2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __included_ikev2_priv_h__
16 #define __included_ikev2_priv_h__
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ethernet/ethernet.h>
22 #include <vnet/ipsec/ikev2.h>
24 #include <vppinfra/hash.h>
25 #include <vppinfra/elog.h>
26 #include <vppinfra/error.h>
28 #include <openssl/rand.h>
29 #include <openssl/dh.h>
30 #include <openssl/hmac.h>
31 #include <openssl/evp.h>
/*
 * Payload debugging is compiled in by default (IKEV2_DEBUG_PAYLOAD == 1), in
 * which case DBG_PLD expands to clib_warning and its arguments land in the
 * warning log.
 * NOTE(review): whatever is handed to DBG_PLD is written to the log; keep
 * decrypted payload bytes and keying material out of its arguments, or set
 * IKEV2_DEBUG_PAYLOAD to 0 for production builds.
 */
33 #define IKEV2_DEBUG_PAYLOAD 1
35 #if IKEV2_DEBUG_PAYLOAD == 1
36 #define DBG_PLD(my_args...) clib_warning(my_args)
/* Disabled variant (presumably selected when the flag is not 1): expands to nothing. */
38 #define DBG_PLD(my_args...)
45 IKEV2_STATE_AUTH_FAILED,
46 IKEV2_STATE_AUTHENTICATED,
47 IKEV2_STATE_NOTIFY_AND_DELETE,
48 IKEV2_STATE_TS_UNACCEPTABLE,
49 IKEV2_STATE_NO_PROPOSAL_CHOSEN,
53 ikev2_auth_method_t method:8;
55 u8 hex; /* hex encoding of the shared secret */
60 IKEV2_DH_GROUP_MODP = 0,
61 IKEV2_DH_GROUP_ECP = 1,
65 ikev2_transform_type_t type;
68 ikev2_transform_encr_type_t encr_type:16;
69 ikev2_transform_prf_type_t prf_type:16;
70 ikev2_transform_integ_type_t integ_type:16;
71 ikev2_transform_dh_type_t dh_type:16;
72 ikev2_transform_esn_type_t esn_type:16;
84 } ikev2_sa_transform_t;
88 ikev2_protocol_id_t protocol_id:8;
90 ikev2_sa_transform_t * transforms;
91 } ikev2_sa_proposal_t;
99 ip4_address_t start_addr;
100 ip4_address_t end_addr;
104 ikev2_id_type_t type:8;
109 /* SA proposal vectors */
110 ikev2_sa_proposal_t * i_proposals;
111 ikev2_sa_proposal_t * r_proposals;
113 /* Traffic Selectors */
126 u32 spi; /* for ESP and AH the SPI size is 4; for IKE it is 0 */
132 ikev2_sa_proposal_t * i_proposal;
133 ikev2_sa_proposal_t * r_proposal;
163 /* SA proposal vectors */
164 ikev2_sa_proposal_t * i_proposals;
165 ikev2_sa_proposal_t * r_proposals;
184 /* pending deletes */
185 ikev2_delete_t * del;
187 /* pending rekeyings */
188 ikev2_rekey_t * rekey;
191 u8 * last_sa_init_req_packet_data;
192 u8 * last_sa_init_res_packet_data;
196 u8 * last_res_packet_data;
198 ikev2_child_sa_t * childs;
213 /* pool of IKEv2 Security Associations */
216 /* pool of IKEv2 profiles */
217 ikev2_profile_t * profiles;
219 /* vector of supported transform types */
220 ikev2_sa_transform_t * supported_transforms;
224 mhash_t profile_index_by_name;
226 /* local private key */
230 vlib_main_t * vlib_main;
231 vnet_main_t * vnet_main;
234 ikev2_main_t ikev2_main;
/*
 * SA proposal bookkeeping and the crypto primitives used by the IKEv2
 * state machine.
 * NOTE(review): v8 * / u8 * arguments with no explicit length presumably
 * carry it as vppinfra vectors (vec_len); the int len parameters below are
 * signed, so callers must never pass a negative length — confirm against the
 * implementations.
 */
/* Free the proposal vector *v (and presumably each proposal's nested transforms vector). */
236 void ikev2_sa_free_proposal_vector(ikev2_sa_proposal_t ** v);
/* Look up the transform of the given type inside proposal p (presumably NULL when absent — TODO confirm). */
237 ikev2_sa_transform_t * ikev2_sa_get_td_for_type(ikev2_sa_proposal_t * p,
238 ikev2_transform_type_t type);
/* PRF, prf+ and integrity computations for transform tr. Each returns a newly
 * built vector whose ownership presumably passes to the caller — TODO confirm. */
241 v8 * ikev2_calc_prf(ikev2_sa_transform_t * tr, v8 * key, v8 * data);
242 u8 * ikev2_calc_prfplus(ikev2_sa_transform_t * tr, u8 * key, u8 * seed, int len); /* len: bytes of keying material to derive */
243 v8 * ikev2_calc_integr(ikev2_sa_transform_t * tr, v8 * key, u8 * data, int len); /* len: bytes of data covered */
/* Bulk decryption / encryption with the keys held in sa.
 * NOTE(review): ikev2_encrypt_data receives no size for dst, so the caller
 * must size dst for the ciphertext (plus any padding the cipher needs);
 * verify where that is guaranteed. */
244 v8 * ikev2_decrypt_data(ikev2_sa_t * sa, u8 * data, int len);
245 int ikev2_encrypt_data(ikev2_sa_t * sa, v8 * src, u8 * dst);
/* Generate the local DH contribution for transform t and record it in sa — presumably; confirm. */
246 void ikev2_generate_dh(ikev2_sa_t * sa, ikev2_sa_transform_t * t);
/* Signature verification / creation with an OpenSSL key. sigbuf and data carry
 * no explicit lengths, so both are presumably vectors.
 * NOTE(review): the int return convention of ikev2_verify_sign (0/1 vs 0/-1) is
 * not visible here; check the implementation before treating it as a boolean,
 * since a misread here turns into an authentication bypass. */
247 int ikev2_verify_sign(EVP_PKEY *pkey, u8 * sigbuf, u8 * data);
248 u8 * ikev2_calc_sign(EVP_PKEY *pkey, u8 * data);
/* Load a public key from a certificate file / a private key from a key file at
 * path 'file'. The returned EVP_PKEY presumably belongs to the caller
 * (EVP_PKEY_free) and is NULL on failure — confirm; callers must check it. */
249 EVP_PKEY * ikev2_load_cert_file(u8 * file);
250 EVP_PKEY * ikev2_load_key_file(u8 * file);
/* One-time initialisation of the crypto layer for km. */
251 void ikev2_crypto_init (ikev2_main_t * km);
253 /* ikev2_payload.c */
255 u8 first_payload_type;
258 } ikev2_payload_chain_t;
260 #define ikev2_payload_new_chain(V) vec_validate (V, 0)
261 #define ikev2_payload_destroy_chain(V) do { \
262 vec_free((V)->data); \
/*
 * Payload builders: each appends one payload to chain c (the chain keeps the
 * encoded bytes in c->data, which ikev2_payload_destroy_chain frees).
 */
266 void ikev2_payload_add_notify(ikev2_payload_chain_t * c, u16 msg_type, u8 * data);
267 void ikev2_payload_add_sa(ikev2_payload_chain_t * c, ikev2_sa_proposal_t * proposals);
268 void ikev2_payload_add_ke(ikev2_payload_chain_t * c, u16 dh_group, u8 * dh_data);
269 void ikev2_payload_add_nonce(ikev2_payload_chain_t * c, u8 * nonce);
/* 'type' presumably selects the concrete payload type (e.g. IDi vs IDr, TSi vs TSr) — confirm at the call sites. */
270 void ikev2_payload_add_id(ikev2_payload_chain_t *c, ikev2_id_t * id, u8 type);
271 void ikev2_payload_add_auth(ikev2_payload_chain_t *c, ikev2_auth_t * auth);
272 void ikev2_payload_add_ts(ikev2_payload_chain_t * c, ikev2_ts_t * ts, u8 type);
273 void ikev2_payload_add_delete(ikev2_payload_chain_t *c, ikev2_delete_t * d);
/* Pad the chain to a multiple of bs bytes (cipher block size, presumably). */
274 void ikev2_payload_chain_add_padding(ikev2_payload_chain_t * c, int bs);
/*
 * Payload parsers: each takes a pointer to a payload header inside a received
 * message and returns a newly built result (presumably a vector owned by the
 * caller — confirm), or nothing for the vendor payload.
 * NOTE(review): no remaining-buffer length is passed, so the payload's own
 * length field must already have been validated against the enclosing message
 * by the caller; confirm that check exists before relying on these for
 * untrusted input.
 */
275 void ikev2_parse_vendor_payload(ike_payload_header_t * ikep);
276 ikev2_sa_proposal_t * ikev2_parse_sa_payload(ike_payload_header_t * ikep);
277 ikev2_ts_t * ikev2_parse_ts_payload(ike_payload_header_t * ikep);
278 ikev2_delete_t * ikev2_parse_delete_payload(ike_payload_header_t * ikep);
279 ikev2_notify_t * ikev2_parse_notify_payload(ike_payload_header_t * ikep);
281 #endif /* __included_ikev2_priv_h__ */