2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __included_ikev2_priv_h__
16 #define __included_ikev2_priv_h__
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ethernet/ethernet.h>
22 #include <plugins/ikev2/ikev2.h>
24 #include <vppinfra/hash.h>
25 #include <vppinfra/elog.h>
26 #include <vppinfra/error.h>
28 #include <openssl/rand.h>
29 #include <openssl/dh.h>
30 #include <openssl/hmac.h>
31 #include <openssl/evp.h>
/* Compile-time switch for payload debug output. When this is 1 the
 * DBG_PLD() macro that follows expands to clib_warning(), so every
 * DBG_PLD() call site emits a log message in any build that includes this
 * header; when it is not 1, DBG_PLD() expands to nothing.
 * NOTE(review): what the call sites print (presumably in ikev2_payload.c)
 * is not visible here. If that output includes raw payload contents, this
 * should be 0 for production builds so negotiation data does not end up in
 * logs - confirm against the DBG_PLD() users. */
24 #define IKEV2_DEBUG_PAYLOAD 1
35 #if IKEV2_DEBUG_PAYLOAD == 1
36 #define DBG_PLD(my_args...) clib_warning(my_args)
38 #define DBG_PLD(my_args...)
46 IKEV2_STATE_AUTH_FAILED,
47 IKEV2_STATE_AUTHENTICATED,
48 IKEV2_STATE_NOTIFY_AND_DELETE,
49 IKEV2_STATE_TS_UNACCEPTABLE,
50 IKEV2_STATE_NO_PROPOSAL_CHOSEN,
55 ikev2_auth_method_t method:8;
57 u8 hex; /* hex encoding of the shared secret */
63 IKEV2_DH_GROUP_MODP = 0,
64 IKEV2_DH_GROUP_ECP = 1,
69 ikev2_transform_type_t type;
73 ikev2_transform_encr_type_t encr_type:16;
74 ikev2_transform_prf_type_t prf_type:16;
75 ikev2_transform_integ_type_t integ_type:16;
76 ikev2_transform_dh_type_t dh_type:16;
77 ikev2_transform_esn_type_t esn_type:16;
89 } ikev2_sa_transform_t;
94 ikev2_protocol_id_t protocol_id:8;
96 ikev2_sa_transform_t *transforms;
97 } ikev2_sa_proposal_t;
106 ip4_address_t start_addr;
107 ip4_address_t end_addr;
118 ikev2_transform_encr_type_t crypto_alg;
119 ikev2_transform_integ_type_t integ_alg;
120 ikev2_transform_dh_type_t dh_type;
122 } ikev2_transforms_set;
127 ikev2_id_type_t type:8;
133 /* sa proposals vectors */
134 ikev2_sa_proposal_t *i_proposals;
135 ikev2_sa_proposal_t *r_proposals;
137 /* Traffic Selectors */
154 f64 time_to_expiration;
162 u32 spi; /*for ESP and AH SPI size is 4, for IKE size is 0 */
170 ikev2_sa_proposal_t *i_proposal;
171 ikev2_sa_proposal_t *r_proposal;
194 ikev2_responder_t responder;
195 ikev2_transforms_set ike_ts;
196 ikev2_transforms_set esp_ts;
198 u64 lifetime_maxdata;
222 /* sa proposals vectors */
223 ikev2_sa_proposal_t *i_proposals;
224 ikev2_sa_proposal_t *r_proposals;
243 /* pending deletes */
246 /* pending rekeyings */
247 ikev2_rekey_t *rekey;
250 u8 *last_sa_init_req_packet_data;
251 u8 *last_sa_init_res_packet_data;
255 u8 *last_res_packet_data;
258 u32 last_init_msg_id;
259 u8 is_profile_index_set;
262 ikev2_child_sa_t *childs;
268 /* pool of IKEv2 Security Associations */
273 } ikev2_main_per_thread_data_t;
277 /* pool of IKEv2 profiles */
278 ikev2_profile_t *profiles;
280 /* vector of supported transform types */
281 ikev2_sa_transform_t *supported_transforms;
284 mhash_t profile_index_by_name;
286 /* local private key */
290 vlib_main_t *vlib_main;
291 vnet_main_t *vnet_main;
293 /* pool of IKEv2 Security Associations created in initiator mode */
298 ikev2_main_per_thread_data_t *per_thread_data;
300 /* interface indices managed by IKE */
301 uword *sw_if_indices;
303 /* API message ID base */
307 extern ikev2_main_t ikev2_main;
/* ikev2_crypto.c / SA helpers.
 *
 * ikev2_sa_free_proposal_vector: releases a proposal vector (the i_proposals /
 * r_proposals members above). Takes the address of the vector pointer, which
 * suggests it also resets the caller's pointer - confirm in the definition.
 *
 * ikev2_sa_get_td_for_type: looks up the transform of the given type inside
 * proposal p. Presumably returns NULL when the proposal carries no such
 * transform; callers should check the result before dereferencing - confirm.
 *
 * ikev2_calc_prf: PRF computation over data with key using transform tr.
 * NOTE(review): the returned v8 buffer is presumably a freshly allocated
 * vector owned by the caller; confirm who frees it. */
309 void ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v);
310 ikev2_sa_transform_t *ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p,
311 ikev2_transform_type_t type);
314 v8 *ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data);
315 u8 *ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed,
317 v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
/* Crypto primitives used by the IKEv2 state machine (ikev2_crypto.c).
 *
 * ikev2_decrypt_data: decrypts len bytes at data using the keys held in sa.
 * NOTE(review): len is a signed int and the declaration gives no other bound;
 * callers must pass a length already validated against the received packet
 * (non-negative, not larger than the remaining payload) - confirm that the
 * call sites do this before the call rather than relying on the callee.
 *
 * ikev2_encrypt_data: encrypts the src vector into dst using sa's keys and
 * returns an int (presumably the number of bytes written). No dst size is
 * passed, so the caller is responsible for sizing dst - confirm.
 *
 * ikev2_generate_dh / ikev2_complete_dh: DH key generation and shared-secret
 * completion for sa with transform t; results are stored in sa (void return).
 *
 * ikev2_verify_sign: verifies sigbuf over data with pkey and returns an int.
 * NOTE(review): the success/failure encoding of the return value is not
 * visible here; callers must treat it as the sole authentication decision
 * and check it explicitly - confirm the convention in the definition.
 *
 * ikev2_calc_sign: signs data with pkey; presumably returns a new vector the
 * caller frees - confirm.
 *
 * ikev2_load_cert_file / ikev2_load_key_file: load an EVP_PKEY from the given
 * file path. Presumably NULL on failure, and the caller owns the returned key
 * (EVP_PKEY_free) - confirm.
 *
 * ikev2_crypto_init: one-time crypto setup for the plugin main struct km. */
319 v8 *ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len);
320 int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst);
321 void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
322 void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
323 int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
324 u8 *ikev2_calc_sign (EVP_PKEY * pkey, u8 * data);
325 EVP_PKEY *ikev2_load_cert_file (u8 * file);
326 EVP_PKEY *ikev2_load_key_file (u8 * file);
327 void ikev2_crypto_init (ikev2_main_t * km);
329 /* ikev2_payload.c */
332 u8 first_payload_type;
335 } ikev2_payload_chain_t;
337 #define ikev2_payload_new_chain(V) vec_validate (V, 0)
338 #define ikev2_payload_destroy_chain(V) do { \
339 vec_free((V)->data); \
343 void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type,
345 void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type,
346 u8 * data, ikev2_notify_t * notify);
347 void ikev2_payload_add_sa (ikev2_payload_chain_t * c,
348 ikev2_sa_proposal_t * proposals);
349 void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group,
351 void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce);
352 void ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id,
354 void ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth);
355 void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts,
/* Payload builders and parsers (ikev2_payload.c).
 *
 * ikev2_payload_add_delete: appends a DELETE payload for d to chain c.
 * ikev2_payload_chain_add_padding: pads the chain to a multiple of block size
 * bs (needed before encryption; bs is presumably the cipher block size).
 *
 * ikev2_parse_*_payload: decode one received payload whose generic header
 * starts at ikep and return the decoded object (the SA parser returns a
 * proposal vector, presumably released with ikev2_sa_free_proposal_vector).
 * NOTE(review): the parsers receive only the header pointer, no remaining
 * packet length. Any bounds checking therefore has to come from the length
 * field inside the header and from the caller having already verified that
 * the whole payload lies inside the received packet - confirm that the
 * callers do so before invoking these, since ikep is attacker-supplied data.
 * ikev2_parse_vendor_payload returns nothing (void), so it can only log or
 * ignore the payload. */
357 void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
358 void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
359 void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
360 ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep);
361 ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep);
362 ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep);
363 ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep);
365 #endif /* __included_ikev2_priv_h__ */
369 * fd.io coding-style-patch-verification: ON
372 * eval: (c-set-style "gnu")