlib_get_buffer (vm, bi0);
4048 ikev2_set_local_key (vlib_main_t * vm, u8 * file)
4050 ikev2_main_t *km = &ikev2_main;
4053 EVP_PKEY_free (km->pkey);
4054 km->pkey = ikev2_load_key_file (file);
4055 if (km->pkey == NULL)
4056 return clib_error_return (0, "load key '%s' failed", file);
4061 static vnet_api_error_t
4062 ikev2_register_udp_port (ikev2_profile_t *p, u16 port)
4064 ipsec_register_udp_port (port, 0 /* is_ip4 */);
4065 ipsec_register_udp_port (port, 1 /* is_ip4 */);
4066 p->ipsec_over_udp_port = port;
4071 ikev2_unregister_udp_port (ikev2_profile_t *p)
4073 if (p->ipsec_over_udp_port == IPSEC_UDP_PORT_NONE)
4076 ipsec_unregister_udp_port (p->ipsec_over_udp_port, 0 /* is_ip4 */);
4077 ipsec_unregister_udp_port (p->ipsec_over_udp_port, 1 /* is_ip4 */);
4078 p->ipsec_over_udp_port = IPSEC_UDP_PORT_NONE;
4082 ikev2_initiate_delete_ike_sa_internal (vlib_main_t * vm,
4083 ikev2_main_per_thread_data_t * tkm,
4084 ikev2_sa_t * sa, u8 send_notification)
4086 ikev2_main_t *km = &ikev2_main;
4087 ip_address_t *src, *dst;
4089 ikev2_child_sa_t *c;
4091 /* Create the Initiator notification for IKE SA removal */
4096 vec_resize (sa->del, 1);
4097 sa->del->protocol_id = IKEV2_PROTOCOL_IKE;
4098 sa->del->spi = sa->ispi;
4100 if (send_notification)
4102 bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
4105 ikev2_log_error ("buffer alloc failure");
4109 ike0 = vlib_buffer_get_current (b0);
4110 ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
4111 ike0->ispi = clib_host_to_net_u64 (sa->ispi);
4112 ike0->rspi = clib_host_to_net_u64 (sa->rspi);
4114 ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
4115 sa->last_init_msg_id += 1;
4116 len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
4120 if (ikev2_natt_active (sa))
4121 len = ikev2_insert_non_esp_marker (ike0, len);
4123 if (sa->is_initiator)
4134 ikev2_send_ike (vm, src, dst, bi0, len,
4135 ikev2_get_port (sa), sa->dst_port, 0);
4139 /* delete local SA */
4140 vec_foreach (c, sa->childs)
4141 ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
4143 u64 rspi = sa->rspi;
4144 ikev2_sa_free_all_vec (sa);
4145 uword *p = hash_get (tkm->sa_by_rspi, rspi);
4148 hash_unset (tkm->sa_by_rspi, rspi);
4149 pool_put (tkm->sas, sa);
4154 ikev2_cleanup_profile_sessions (ikev2_main_t * km, ikev2_profile_t * p)
4156 ikev2_main_per_thread_data_t *tkm;
4158 u32 pi = p - km->profiles;
4163 pool_foreach (sa, km->sais) {
4164 if (pi == sa->profile_index)
4165 vec_add1 (del_sai, sa - km->sais);
4169 vec_foreach (sai, del_sai)
4171 sa = pool_elt_at_index (km->sais, sai[0]);
4172 ikev2_sa_free_all_vec (sa);
4173 hash_unset (km->sa_by_ispi, sa->ispi);
4174 pool_put (km->sais, sa);
4176 vec_reset_length (del_sai);
4178 vec_foreach (tkm, km->per_thread_data)
4181 pool_foreach (sa, tkm->sas) {
4182 if (sa->profile_index != ~0 && pi == sa->profile_index)
4183 vec_add1 (del_sai, sa - tkm->sas);
4187 vec_foreach (sai, del_sai)
4189 sa = pool_elt_at_index (tkm->sas, sai[0]);
4190 ikev2_initiate_delete_ike_sa_internal (km->vlib_main, tkm, sa, 1);
4193 vec_reset_length (del_sai);
4200 ikev2_profile_responder_free (ikev2_responder_t *r)
4202 vec_free (r->hostname);
4206 ikev2_profile_free (ikev2_profile_t * p)
4210 vec_free (p->auth.data);
4212 EVP_PKEY_free (p->auth.key);
4214 ikev2_profile_responder_free (&p->responder);
4216 vec_free (p->loc_id.data);
4217 vec_free (p->rem_id.data);
4221 ikev2_bind (vlib_main_t *vm, ikev2_main_t *km)
4223 if (0 == km->bind_refcount)
4225 udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
4226 udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
4227 udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
4228 udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);
4230 vlib_punt_register (km->punt_hdl,
4231 ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0],
4235 km->bind_refcount++;
4239 ikev2_unbind (vlib_main_t *vm, ikev2_main_t *km)
4241 km->bind_refcount--;
4242 if (0 == km->bind_refcount)
4244 vlib_punt_unregister (km->punt_hdl,
4245 ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0],
4248 udp_unregister_dst_port (vm, IKEV2_PORT_NATT, 0);
4249 udp_unregister_dst_port (vm, IKEV2_PORT_NATT, 1);
4250 udp_unregister_dst_port (vm, IKEV2_PORT, 0);
4251 udp_unregister_dst_port (vm, IKEV2_PORT, 1);
4255 static void ikev2_lazy_init (ikev2_main_t *km);
4258 ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add)
4260 ikev2_main_t *km = &ikev2_main;
4263 ikev2_lazy_init (km);
4267 if (ikev2_profile_index_by_name (name))
4268 return clib_error_return (0, "policy %v already exists", name);
4270 pool_get (km->profiles, p);
4271 clib_memset (p, 0, sizeof (*p));
4272 p->name = vec_dup (name);
4273 p->ipsec_over_udp_port = IPSEC_UDP_PORT_NONE;
4274 p->responder.sw_if_index = ~0;
4276 uword index = p - km->profiles;
4277 mhash_set_mem (&km->profile_index_by_name, name, &index, 0);
4279 ikev2_bind (vm, km);
4283 p = ikev2_profile_index_by_name (name);
4285 return clib_error_return (0, "policy %v does not exists", name);
4287 ikev2_unbind (vm, km);
4289 ikev2_unregister_udp_port (p);
4290 ikev2_cleanup_profile_sessions (km, p);
4292 ikev2_profile_free (p);
4293 pool_put (km->profiles, p);
4294 mhash_unset (&km->profile_index_by_name, name, 0);
4300 ikev2_set_profile_auth (vlib_main_t * vm, u8 * name, u8 auth_method,
4301 u8 * auth_data, u8 data_hex_format)
4306 p = ikev2_profile_index_by_name (name);
4310 r = clib_error_return (0, "unknown profile %v", name);
4315 EVP_PKEY_free (p->auth.key);
4316 vec_free (p->auth.data);
4318 p->auth.method = auth_method;
4319 p->auth.data = vec_dup (auth_data);
4320 p->auth.hex = data_hex_format;
4322 if (auth_method == IKEV2_AUTH_METHOD_RSA_SIG)
4324 vec_add1 (p->auth.data, 0);
4325 p->auth.key = ikev2_load_cert_file (p->auth.data);
4326 if (p->auth.key == NULL)
4327 return clib_error_return (0, "load cert '%s' failed", p->auth.data);
4334 ikev2_is_id_supported (u8 id_type)
4336 return (id_type == IKEV2_ID_TYPE_ID_IPV4_ADDR ||
4337 id_type == IKEV2_ID_TYPE_ID_IPV6_ADDR ||
4338 id_type == IKEV2_ID_TYPE_ID_RFC822_ADDR ||
4339 id_type == IKEV2_ID_TYPE_ID_FQDN);
4343 ikev2_set_profile_id (vlib_main_t * vm, u8 * name, u8 id_type, u8 * data,
4349 if (!ikev2_is_id_supported (id_type))
4351 r = clib_error_return (0, "unsupported identity type %U",
4352 format_ikev2_id_type, id_type);
4356 p = ikev2_profile_index_by_name (name);
4360 r = clib_error_return (0, "unknown profile %v", name);
4366 vec_free (p->loc_id.data);
4367 p->loc_id.type = id_type;
4368 p->loc_id.data = vec_dup (data);
4372 vec_free (p->rem_id.data);
4373 p->rem_id.type = id_type;
4374 p->rem_id.data = vec_dup (data);
4381 ikev2_set_ts_type (ikev2_ts_t *ts, const ip_address_t *addr)
4383 if (ip_addr_version (addr) == AF_IP4)
4384 ts->ts_type = TS_IPV4_ADDR_RANGE;
4386 ts->ts_type = TS_IPV6_ADDR_RANGE;
4390 ikev2_set_ts_addrs (ikev2_ts_t *ts, const ip_address_t *start,
4391 const ip_address_t *end)
4393 ip_address_copy (&ts->start_addr, start);
4394 ip_address_copy (&ts->end_addr, end);
4398 ikev2_set_profile_ts (vlib_main_t * vm, u8 * name, u8 protocol_id,
4399 u16 start_port, u16 end_port, ip_address_t start_addr,
4400 ip_address_t end_addr, int is_local)
4405 p = ikev2_profile_index_by_name (name);
4409 r = clib_error_return (0, "unknown profile %v", name);
4413 if (ip_addr_version (&start_addr) != ip_addr_version (&end_addr))
4414 return clib_error_return (0, "IP address version mismatch!");
4418 ikev2_set_ts_addrs (&p->loc_ts, &start_addr, &end_addr);
4419 p->loc_ts.start_port = start_port;
4420 p->loc_ts.end_port = end_port;
4421 p->loc_ts.protocol_id = protocol_id;
4422 ikev2_set_ts_type (&p->loc_ts, &start_addr);
4426 ikev2_set_ts_addrs (&p->rem_ts, &start_addr, &end_addr);
4427 p->rem_ts.start_port = start_port;
4428 p->rem_ts.end_port = end_port;
4429 p->rem_ts.protocol_id = protocol_id;
4430 ikev2_set_ts_type (&p->rem_ts, &start_addr);
4437 ikev2_set_profile_responder_hostname (vlib_main_t *vm, u8 *name, u8 *hostname,
4443 p = ikev2_profile_index_by_name (name);
4447 r = clib_error_return (0, "unknown profile %v", name);
4451 p->responder.is_resolved = 0;
4452 p->responder.sw_if_index = sw_if_index;
4453 p->responder.hostname = vec_dup (hostname);
4459 ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
4460 u32 sw_if_index, ip_address_t addr)
4465 p = ikev2_profile_index_by_name (name);
4469 r = clib_error_return (0, "unknown profile %v", name);
4473 p->responder.is_resolved = 1;
4474 p->responder.sw_if_index = sw_if_index;
4475 ip_address_copy (&p->responder.addr, &addr);
4481 ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
4482 ikev2_transform_encr_type_t crypto_alg,
4483 ikev2_transform_integ_type_t integ_alg,
4484 ikev2_transform_dh_type_t dh_type,
4485 u32 crypto_key_size)
4489 p = ikev2_profile_index_by_name (name);
4491 return clib_error_return (0, "unknown profile %v", name);
4493 if ((IKEV2_TRANSFORM_INTEG_TYPE_NONE != integ_alg) +
4494 (IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 == crypto_alg) !=
4496 return clib_error_return (0, "invalid cipher + integrity algorithm");
4498 p->ike_ts.crypto_alg = crypto_alg;
4499 p->ike_ts.integ_alg = integ_alg;
4500 p->ike_ts.dh_type = dh_type;
4501 p->ike_ts.crypto_key_size = crypto_key_size;
4506 ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name,
4507 ikev2_transform_encr_type_t crypto_alg,
4508 ikev2_transform_integ_type_t integ_alg,
4509 u32 crypto_key_size)
4514 p = ikev2_profile_index_by_name (name);
4518 r = clib_error_return (0, "unknown profile %v", name);
4522 p->esp_ts.crypto_alg = crypto_alg;
4523 p->esp_ts.integ_alg = integ_alg;
4524 p->esp_ts.crypto_key_size = crypto_key_size;
4529 ikev2_set_profile_tunnel_interface (vlib_main_t * vm,
4530 u8 * name, u32 sw_if_index)
4535 p = ikev2_profile_index_by_name (name);
4539 r = clib_error_return (0, "unknown profile %v", name);
4543 p->tun_itf = sw_if_index;
4549 ikev2_set_profile_ipsec_udp_port (vlib_main_t * vm, u8 * name, u16 port,
4552 ikev2_profile_t *p = ikev2_profile_index_by_name (name);
4553 vnet_api_error_t rv = 0;
4556 return VNET_API_ERROR_INVALID_VALUE;
4560 if (p->ipsec_over_udp_port != IPSEC_UDP_PORT_NONE)
4561 return VNET_API_ERROR_VALUE_EXIST;
4563 rv = ikev2_register_udp_port (p, port);
4567 if (p->ipsec_over_udp_port == IPSEC_UDP_PORT_NONE)
4568 return VNET_API_ERROR_INVALID_VALUE;
4570 ikev2_unregister_udp_port (p);
4576 ikev2_set_profile_udp_encap (vlib_main_t * vm, u8 * name)
4578 ikev2_profile_t *p = ikev2_profile_index_by_name (name);
4583 r = clib_error_return (0, "unknown profile %v", name);
4592 ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name,
4593 u64 lifetime, u32 jitter, u32 handover,
4599 p = ikev2_profile_index_by_name (name);
4603 r = clib_error_return (0, "unknown profile %v", name);
4607 p->lifetime = lifetime;
4608 p->lifetime_jitter = jitter;
4609 p->handover = handover;
4610 p->lifetime_maxdata = maxdata;
4615 ikev2_get_if_address (u32 sw_if_index, ip_address_family_t af,
4616 ip_address_t * out_addr)
4618 ip4_address_t *if_ip4;
4619 ip6_address_t *if_ip6;
4623 if_ip4 = ip4_interface_first_address (&ip4_main, sw_if_index, 0);
4626 ip_address_set (out_addr, if_ip4, AF_IP4);
4632 if_ip6 = ip6_interface_first_address (&ip6_main, sw_if_index);
4635 ip_address_set (out_addr, if_ip6, AF_IP6);
4642 static clib_error_t *
4643 ikev2_resolve_responder_hostname (vlib_main_t *vm, ikev2_responder_t *r)
4645 ikev2_main_t *km = &ikev2_main;
4646 dns_cache_entry_t *ep = 0;
4647 dns_pending_request_t _t0, *t0 = &_t0;
4648 dns_resolve_name_t _rn, *rn = &_rn;
4652 if (!km->dns_resolve_name_ptr)
4653 return clib_error_return (0, "cannot load symbols from dns plugin");
4655 t0->request_type = DNS_API_PENDING_NAME_TO_IP;
4656 /* VPP main curse: IKEv2 uses only non-NULL terminated vectors internally
4657 * whereas DNS resolver expects a NULL-terminated C-string */
4658 name = vec_dup (r->hostname);
4659 vec_terminate_c_string (name);
4660 rv = ((__typeof__ (dns_resolve_name) *) km->dns_resolve_name_ptr) (name, &ep,
4664 return clib_error_return (0, "dns lookup failure");
4669 ip_address_copy (&r->addr, &rn->address);
4675 ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
4679 ikev2_main_t *km = &ikev2_main;
4683 int len = sizeof (ike_header_t), valid_ip = 0;
4684 ip_address_t src_if_ip = ip_address_initializer;
4686 p = ikev2_profile_index_by_name (name);
4690 r = clib_error_return (0, "unknown profile %v", name);
4694 if (p->responder.sw_if_index == ~0 ||
4695 (ip_address_is_zero (&p->responder.addr) &&
4696 vec_len (p->responder.hostname) == 0))
4698 r = clib_error_return (0, "responder not set for profile %v", name);
4702 if (!p->responder.is_resolved)
4704 /* try to resolve using dns plugin
4705 * success does not mean we have resolved the name */
4706 r = ikev2_resolve_responder_hostname (vm, &p->responder);
4711 if (p->responder.is_resolved &&
4712 ikev2_get_if_address (p->responder.sw_if_index,
4713 ip_addr_version (&p->responder.addr), &src_if_ip))
4718 /* Prepare the SA and the IKE payload */
4720 clib_memset (&sa, 0, sizeof (ikev2_sa_t));
4721 ikev2_payload_chain_t *chain = 0;
4722 ikev2_payload_new_chain (chain);
4724 /* Build the IKE proposal payload */
4725 ikev2_sa_proposal_t *proposals = 0;
4726 ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
4727 proposals[0].proposal_num = 1;
4728 proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
4730 /* Add and then cleanup proposal data */
4731 ikev2_payload_add_sa (chain, proposals, 0);
4732 ikev2_sa_free_proposal_vector (&proposals);
4734 sa.is_initiator = 1;
4735 sa.profile_index = p - km->profiles;
4736 sa.state = IKEV2_STATE_SA_INIT;
4737 sa.tun_itf = p->tun_itf;
4738 sa.udp_encap = p->udp_encap;
4739 if (p->natt_disabled)
4740 sa.natt_state = IKEV2_NATT_DISABLED;
4741 sa.ipsec_over_udp_port = p->ipsec_over_udp_port;
4742 sa.is_tun_itf_set = 1;
4743 sa.initial_contact = 1;
4744 sa.dst_port = IKEV2_PORT;
4746 ikev2_generate_sa_error_t rc = ikev2_generate_sa_init_data (&sa);
4747 if (rc != IKEV2_GENERATE_SA_INIT_OK)
4749 ikev2_sa_free_all_vec (&sa);
4750 ikev2_payload_destroy_chain (chain);
4751 return clib_error_return (0, "%U", format_ikev2_gen_sa_error, rc);
4754 ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
4755 ikev2_payload_add_nonce (chain, sa.i_nonce);
4757 /* Build the child SA proposal */
4758 vec_resize (sa.childs, 1);
4759 ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
4760 &sa.childs[0].i_proposals, 0);
4761 sa.childs[0].i_proposals[0].proposal_num = 1;
4762 sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP;
4763 RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
4764 sizeof (sa.childs[0].i_proposals[0].spi));
4765 sa.childs[0].i_proposals[0].spi &= 0xffffffff;
4767 /* Add NAT detection notification messages (mandatory) */
4768 u8 *nat_detection_sha1 = ikev2_compute_nat_sha1 (
4769 clib_host_to_net_u64 (sa.ispi), clib_host_to_net_u64 (sa.rspi), &src_if_ip,
4770 clib_host_to_net_u16 (IKEV2_PORT));
4772 ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
4773 nat_detection_sha1);
4774 vec_free (nat_detection_sha1);
4775 nat_detection_sha1 =
4776 ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa.ispi),
4777 clib_host_to_net_u64 (sa.rspi),
4779 clib_host_to_net_u16 (sa.dst_port));
4780 ikev2_payload_add_notify (chain,
4781 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
4782 nat_detection_sha1);
4783 vec_free (nat_detection_sha1);
4785 u8 *sig_hash_algo = vec_new (u8, 8);
4786 u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
4787 clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
4788 ikev2_payload_add_notify (chain,
4789 IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
4791 vec_free (sig_hash_algo);
4793 bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
4796 ikev2_sa_free_all_vec (&sa);
4797 ikev2_payload_destroy_chain (chain);
4798 char *errmsg = "buffer alloc failure";
4799 ikev2_log_error (errmsg);
4800 return clib_error_return (0, errmsg);
4802 ike0 = vlib_buffer_get_current (b0);
4804 /* Buffer update and boilerplate */
4805 len += vec_len (chain->data);
4806 ike0->nextpayload = chain->first_payload_type;
4807 ike0->length = clib_host_to_net_u32 (len);
4808 clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
4809 ikev2_payload_destroy_chain (chain);
4811 ike0->version = IKE_VERSION_2;
4812 ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
4813 ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
4814 ike0->ispi = clib_host_to_net_u64 (sa.ispi);
4817 sa.last_init_msg_id += 1;
4819 /* store whole IKE payload - needed for PSK auth */
4820 vec_reset_length (sa.last_sa_init_req_packet_data);
4821 vec_add (sa.last_sa_init_req_packet_data, ike0, len);
4823 /* add data to the SA then add it to the pool */
4824 ip_address_copy (&sa.iaddr, &src_if_ip);
4825 ip_address_copy (&sa.raddr, &p->responder.addr);
4826 sa.i_id.type = p->loc_id.type;
4827 sa.i_id.data = vec_dup (p->loc_id.data);
4828 sa.r_id.type = p->rem_id.type;
4829 sa.r_id.data = vec_dup (p->rem_id.data);
4830 sa.i_auth.method = p->auth.method;
4831 sa.i_auth.hex = p->auth.hex;
4832 sa.i_auth.data = vec_dup (p->auth.data);
4833 sa.sw_if_index = p->responder.sw_if_index;
4834 vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
4835 vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
4837 ikev2_initial_contact_cleanup (0, &sa);
4839 /* add SA to the pool */
4840 ikev2_sa_t *sa0 = 0;
4841 pool_get (km->sais, sa0);
4842 clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
4843 hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
4847 ikev2_send_ike (vm, &src_if_ip, &p->responder.addr, bi0, len, IKEV2_PORT,
4848 sa.dst_port, sa.sw_if_index);
4851 ("ispi %lx rspi %lx IKEV2_EXCHANGE_SA_INIT sent to ",
4852 clib_host_to_net_u64 (sa0->ispi), 0,
4853 ip_addr_v4 (&p->responder.addr).as_u32,
4854 ip_addr_version (&p->responder.addr) == AF_IP4);
4861 ikev2_delete_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
4862 ikev2_child_sa_t * csa)
4864 /* Create the Initiator notification for child SA removal */
4865 ikev2_main_t *km = &ikev2_main;
4871 bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
4874 ikev2_log_error ("buffer alloc failure");
4878 ike0 = vlib_buffer_get_current (b0);
4879 ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
4880 ike0->ispi = clib_host_to_net_u64 (sa->ispi);
4881 ike0->rspi = clib_host_to_net_u64 (sa->rspi);
4883 vec_resize (sa->del, 1);
4884 sa->del->protocol_id = IKEV2_PROTOCOL_ESP;
4885 sa->del->spi = csa->i_proposals->spi;
4886 ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
4887 sa->last_init_msg_id += 1;
4888 len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
4892 if (ikev2_natt_active (sa))
4893 len = ikev2_insert_non_esp_marker (ike0, len);
4894 ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
4895 ikev2_get_port (sa), sa->dst_port, sa->sw_if_index);
4897 /* delete local child SA */
4898 ikev2_delete_tunnel_interface (km->vnet_main, sa, csa);
4899 ikev2_sa_del_child_sa (sa, csa);
4903 ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi)
4906 ikev2_main_t *km = &ikev2_main;
4907 ikev2_main_per_thread_data_t *tkm;
4908 ikev2_sa_t *fsa = 0;
4909 ikev2_child_sa_t *fchild = 0;
4911 /* Search for the child SA */
4912 vec_foreach (tkm, km->per_thread_data)
4918 pool_foreach (sa, tkm->sas) {
4919 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
4929 if (!fchild || !fsa)
4931 r = clib_error_return (0, "Child SA not found");
4936 ikev2_delete_child_sa_internal (vm, fsa, fchild);
4943 ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi)
4946 ikev2_main_t *km = &ikev2_main;
4947 ikev2_main_per_thread_data_t *tkm;
4948 ikev2_sa_t *fsa = 0;
4949 ikev2_main_per_thread_data_t *ftkm = 0;
4951 /* Search for the IKE SA */
4952 vec_foreach (tkm, km->per_thread_data)
4958 pool_foreach (sa, tkm->sas) {
4959 if (sa->ispi == ispi)
4971 r = clib_error_return (0, "IKE SA not found");
4975 ikev2_initiate_delete_ike_sa_internal (vm, ftkm, fsa, 1);
4980 ikev2_rekey_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
4981 ikev2_child_sa_t * csa)
4983 /* Create the Initiator request for create child SA */
4989 bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
4992 ikev2_log_error ("buffer alloc failure");
4996 ike0 = vlib_buffer_get_current (b0);
4997 ike0->version = IKE_VERSION_2;
4998 ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
4999 ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
5000 ike0->ispi = clib_host_to_net_u64 (sa->ispi);
5001 ike0->rspi = clib_host_to_net_u64 (sa->rspi);
5002 ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
5003 sa->last_init_msg_id += 1;
5005 ikev2_rekey_t *rekey;
5006 vec_reset_length (sa->rekey);
5007 vec_add2 (sa->rekey, rekey, 1);
5009 ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
5012 RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
5013 proposals[0].spi &= 0xffffffff;
5014 rekey->spi = proposals[0].spi;
5015 rekey->ispi = csa->i_proposals->spi;
5016 len = ikev2_generate_message (b0, sa, ike0, proposals, 0, 0);
5020 if (ikev2_natt_active (sa))
5021 len = ikev2_insert_non_esp_marker (ike0, len);
5022 ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
5023 ikev2_get_port (sa), ikev2_get_port (sa), sa->sw_if_index);
5024 vec_free (proposals);
5028 ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi)
5031 ikev2_main_t *km = &ikev2_main;
5032 ikev2_main_per_thread_data_t *tkm;
5033 ikev2_sa_t *fsa = 0;
5034 ikev2_child_sa_t *fchild = 0;
5036 /* Search for the child SA */
5037 vec_foreach (tkm, km->per_thread_data)
5043 pool_foreach (sa, tkm->sas) {
5044 fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
5054 if (!fchild || !fsa)
5056 r = clib_error_return (0, "Child SA not found");
5061 ikev2_rekey_child_sa_internal (vm, fsa, fchild);
5068 ikev2_sa_sw_if_match (ikev2_sa_t * sa, u32 sw_if_index)
5070 return (sa->sw_if_index == sw_if_index) && sa->is_initiator;
5074 ikev2_sa_del (ikev2_profile_t * p, u32 sw_if_index)
5076 u64 *ispi, *ispi_vec = 0;
5077 ikev2_sa_t *sa, **sap, **sa_vec = 0;
5078 ikev2_main_t *km = &ikev2_main;
5079 ikev2_main_per_thread_data_t *tkm;
5080 p->responder.sw_if_index = ~0;
5082 vec_foreach (tkm, km->per_thread_data)
5085 pool_foreach (sa, tkm->sas) {
5086 if (ikev2_sa_sw_if_match (sa, sw_if_index))
5087 vec_add1 (sa_vec, sa);
5091 vec_foreach (sap, sa_vec)
5093 ikev2_initiate_delete_ike_sa_internal (km->vlib_main, tkm, *sap, 0);
5095 vec_reset_length (sa_vec);
5100 pool_foreach (sa, km->sais) {
5101 if (ikev2_sa_sw_if_match (sa, sw_if_index))
5102 vec_add1 (ispi_vec, sa->ispi);
5106 vec_foreach (ispi, ispi_vec)
5108 ikev2_del_sa_init_from_main (ispi);
5111 vec_free (ispi_vec);
5114 static clib_error_t *
5115 ikev2_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
5117 ikev2_main_t *km = &ikev2_main;
5124 pool_foreach (p, km->profiles) {
5125 if (p->responder.sw_if_index == sw_if_index)
5126 ikev2_sa_del (p, sw_if_index);
5133 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (ikev2_sw_interface_add_del);
5136 ikev2_init (vlib_main_t * vm)
5138 ikev2_main_t *km = &ikev2_main;
5140 clib_memset (km, 0, sizeof (ikev2_main_t));
5142 km->log_level = IKEV2_LOG_ERROR;
5143 km->log_class = vlib_log_register_class ("ikev2", 0);
5145 km->vnet_main = vnet_get_main ();
5148 km->liveness_period = IKEV2_LIVENESS_PERIOD_CHECK;
5149 km->liveness_max_retries = IKEV2_LIVENESS_RETRIES;
5155 VLIB_INIT_FUNCTION (ikev2_init) = {
5156 .runs_after = VLIB_INITS ("ipsec_init", "ipsec_punt_init"),
5161 ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa,
5164 ikev2_main_t *km = &ikev2_main;
5165 ikev2_profile_t *p = 0;
5166 vlib_main_t *vm = km->vlib_main;
5167 f64 now = vlib_time_now (vm);
5170 if (sa->profile_index != ~0)
5171 p = pool_elt_at_index (km->profiles, sa->profile_index);
5173 if (sa->is_initiator && p && csa->time_to_expiration
5174 && now > csa->time_to_expiration)
5176 if (!csa->is_expired || csa->rekey_retries > 0)
5178 ikev2_rekey_child_sa_internal (vm, sa, csa);
5179 csa->time_to_expiration = now + p->handover;
5180 csa->is_expired = 1;
5181 if (csa->rekey_retries == 0)
5183 csa->rekey_retries = 5;
5185 else if (csa->rekey_retries > 0)
5187 csa->rekey_retries--;
5188 ikev2_log_debug ("Rekeying Child SA 0x%x, retries left %d",
5189 csa->i_proposals->spi, csa->rekey_retries);
5190 if (csa->rekey_retries == 0)
5192 csa->rekey_retries = -1;
5199 csa->time_to_expiration = 0;
5200 ikev2_delete_child_sa_internal (vm, sa, csa);
5208 ipip_tunnel_t *ipip = NULL;
5209 u32 sw_if_index = sa->is_tun_itf_set ? sa->tun_itf : ~0;
5210 if (~0 == sw_if_index)
5212 ip46_address_t local_ip;
5213 ip46_address_t remote_ip;
5214 if (sa->is_initiator)
5216 local_ip = to_ip46 (ip_addr_version (&sa->iaddr),
5217 ip_addr_bytes (&sa->iaddr));
5218 remote_ip = to_ip46 (ip_addr_version (&sa->raddr),
5219 ip_addr_bytes (&sa->raddr));
5223 local_ip = to_ip46 (ip_addr_version (&sa->raddr),
5224 ip_addr_bytes (&sa->raddr));
5225 remote_ip = to_ip46 (ip_addr_version (&sa->iaddr),
5226 ip_addr_bytes (&sa->iaddr));
5230 ipip_tunnel_key_t key = {
5233 .transport = IPIP_TRANSPORT_IP4,
5238 ipip = ipip_tunnel_db_find (&key);
5241 sw_if_index = ipip->sw_if_index;
5247 vec_add1 (sas_in, csa->remote_sa_id);
5248 vlib_worker_thread_barrier_sync (vm);
5249 int rv = ipsec_tun_protect_update (sw_if_index, NULL,
5250 csa->local_sa_id, sas_in);
5253 ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id));
5254 vlib_worker_thread_barrier_release (vm);
5261 ikev2_set_log_level (ikev2_log_level_t log_level)
5263 ikev2_main_t *km = &ikev2_main;
5265 if (log_level >= IKEV2_LOG_MAX)
5267 ikev2_log_error ("unknown logging level %d", log_level);
5271 km->log_level = log_level;
5276 ikev2_set_liveness_params (u32 period, u32 max_retries)
5278 ikev2_main_t *km = &ikev2_main;
5280 if (period == 0 || max_retries == 0)
5281 return clib_error_return (0, "invalid args");
5283 km->liveness_period = period;
5284 km->liveness_max_retries = max_retries;
5289 ikev2_profile_natt_disable (u8 * name)
5291 ikev2_profile_t *p = ikev2_profile_index_by_name (name);
5293 return clib_error_return (0, "unknown profile %v", name);
5295 p->natt_disabled = 1;
5300 ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
5302 ikev2_main_t *km = &ikev2_main;
5303 vlib_main_t *vm = km->vlib_main;
5304 ikev2_main_per_thread_data_t *tkm;
5305 ikev2_sa_t *fsa = 0;
5306 ikev2_profile_t *p = 0;
5307 ikev2_child_sa_t *fchild = 0;
5308 f64 now = vlib_time_now (vm);
5309 vlib_counter_t counts;
5311 /* Search for the SA and child SA */
5312 vec_foreach (tkm, km->per_thread_data)
5318 pool_foreach (sa, tkm->sas) {
5319 fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
5328 vlib_get_combined_counter (&ipsec_sa_counters,
5329 ipsec_sa->stat_index, &counts);
5331 if (fsa && fsa->profile_index != ~0 && fsa->is_initiator)
5332 p = pool_elt_at_index (km->profiles, fsa->profile_index);
5334 if (fchild && p && p->lifetime_maxdata)
5336 if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
5338 fchild->time_to_expiration = now;
5344 ikev2_process_pending_sa_init_one (vlib_main_t *vm, ikev2_main_t *km,
5350 p = pool_elt_at_index (km->profiles, sa->profile_index);
5352 if (!p->responder.is_resolved)
5354 clib_error_t *r = ikev2_resolve_responder_hostname (vm, &p->responder);
5357 clib_error_free (r);
5361 if (!p->responder.is_resolved)
5364 ip_address_copy (&sa->raddr, &p->responder.addr);
5366 /* update nat detection destination hash */
5367 np = ikev2_find_ike_notify_payload (
5368 (ike_header_t *) sa->last_sa_init_req_packet_data,
5369 IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP);
5372 nat_sha = ikev2_compute_nat_sha1 (
5373 clib_host_to_net_u64 (sa->ispi), clib_host_to_net_u64 (sa->rspi),
5374 &sa->raddr, clib_host_to_net_u16 (sa->dst_port));
5375 clib_memcpy_fast (np, nat_sha, vec_len (nat_sha));
5380 if (ip_address_is_zero (&sa->iaddr))
5382 if (!ikev2_get_if_address (p->responder.sw_if_index,
5383 ip_addr_version (&p->responder.addr),
5387 /* update NAT detection payload */
5389 ikev2_find_ike_notify_payload
5390 ((ike_header_t *) sa->last_sa_init_req_packet_data,
5391 IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP);
5395 ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
5396 clib_host_to_net_u64 (sa->rspi),
5398 clib_host_to_net_u16 (IKEV2_PORT));
5399 clib_memcpy_fast (np, nat_sha, vec_len (nat_sha));
5404 if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
5407 vlib_buffer_t *b = vlib_get_buffer (km->vlib_main, bi0);
5408 clib_memcpy_fast (vlib_buffer_get_current (b),
5409 sa->last_sa_init_req_packet_data,
5410 vec_len (sa->last_sa_init_req_packet_data));
5412 ikev2_send_ike (km->vlib_main, &sa->iaddr, &sa->raddr, bi0,
5413 vec_len (sa->last_sa_init_req_packet_data),
5414 ikev2_get_port (sa), IKEV2_PORT, sa->sw_if_index);
5418 ikev2_process_pending_sa_init (vlib_main_t *vm, ikev2_main_t *km)
5425 hash_foreach (ispi, sai, km->sa_by_ispi,
5427 sa = pool_elt_at_index (km->sais, sai);
5428 if (sa->init_response_received)
5431 ikev2_process_pending_sa_init_one (vm, km, sa);
5437 ikev2_send_informational_request (ikev2_sa_t * sa)
5439 ikev2_main_t *km = &ikev2_main;
5440 ip_address_t *src, *dst;
5447 bi0 = ikev2_get_new_ike_header_buff (km->vlib_main, &b0);
5450 ikev2_log_error ("buffer alloc failure");
5454 ike0 = vlib_buffer_get_current (b0);
5455 ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
5456 ike0->ispi = clib_host_to_net_u64 (sa->ispi);
5457 ike0->rspi = clib_host_to_net_u64 (sa->rspi);
5458 ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
5460 sa->last_init_msg_id += 1;
5461 len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
5465 if (ikev2_natt_active (sa))
5466 len = ikev2_insert_non_esp_marker (ike0, len);
5468 if (sa->is_initiator)
5479 dp = sa->dst_port ? sa->dst_port : ikev2_get_port (sa);
5480 ikev2_send_ike (km->vlib_main, src, dst, bi0, len, ikev2_get_port (sa), dp,
5485 ikev2_disable_dpd (void)
5487 ikev2_main_t *km = &ikev2_main;
5488 km->dpd_disabled = 1;
5492 ikev2_mngr_process_responder_sas (ikev2_sa_t *sa)
5494 ikev2_main_t *km = &ikev2_main;
5495 vlib_main_t *vm = km->vlib_main;
5497 if (!sa->keys_generated)
5500 if (sa->liveness_retries >= km->liveness_max_retries)
5503 f64 now = vlib_time_now (vm);
5505 if (sa->liveness_period_check < now)
5507 sa->liveness_retries++;
5508 sa->liveness_period_check = now + km->liveness_period;
5509 ikev2_send_informational_request (sa);
5515 ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
5518 ikev2_main_t *km = &ikev2_main;
5520 ikev2_child_sa_t *c;
5523 /* lazy init will wake it up */
5524 vlib_process_wait_for_event (vm);
5528 vlib_process_wait_for_event_or_clock (vm, 2);
5529 vlib_process_get_events (vm, NULL);
5531 /* process ike child sas */
5532 ikev2_main_per_thread_data_t *tkm;
5533 vec_foreach (tkm, km->per_thread_data)
5536 u32 *to_be_deleted = 0;
5539 pool_foreach (sa, tkm->sas) {
5540 ikev2_child_sa_t *c;
5543 if (sa->state == IKEV2_STATE_SA_INIT)
5545 if (vec_len (sa->childs) > 0)
5546 vec_add1 (to_be_deleted, sa - tkm->sas);
5548 else if (sa->state != IKEV2_STATE_AUTHENTICATED)
5551 if (sa->old_remote_id_present && 0 > sa->old_id_expiration)
5553 sa->old_remote_id_present = 0;
5557 sa->old_id_expiration -= 1;
5559 vec_foreach (c, sa->childs)
5560 ikev2_mngr_process_child_sa (sa, c, del_old_ids);
5562 if (!km->dpd_disabled && ikev2_mngr_process_responder_sas (sa))
5563 vec_add1 (to_be_deleted, sa - tkm->sas);
5566 vec_foreach (sai, to_be_deleted)
5568 sa = pool_elt_at_index (tkm->sas, sai[0]);
5569 const u32 profile_index = sa->profile_index;
5570 const int reinitiate = (sa->is_initiator && profile_index != ~0);
5571 vec_foreach (c, sa->childs)
5573 ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
5574 ikev2_sa_del_child_sa (sa, c);
5576 ikev2_sa_free_all_vec (sa);
5577 hash_unset (tkm->sa_by_rspi, sa->rspi);
5578 pool_put (tkm->sas, sa);
5582 p = pool_elt_at_index (km->profiles, profile_index);
5585 clib_error_t *e = ikev2_initiate_sa_init (vm, p->name);
5588 ikev2_log_error ("%U", format_clib_error, e);
5589 clib_error_free (e);
5594 vec_free (to_be_deleted);
5597 /* process ipsec sas */
5600 pool_foreach (sa, ipsec_sa_pool)
5602 ikev2_mngr_process_ipsec_sa (sa);
5606 ikev2_process_pending_sa_init (vm, km);
5612 VLIB_REGISTER_NODE (ikev2_mngr_process_node, static) = {
5613 .function = ikev2_mngr_process_fn,
5614 .type = VLIB_NODE_TYPE_PROCESS,
5616 "ikev2-manager-process",
5620 ikev2_lazy_init (ikev2_main_t *km)
5622 vlib_thread_main_t *tm = vlib_get_thread_main ();
5625 if (km->lazy_init_done)
5628 ikev2_crypto_init (km);
5630 mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword));
5632 vec_validate_aligned (km->per_thread_data, tm->n_vlib_mains - 1,
5633 CLIB_CACHE_LINE_BYTES);
5634 for (thread_id = 0; thread_id < tm->n_vlib_mains; thread_id++)
5636 ikev2_main_per_thread_data_t *ptd =
5637 vec_elt_at_index (km->per_thread_data, thread_id);
5639 ptd->sa_by_rspi = hash_create (0, sizeof (uword));
5641 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
5642 ptd->evp_ctx = EVP_CIPHER_CTX_new ();
5643 ptd->hmac_ctx = HMAC_CTX_new ();
5645 EVP_CIPHER_CTX_init (&ptd->_evp_ctx);
5646 ptd->evp_ctx = &ptd->_evp_ctx;
5647 HMAC_CTX_init (&(ptd->_hmac_ctx));
5648 ptd->hmac_ctx = &ptd->_hmac_ctx;
5652 km->sa_by_ispi = hash_create (0, sizeof (uword));
5653 km->sw_if_indices = hash_create (0, 0);
5655 km->punt_hdl = vlib_punt_client_register ("ikev2");
5657 km->dns_resolve_name_ptr =
5658 vlib_get_plugin_symbol ("dns_plugin.so", "dns_resolve_name");
5659 if (!km->dns_resolve_name_ptr)
5660 ikev2_log_error ("cannot load symbols from dns plugin");
5662 /* wake up ikev2 process */
5663 vlib_process_signal_event (vlib_get_first_main (),
5664 ikev2_mngr_process_node.index, 0, 0);
5666 km->lazy_init_done = 1;
5669 VLIB_PLUGIN_REGISTER () = {
5670 .version = VPP_BUILD_VER,
5671 .description = "Internet Key Exchange (IKEv2) Protocol",
5676 * fd.io coding-style-patch-verification: ON
5679 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob