#include <vlibmemory/api.h>
#include <vpp/app/version.h>
#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
#include <vppinfra/random.h>
#include <vnet/udp/udp.h>
#include <vnet/ipip/ipip.h>
#include <plugins/ikev2/ikev2.h>
#include <plugins/ikev2/ikev2_priv.h>
+#include <plugins/dns/dns.h>
#include <openssl/sha.h>
#include <vnet/ipsec/ipsec_punt.h>
+#include <plugins/ikev2/ikev2.api_enum.h>
#define IKEV2_LIVENESS_RETRIES 3
#define IKEV2_LIVENESS_PERIOD_CHECK 30
ikev2_sa_t * sa,
ikev2_child_sa_t * child);
-#define ikev2_set_state(sa, v) do { \
+#define ikev2_set_state(sa, v, ...) do { \
(sa)->state = v; \
- ikev2_elog_sa_state("ispi %lx SA state changed to " #v, sa->ispi); \
+ ikev2_elog_sa_state("ispi %lx SA state changed to " #v __VA_ARGS__, sa->ispi); \
} while(0);
typedef struct
return s;
}
-static vlib_node_registration_t ikev2_node;
-
-#define foreach_ikev2_error \
-_(PROCESSED, "IKEv2 packets processed") \
-_(IKE_SA_INIT_RETRANSMIT, "IKE_SA_INIT retransmit ") \
-_(IKE_SA_INIT_IGNORE, "IKE_SA_INIT ignore (IKE SA already auth)") \
-_(IKE_REQ_RETRANSMIT, "IKE request retransmit") \
-_(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \
-_(NOT_IKEV2, "Non IKEv2 packets received") \
-_(BAD_LENGTH, "Bad packet length") \
-_(MALFORMED_PACKET, "Malformed packet") \
-_(NO_BUFF_SPACE, "No buffer space")
+#define IKEV2_GENERATE_SA_INIT_OK_str ""
+#define IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR \
+ "no DH group configured for IKE proposals!"
+#define IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR \
+ "DH group not supported!"
typedef enum
{
-#define _(sym,str) IKEV2_ERROR_##sym,
- foreach_ikev2_error
-#undef _
- IKEV2_N_ERROR,
-} ikev2_error_t;
+ IKEV2_GENERATE_SA_INIT_OK,
+ IKEV2_GENERATE_SA_INIT_ERR_NO_DH,
+ IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH,
+} ikev2_generate_sa_error_t;
-static char *ikev2_error_strings[] = {
-#define _(sym,string) string,
- foreach_ikev2_error
-#undef _
-};
+static u8 *
+format_ikev2_gen_sa_error (u8 * s, va_list * args)
+{
+ ikev2_generate_sa_error_t e = va_arg (*args, ikev2_generate_sa_error_t);
+ switch (e)
+ {
+ case IKEV2_GENERATE_SA_INIT_OK:
+ break;
+ case IKEV2_GENERATE_SA_INIT_ERR_NO_DH:
+ s = format (s, IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR);
+ break;
+ case IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH:
+ s = format (s, IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR);
+ break;
+ }
+ return s;
+}
typedef enum
{
IKEV2_NEXT_IP4_LOOKUP,
- IKEV2_NEXT_ERROR_DROP,
- IKEV2_N_NEXT,
-} ikev2_next_t;
+ IKEV2_NEXT_IP4_ERROR_DROP,
+ IKEV2_IP4_N_NEXT,
+} ikev2_ip4_next_t;
+
+typedef enum
+{
+ IKEV2_NEXT_IP6_LOOKUP,
+ IKEV2_NEXT_IP6_ERROR_DROP,
+ IKEV2_IP6_N_NEXT,
+} ikev2_ip6_next_t;
typedef u32 ikev2_non_esp_marker;
-static_always_inline u16
-ikev2_get_port (ikev2_sa_t * sa)
+static u16
+ikev2_get_port (ikev2_sa_t *sa)
{
- return sa->natt ? IKEV2_PORT_NATT : IKEV2_PORT;
+ return ikev2_natt_active (sa) ? IKEV2_PORT_NATT : IKEV2_PORT;
}
-static_always_inline int
-ikev2_insert_non_esp_marker (ike_header_t * ike, int len)
+static int
+ikev2_insert_non_esp_marker (ike_header_t *ike, int len)
{
memmove ((u8 *) ike + sizeof (ikev2_non_esp_marker), ike, len);
clib_memset (ike, 0, sizeof (ikev2_non_esp_marker));
vec_free (p->transforms);
}
vec_free (*v);
-};
+}
static void
ikev2_sa_free_child_sa (ikev2_child_sa_t * c)
}
static void
-ikev2_delete_sa (ikev2_sa_t * sa)
+ikev2_delete_sa (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa)
{
- ikev2_main_t *km = &ikev2_main;
- u32 thread_index = vlib_get_thread_index ();
uword *p;
ikev2_sa_free_all_vec (sa);
- p = hash_get (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
+ p = hash_get (ptd->sa_by_rspi, sa->rspi);
if (p)
{
- hash_unset (km->per_thread_data[thread_index].sa_by_rspi, sa->rspi);
- pool_put (km->per_thread_data[thread_index].sas, sa);
+ hash_unset (ptd->sa_by_rspi, sa->rspi);
+ pool_put (ptd->sas, sa);
}
}
-static void
+static ikev2_generate_sa_error_t
ikev2_generate_sa_init_data (ikev2_sa_t * sa)
{
ikev2_sa_transform_t *t = 0, *t2;
ikev2_main_t *km = &ikev2_main;
if (sa->dh_group == IKEV2_TRANSFORM_DH_TYPE_NONE)
- {
- return;
- }
+ return IKEV2_GENERATE_SA_INIT_ERR_NO_DH;
/* check if received DH group is on our list of supported groups */
vec_foreach (t2, km->supported_transforms)
if (!t)
{
sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE;
- return;
+ return IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH;
}
if (sa->is_initiator)
RAND_bytes ((u8 *) & sa->rspi, 8);
/* generate nonce */
- sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
- RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
+ sa->r_nonce = vec_new (u8, vec_len (sa->i_nonce));
+ RAND_bytes ((u8 *) sa->r_nonce, vec_len (sa->i_nonce));
}
/* generate dh keys */
ikev2_generate_dh (sa, t);
+ return IKEV2_GENERATE_SA_INIT_OK;
}
static void
sa->i_nonce = _(sai->i_nonce);
sa->i_dh_data = _(sai->i_dh_data);
sa->dh_private_key = _(sai->dh_private_key);
- sa->iaddr.as_u32 = sai->iaddr.as_u32;
- sa->raddr.as_u32 = sai->raddr.as_u32;
+ ip_address_copy (&sa->iaddr, &sai->iaddr);
+ ip_address_copy (&sa->raddr, &sai->raddr);
sa->is_initiator = sai->is_initiator;
sa->i_id.type = sai->i_id.type;
sa->r_id.type = sai->r_id.type;
sa->profile_index = sai->profile_index;
sa->tun_itf = sai->tun_itf;
sa->is_tun_itf_set = sai->is_tun_itf_set;
+ if (sai->natt_state == IKEV2_NATT_DISABLED)
+ sa->natt_state = IKEV2_NATT_DISABLED;
sa->i_id.data = _(sai->i_id.data);
sa->r_id.data = _(sai->r_id.data);
sa->i_auth.method = sai->i_auth.method;
sa->i_auth.data = _(sai->i_auth.data);
sa->i_auth.key = _(sai->i_auth.key);
sa->last_sa_init_req_packet_data = _(sai->last_sa_init_req_packet_data);
+ sa->last_init_msg_id = sai->last_init_msg_id;
sa->childs = _(sai->childs);
sa->udp_encap = sai->udp_encap;
sa->ipsec_over_udp_port = sai->ipsec_over_udp_port;
vec_free (keymat);
}
-static_always_inline u8 *
-ikev2_compute_nat_sha1 (u64 ispi, u64 rspi, u32 ip, u16 port)
+static u8 *
+ikev2_compute_nat_sha1 (u64 ispi, u64 rspi, ip_address_t *ia, u16 port)
{
- /* ispi, rspi, ip, port */
- u8 buf[8 + 8 + 4 + 2];
+ const u32 max_buf_size =
+ sizeof (ispi) + sizeof (rspi) + sizeof (ip6_address_t) + sizeof (u16);
+ u8 buf[max_buf_size];
u8 *res = vec_new (u8, 20);
clib_memcpy_fast (&buf[0], &ispi, sizeof (ispi));
clib_memcpy_fast (&buf[8], &rspi, sizeof (rspi));
- clib_memcpy_fast (&buf[8 + 8], &ip, sizeof (ip));
- clib_memcpy_fast (&buf[8 + 8 + 4], &port, sizeof (port));
- SHA1 (buf, sizeof (buf), res);
+ clib_memcpy_fast (&buf[8 + 8], ip_addr_bytes (ia), ip_address_size (ia));
+ clib_memcpy_fast (&buf[8 + 8 + ip_address_size (ia)], &port, sizeof (port));
+ SHA1 (buf, 2 * sizeof (ispi) + sizeof (port) + ip_address_size (ia), res);
return res;
}
u16 plen = clib_net_to_host_u16 (ke->length);
ASSERT (plen >= sizeof (*ke) && plen <= rlen);
if (sizeof (*ke) > rlen)
- return 0;
+ {
+ ikev2_elog_error ("KE: packet too small");
+ return 0;
+ }
sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
vec_reset_length (ke_data[0]);
}
static int
-ikev2_parse_nonce_payload (const void *p, u32 rlen, u8 * nonce)
+ikev2_parse_nonce_payload (const void *p, u32 rlen, const u8 **nonce)
{
const ike_payload_header_t *ikep = p;
u16 plen = clib_net_to_host_u16 (ikep->length);
ASSERT (plen >= sizeof (*ikep) && plen <= rlen);
- clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep));
- return 1;
+ int len = plen - sizeof (*ikep);
+ ASSERT (len >= 16 && len <= 256);
+ if (PREDICT_FALSE (len < 16 || len > 256))
+ {
+ ikev2_elog_error ("NONCE: bad size");
+ return 0;
+ }
+ *nonce = ikep->payload;
+ return len;
}
static int
u16 * plen)
{
if (sizeof (*ikep) > rlen)
- return 0;
+ {
+ ikev2_elog_error ("payload: packet too small");
+ return 0;
+ }
*plen = clib_net_to_host_u16 (ikep->length);
if (*plen < sizeof (*ikep) || *plen > rlen)
- return 0;
+ {
+ ikev2_elog_error ("payload: bad size");
+ return 0;
+ }
return 1;
}
static int
-ikev2_process_sa_init_req (vlib_main_t * vm,
- ikev2_sa_t * sa, ike_header_t * ike,
- udp_header_t * udp, u32 len)
+ikev2_process_sa_init_req (vlib_main_t *vm, ikev2_sa_t *sa, ike_header_t *ike,
+ udp_header_t *udp, u32 len, u32 sw_if_index)
{
- u8 nonce[IKEV2_NONCE_SIZE];
int p = 0;
u8 payload = ike->nextpayload;
ike_payload_header_t *ikep;
u16 plen;
ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT request received "
- "from %d.%d.%d.%d",
- clib_net_to_host_u64 (ike->ispi),
- clib_net_to_host_u64 (ike->rspi), sa->iaddr.as_u32);
+ "from ", clib_net_to_host_u64 (ike->ispi),
+ clib_net_to_host_u64 (ike->rspi),
+ ip_addr_v4 (&sa->iaddr).as_u32,
+ ip_addr_version (&sa->iaddr) == AF_IP4);
sa->ispi = clib_net_to_host_u64 (ike->ispi);
+ sa->sw_if_index = sw_if_index;
/* store whole IKE payload - needed for PSK auth */
vec_reset_length (sa->last_sa_init_req_packet_data);
vec_add (sa->last_sa_init_req_packet_data, ike, len);
if (len < sizeof (*ike))
- return 0;
+ {
+ ikev2_elog_error ("IKE_INIT request too small");
+ return 0;
+ }
len -= sizeof (*ike);
while (p < len && payload != IKEV2_PAYLOAD_NONE)
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
+ const u8 *nonce;
+ int nonce_len;
vec_reset_length (sa->i_nonce);
- if (ikev2_parse_nonce_payload (ikep, current_length, nonce))
- vec_add (sa->i_nonce, nonce, plen - sizeof (*ikep));
+ if ((nonce_len = ikev2_parse_nonce_payload (ikep, current_length,
+ &nonce)) <= 0)
+ return 0;
+ vec_add (sa->i_nonce, nonce, nonce_len);
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
{
- u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, 0,
- sa->iaddr.as_u32,
+ u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, 0, &sa->iaddr,
udp->src_port);
if (clib_memcmp (src_sha, n->data, vec_len (src_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
" behind NAT", sa->ispi);
}
else if (n->msg_type ==
IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
{
- u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi, 0,
- sa->raddr.as_u32,
+ u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi, 0, &sa->raddr,
udp->dst_port);
if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx responder"
" (self) behind NAT", sa->ispi);
}
ikev2_sa_t * sa, ike_header_t * ike,
udp_header_t * udp, u32 len)
{
- u8 nonce[IKEV2_NONCE_SIZE];
int p = 0;
u8 payload = ike->nextpayload;
ike_payload_header_t *ikep;
sa->rspi = clib_net_to_host_u64 (ike->rspi);
ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT response received "
- "from %d.%d.%d.%d", sa->ispi, sa->rspi,
- sa->raddr.as_u32);
+ "from ", sa->ispi, sa->rspi,
+ ip_addr_v4 (&sa->raddr).as_u32,
+ ip_addr_version (&sa->raddr) == AF_IP4);
/* store whole IKE payload - needed for PSK auth */
vec_reset_length (sa->last_sa_init_res_packet_data);
vec_add (sa->last_sa_init_res_packet_data, ike, len);
if (sizeof (*ike) > len)
- return;
+ {
+ ikev2_elog_error ("IKE_INIT response too small");
+ return;
+ }
len -= sizeof (*ike);
while (p < len && payload != IKEV2_PAYLOAD_NONE)
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
+ const u8 *nonce;
+ int nonce_len;
vec_reset_length (sa->r_nonce);
- if (ikev2_parse_nonce_payload (ikep, current_length, nonce))
- vec_add (sa->r_nonce, nonce, plen - sizeof (*ikep));
+ if ((nonce_len = ikev2_parse_nonce_payload (ikep, current_length,
+ &nonce)) <= 0)
+ return;
+ vec_add (sa->r_nonce, nonce, nonce_len);
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
{
- u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi,
- ike->rspi,
- sa->raddr.as_u32,
+ u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, ike->rspi,
+ &sa->raddr,
udp->src_port);
if (clib_memcmp (src_sha, n->data, vec_len (src_sha)))
{
else if (n->msg_type ==
IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP)
{
- u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi,
- ike->rspi,
- sa->iaddr.as_u32,
+ u8 *dst_sha = ikev2_compute_nat_sha1 (ike->ispi, ike->rspi,
+ &sa->iaddr,
udp->dst_port);
if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
" (self) behind NAT", sa->ispi);
}
ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
int is_aead = tr_encr->encr_type == IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16;
- if ((!sa->sk_ar || !sa->sk_ai) && !is_aead)
+ if (((!sa->sk_ar || !sa->sk_ai) && !is_aead) || (!sa->sk_ei || !sa->sk_er))
return 0;
if (rlen <= sizeof (*ike))
return plaintext;
}
-static_always_inline int
-ikev2_is_id_equal (ikev2_id_t * i1, ikev2_id_t * i2)
+static int
+ikev2_is_id_equal (const ikev2_id_t *i1, const ikev2_id_t *i2)
{
if (i1->type != i2->type)
return 0;
}
static void
-ikev2_initial_contact_cleanup (ikev2_sa_t * sa)
+ikev2_initial_contact_cleanup_internal (ikev2_main_per_thread_data_t * ptd,
+ ikev2_sa_t * sa)
{
ikev2_main_t *km = &ikev2_main;
ikev2_sa_t *tmp;
u32 i, *delete = 0;
ikev2_child_sa_t *c;
- u32 thread_index = vlib_get_thread_index ();
-
- if (!sa->initial_contact)
- return;
/* find old IKE SAs with the same authenticated identity */
/* *INDENT-OFF* */
- pool_foreach (tmp, km->per_thread_data[thread_index].sas, ({
- if (!ikev2_is_id_equal (&tmp->i_id, &sa->i_id)
- || !ikev2_is_id_equal(&tmp->r_id, &sa->r_id))
- continue;
+ pool_foreach (tmp, ptd->sas) {
+ if (!ikev2_is_id_equal (&tmp->i_id, &sa->i_id)
+ || !ikev2_is_id_equal(&tmp->r_id, &sa->r_id))
+ continue;
- if (sa->rspi != tmp->rspi)
- vec_add1(delete, tmp - km->per_thread_data[thread_index].sas);
- }));
+ if (sa->rspi != tmp->rspi)
+ vec_add1(delete, tmp - ptd->sas);
+ }
/* *INDENT-ON* */
for (i = 0; i < vec_len (delete); i++)
{
- tmp =
- pool_elt_at_index (km->per_thread_data[thread_index].sas, delete[i]);
- vec_foreach (c,
- tmp->childs) ikev2_delete_tunnel_interface (km->vnet_main,
- tmp, c);
- ikev2_delete_sa (tmp);
+ tmp = pool_elt_at_index (ptd->sas, delete[i]);
+ vec_foreach (c, tmp->childs)
+ {
+ ikev2_delete_tunnel_interface (km->vnet_main, tmp, c);
+ }
+ ikev2_delete_sa (ptd, tmp);
}
vec_free (delete);
sa->initial_contact = 0;
}
+static void
+ikev2_initial_contact_cleanup (ikev2_main_per_thread_data_t * ptd,
+ ikev2_sa_t * sa)
+{
+ ikev2_main_t *km = &ikev2_main;
+
+ if (!sa->initial_contact)
+ return;
+
+ if (ptd)
+ {
+ ikev2_initial_contact_cleanup_internal (ptd, sa);
+ }
+ else
+ {
+ vec_foreach (ptd, km->per_thread_data)
+ ikev2_initial_contact_cleanup_internal (ptd, sa);
+ }
+ sa->initial_contact = 0;
+}
+
static int
ikev2_parse_id_payload (const void *p, u16 rlen, ikev2_id_t * sa_id)
{
u32 dlen = 0;
ikev2_elog_exchange ("ispi %lx rspi %lx EXCHANGE_IKE_AUTH received "
- "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
+ "from ", clib_host_to_net_u64 (ike->ispi),
clib_host_to_net_u64 (ike->rspi),
- sa->is_initiator ? sa->raddr.as_u32 : sa->
- iaddr.as_u32);
+ sa->is_initiator ?
+ ip_addr_v4 (&sa->raddr).as_u32 :
+ ip_addr_v4 (&sa->iaddr).as_u32,
+ ip_addr_version (&sa->raddr) == AF_IP4);
ikev2_calc_keys (sa);
return 1;
malformed:
- ikev2_set_state (sa, IKEV2_STATE_DELETED);
+ ikev2_set_state (sa, IKEV2_STATE_DELETED, ": malformed IKE_AUTH");
return 0;
}
sa->liveness_retries = 0;
ikev2_elog_exchange ("ispi %lx rspi %lx INFORMATIONAL received "
- "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
- clib_host_to_net_u64 (ike->rspi), sa->iaddr.as_u32);
+ "from ", clib_host_to_net_u64 (ike->ispi),
+ clib_host_to_net_u64 (ike->rspi),
+ ip_addr_v4 (&sa->iaddr).as_u32,
+ ip_addr_version (&sa->iaddr) == AF_IP4);
plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
int p = 0;
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
- u8 rekeying = 0;
- u8 nonce[IKEV2_NONCE_SIZE];
-
+ ikev2_rekey_t *rekey;
ike_payload_header_t *ikep;
ikev2_notify_t *n = 0;
ikev2_ts_t *tsi = 0;
ikev2_ts_t *tsr = 0;
ikev2_sa_proposal_t *proposal = 0;
ikev2_child_sa_t *child_sa;
- u32 dlen = 0;
+ u32 dlen = 0, src;
u16 plen;
+ const u8 *nonce = 0;
+ int nonce_len = 0;
+
+ if (sa->is_initiator)
+ src = ip_addr_v4 (&sa->raddr).as_u32;
+ else
+ src = ip_addr_v4 (&sa->iaddr).as_u32;
- ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received "
- "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
- clib_host_to_net_u64 (ike->rspi), sa->raddr.as_u32);
+ ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received from",
+ clib_host_to_net_u64 (ike->ispi),
+ clib_host_to_net_u64 (ike->rspi), src,
+ ip_addr_version (&sa->raddr) == AF_IP4);
plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
- n = ikev2_parse_notify_payload (ikep, current_length);
- if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
+ ikev2_notify_t *n0;
+ n0 = ikev2_parse_notify_payload (ikep, current_length);
+ if (n0->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
{
- rekeying = 1;
+ vec_free (n);
+ n = n0;
}
+ else
+ vec_free (n0);
}
else if (payload == IKEV2_PAYLOAD_DELETE)
{
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
- ikev2_parse_nonce_payload (ikep, current_length, nonce);
+ nonce_len = ikev2_parse_nonce_payload (ikep, current_length, &nonce);
+ if (nonce_len <= 0)
+ goto cleanup_and_exit;
}
else if (payload == IKEV2_PAYLOAD_TSI)
{
p += plen;
}
- if (sa->is_initiator && proposal->protocol_id == IKEV2_PROTOCOL_ESP)
+ if (!proposal || proposal->protocol_id != IKEV2_PROTOCOL_ESP || !nonce)
+ goto cleanup_and_exit;
+
+ if (sa->is_initiator)
{
- ikev2_rekey_t *rekey = &sa->rekey[0];
+ rekey = sa->rekey;
+ if (vec_len (rekey) == 0)
+ goto cleanup_and_exit;
+ rekey->notify_type = 0;
rekey->protocol_id = proposal->protocol_id;
rekey->i_proposal =
ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
rekey->tsr = tsr;
/* update Nr */
vec_reset_length (sa->r_nonce);
- vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE);
+ vec_add (sa->r_nonce, nonce, nonce_len);
child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
if (child_sa)
{
child_sa->rekey_retries = 0;
}
}
- else if (rekeying)
+ else
{
- ikev2_rekey_t *rekey;
- child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
- if (!child_sa)
+ if (n)
+ {
+ child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
+ if (!child_sa)
+ {
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "child SA spi %lx not found",
+ n->spi);
+ goto cleanup_and_exit;
+ }
+ vec_add2 (sa->rekey, rekey, 1);
+ rekey->notify_type = 0;
+ rekey->protocol_id = n->protocol_id;
+ rekey->spi = n->spi;
+ if (sa->old_remote_id_present)
+ {
+ rekey->notify_type = IKEV2_NOTIFY_MSG_TEMPORARY_FAILURE;
+ vec_free (proposal);
+ vec_free (tsr);
+ vec_free (tsi);
+ }
+ else
+ {
+ rekey->i_proposal = proposal;
+ rekey->r_proposal =
+ ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
+ /* update Ni */
+ vec_reset_length (sa->i_nonce);
+ vec_add (sa->i_nonce, nonce, nonce_len);
+ /* generate new Nr */
+ vec_validate (sa->r_nonce, nonce_len - 1);
+ RAND_bytes ((u8 *) sa->r_nonce, nonce_len);
+ }
+ }
+ else
{
- ikev2_elog_uint (IKEV2_LOG_ERROR, "child SA spi %lx not found",
- n->spi);
- goto cleanup_and_exit;
+ /* create new child SA */
+ vec_add2 (sa->new_child, rekey, 1);
+ rekey->notify_type = 0;
+ rekey->i_proposal = proposal;
+ rekey->r_proposal =
+ ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
+ /* update Ni */
+ vec_reset_length (sa->i_nonce);
+ vec_add (sa->i_nonce, nonce, nonce_len);
+ /* generate new Nr */
+ vec_validate (sa->r_nonce, nonce_len - 1);
+ RAND_bytes ((u8 *) sa->r_nonce, nonce_len);
}
- vec_add2 (sa->rekey, rekey, 1);
- rekey->protocol_id = n->protocol_id;
- rekey->spi = n->spi;
- rekey->i_proposal = proposal;
- rekey->r_proposal =
- ikev2_select_proposal (proposal, IKEV2_PROTOCOL_ESP);
rekey->tsi = tsi;
rekey->tsr = tsr;
- /* update Ni */
- vec_free (sa->i_nonce);
- vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE);
- /* generate new Nr */
- vec_validate (sa->r_nonce, IKEV2_NONCE_SIZE - 1);
- RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
- vec_free (n);
}
+ vec_free (n);
return 1;
cleanup_and_exit:
vec_free (n);
+ vec_free (proposal);
+ vec_free (tsr);
+ vec_free (tsi);
return 0;
}
return authmsg;
}
+static int
+ikev2_match_profile (const ikev2_profile_t *p, const ikev2_id_t *id_loc,
+ const ikev2_id_t *id_rem, int is_initiator)
+{
+ /* on the initiator, IDi is always present and must match
+ * however on the responder, IDr (which is our local id) is optional */
+ if ((is_initiator || id_loc->type != 0) &&
+ !ikev2_is_id_equal (&p->loc_id, id_loc))
+ return 0;
+
+ /* on the initiator, we might not have configured a specific remote id
+ * however on the responder, the remote id should always be configured */
+ if ((!is_initiator || p->rem_id.type != 0) &&
+ !ikev2_is_id_equal (&p->rem_id, id_rem))
+ return 0;
+
+ return 1;
+}
+
static int
ikev2_ts_cmp (ikev2_ts_t * ts1, ikev2_ts_t * ts2)
{
if (ts1->ts_type == ts2->ts_type && ts1->protocol_id == ts2->protocol_id &&
ts1->start_port == ts2->start_port && ts1->end_port == ts2->end_port &&
- ts1->start_addr.as_u32 == ts2->start_addr.as_u32 &&
- ts1->end_addr.as_u32 == ts2->end_addr.as_u32)
+ !ip_address_cmp (&ts1->start_addr, &ts2->start_addr) &&
+ !ip_address_cmp (&ts1->end_addr, &ts2->end_addr))
return 1;
return 0;
ikev2_id_t *id_rem, *id_loc;
/* *INDENT-OFF* */
- pool_foreach (p, km->profiles, ({
+ pool_foreach (p, km->profiles) {
if (sa->is_initiator)
{
id_loc = &sa->r_id;
}
- /* check id */
- if (!ikev2_is_id_equal (&p->rem_id, id_rem)
- || !ikev2_is_id_equal (&p->loc_id, id_loc))
+ if (!ikev2_match_profile (p, id_loc, id_rem, sa->is_initiator))
continue;
sa->profile_index = p - km->profiles;
}
break;
- }));
+ }
/* *INDENT-ON* */
if (tsi && tsr)
}
}
-static void
-ikev2_sa_auth (ikev2_sa_t * sa)
+static ikev2_profile_t *
+ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
+ ikev2_sa_transform_t *tr_prf, u8 *key_pad)
{
- ikev2_main_t *km = &ikev2_main;
- ikev2_profile_t *p, *sel_p = 0;
- u8 *authmsg, *key_pad, *psk = 0, *auth = 0;
- ikev2_sa_transform_t *tr_prf;
-
- tr_prf =
- ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
-
- /* only shared key and rsa signature */
- if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
- sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
- {
- ikev2_elog_uint (IKEV2_LOG_ERROR,
- "unsupported authentication method %u",
- sa->i_auth.method);
- ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
- return;
- }
-
- key_pad = format (0, "%s", IKEV2_KEY_PAD);
- authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
-
+ ikev2_profile_t *ret = 0, *p;
ikev2_id_t *id_rem, *id_loc;
ikev2_auth_t *sa_auth;
+ u8 *authmsg, *psk = 0, *auth = 0;
+
+ authmsg = ikev2_sa_generate_authmsg (sa, sa->is_initiator);
if (sa->is_initiator)
{
sa_auth = &sa->i_auth;
}
- /* *INDENT-OFF* */
- pool_foreach (p, km->profiles, ({
+ pool_foreach (p, km->profiles)
+ {
+ if (!ikev2_match_profile (p, id_loc, id_rem, sa->is_initiator))
+ continue;
- /* check id */
- if (!ikev2_is_id_equal (&p->rem_id, id_rem)
- || !ikev2_is_id_equal (&p->loc_id, id_loc))
- continue;
+ if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
+ {
+ if (!p->auth.data ||
+ p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
+ continue;
- if (sa_auth->method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
- {
- if (!p->auth.data ||
- p->auth.method != IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
- continue;
+ psk = ikev2_calc_prf (tr_prf, p->auth.data, key_pad);
+ auth = ikev2_calc_prf (tr_prf, psk, authmsg);
- psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
- auth = ikev2_calc_prf(tr_prf, psk, authmsg);
+ if (!clib_memcmp (auth, sa_auth->data, vec_len (sa_auth->data)))
+ {
+ ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
+ vec_free (auth);
+ ret = p;
+ break;
+ }
+ else
+ {
+ ikev2_elog_uint (IKEV2_LOG_ERROR,
+ "shared key mismatch! ispi %lx", sa->ispi);
+ }
+ }
+ else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
+ {
+ if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
+ continue;
- if (!clib_memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
- {
- ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
- vec_free(auth);
- sel_p = p;
- break;
- }
+ if (ikev2_verify_sign (p->auth.key, sa_auth->data, authmsg) == 1)
+ {
+ ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
+ ret = p;
+ break;
+ }
+ else
+ {
+ ikev2_elog_uint (IKEV2_LOG_ERROR,
+ "cert verification failed! ispi %lx", sa->ispi);
+ }
+ }
+ }
+ vec_free (authmsg);
+ return ret;
+}
- }
- else if (sa_auth->method == IKEV2_AUTH_METHOD_RSA_SIG)
- {
- if (p->auth.method != IKEV2_AUTH_METHOD_RSA_SIG)
- continue;
+static void
+ikev2_sa_auth (ikev2_sa_t *sa)
+{
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_profile_t *sel_p = 0;
+ ikev2_sa_transform_t *tr_prf;
+ u8 *psk, *authmsg, *key_pad;
- if (ikev2_verify_sign(p->auth.key, sa_auth->data, authmsg) == 1)
- {
- ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
- sel_p = p;
- break;
- }
- }
+ tr_prf =
+ ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
- vec_free(auth);
- vec_free(psk);
- }));
- /* *INDENT-ON* */
+ /* only shared key and rsa signature */
+ if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC ||
+ sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG))
+ {
+ ikev2_elog_uint (IKEV2_LOG_ERROR, "unsupported authentication method %u",
+ sa->i_auth.method);
+ ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
+ return;
+ }
+
+ key_pad = format (0, "%s", IKEV2_KEY_PAD);
+ sel_p = ikev2_select_profile (km, sa, tr_prf, key_pad);
if (sel_p)
{
+ ASSERT (sa->state == IKEV2_STATE_AUTHENTICATED);
sa->udp_encap = sel_p->udp_encap;
sa->ipsec_over_udp_port = sel_p->ipsec_over_udp_port;
- }
- vec_free (authmsg);
- if (sa->state == IKEV2_STATE_AUTHENTICATED)
- {
if (!sa->is_initiator)
{
vec_free (sa->r_id.data);
authmsg = ikev2_sa_generate_authmsg (sa, 1);
if (sel_p->auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
{
+ vec_free (sa->r_auth.data);
+ psk = ikev2_calc_prf (tr_prf, sel_p->auth.data, key_pad);
sa->r_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
sa->r_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
+ vec_free (psk);
}
else if (sel_p->auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
{
+ vec_free (sa->r_auth.data);
sa->r_auth.data = ikev2_calc_sign (km->pkey, authmsg);
sa->r_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
}
"profile found! ispi %lx", sa->ispi);
ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
}
- vec_free (psk);
vec_free (key_pad);
}
-
static void
ikev2_sa_auth_init (ikev2_sa_t * sa)
{
return;
}
- key_pad = format (0, "%s", IKEV2_KEY_PAD);
authmsg = ikev2_sa_generate_authmsg (sa, 0);
- psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
if (sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC)
{
+ key_pad = format (0, "%s", IKEV2_KEY_PAD);
+ psk = ikev2_calc_prf (tr_prf, sa->i_auth.data, key_pad);
+ vec_free (sa->i_auth.data);
sa->i_auth.data = ikev2_calc_prf (tr_prf, psk, authmsg);
sa->i_auth.method = IKEV2_AUTH_METHOD_SHARED_KEY_MIC;
+ vec_free (psk);
+ vec_free (key_pad);
}
else if (sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)
{
+ vec_free (sa->i_auth.data);
sa->i_auth.data = ikev2_calc_sign (km->pkey, authmsg);
sa->i_auth.method = IKEV2_AUTH_METHOD_RSA_SIG;
}
-
- vec_free (psk);
- vec_free (key_pad);
vec_free (authmsg);
}
u32 remote_spi;
ipsec_crypto_alg_t encr_type;
ipsec_integ_alg_t integ_type;
- ip46_address_t local_ip;
- ip46_address_t remote_ip;
+ ip_address_t local_ip;
+ ip_address_t remote_ip;
ipsec_key_t loc_ckey, rem_ckey, loc_ikey, rem_ikey;
u8 is_rekey;
u32 old_remote_sa_id;
ikev2_main_t *km = &ikev2_main;
u32 sw_if_index;
int rv = 0;
+ tunnel_t tun_in = {
+ .t_flags = TUNNEL_FLAG_NONE,
+ .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ .t_dscp = 0,
+ .t_mode = TUNNEL_MODE_P2P,
+ .t_table_id = 0,
+ .t_hop_limit = 255,
+ .t_src = a->remote_ip,
+ .t_dst = a->local_ip,
+ };
+ tunnel_t tun_out = {
+ .t_flags = TUNNEL_FLAG_NONE,
+ .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ .t_dscp = 0,
+ .t_mode = TUNNEL_MODE_P2P,
+ .t_table_id = 0,
+ .t_hop_limit = 255,
+ .t_src = a->local_ip,
+ .t_dst = a->remote_ip,
+ };
if (~0 == a->sw_if_index)
{
/* no tunnel associated with the SA/profile - create a new one */
- rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0,
- &a->local_ip, &a->remote_ip, 0,
+ rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0, &ip_addr_46 (&a->local_ip),
+ &ip_addr_46 (&a->remote_ip), 0,
TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
TUNNEL_MODE_P2P, &sw_if_index);
if (rv)
{
- ikev2_elog_peers (IKEV2_LOG_ERROR, "installing ipip tunnel failed! "
- "loc:%d.%d.%d.%d rem:%d.%d.%d.%d",
- a->local_ip.ip4.as_u32, a->remote_ip.ip4.as_u32);
+ ikev2_elog_uint (IKEV2_LOG_ERROR,
+ "installing ipip tunnel failed! local spi: %x",
+ a->local_spi);
return;
}
vec_add1 (sas_in, a->old_remote_sa_id);
}
- rv |= ipsec_sa_add_and_lock (a->local_sa_id,
- a->local_spi,
- IPSEC_PROTOCOL_ESP, a->encr_type,
- &a->loc_ckey, a->integ_type, &a->loc_ikey,
- a->flags, 0, a->salt_local, &a->local_ip,
- &a->remote_ip, NULL, a->src_port, a->dst_port);
- rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
- IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
- a->integ_type, &a->rem_ikey,
- (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
- a->salt_remote, &a->remote_ip,
- &a->local_ip, NULL, a->ipsec_over_udp_port,
- a->ipsec_over_udp_port);
-
- rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
+ rv = ipsec_sa_add_and_lock (a->local_sa_id, a->local_spi, IPSEC_PROTOCOL_ESP,
+ a->encr_type, &a->loc_ckey, a->integ_type,
+ &a->loc_ikey, a->flags, a->salt_local,
+ a->src_port, a->dst_port, &tun_out, NULL);
+ if (rv)
+ goto err0;
+
+ rv = ipsec_sa_add_and_lock (
+ a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type,
+ &a->rem_ckey, a->integ_type, &a->rem_ikey,
+ (a->flags | IPSEC_SA_FLAG_IS_INBOUND), a->salt_remote,
+ a->ipsec_over_udp_port, a->ipsec_over_udp_port, &tun_in, NULL);
+ if (rv)
+ goto err1;
+
+ rv = ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
+ if (rv)
+ goto err2;
+
+ return;
+
+err2:
+ ipsec_sa_unlock_id (a->remote_sa_id);
+err1:
+ ipsec_sa_unlock_id (a->local_sa_id);
+err0:
+ vec_free (sas_in);
}
static int
if (sa->is_initiator)
{
- ip46_address_set_ip4 (&a.local_ip, &sa->iaddr);
- ip46_address_set_ip4 (&a.remote_ip, &sa->raddr);
+ ip_address_copy (&a.local_ip, &sa->iaddr);
+ ip_address_copy (&a.remote_ip, &sa->raddr);
proposals = child->r_proposals;
a.local_spi = child->r_proposals[0].spi;
a.remote_spi = child->i_proposals[0].spi;
}
else
{
- ip46_address_set_ip4 (&a.local_ip, &sa->raddr);
- ip46_address_set_ip4 (&a.remote_ip, &sa->iaddr);
+ ip_address_copy (&a.local_ip, &sa->raddr);
+ ip_address_copy (&a.remote_ip, &sa->iaddr);
proposals = child->i_proposals;
a.local_spi = child->i_proposals[0].spi;
a.remote_spi = child->r_proposals[0].spi;
a.flags |= IPSEC_SA_FLAG_IS_TUNNEL;
a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
}
- if (sa->natt)
+ if (ikev2_natt_active (sa))
a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
a.is_rekey = is_rekey;
a.salt_remote = child->salt_ei;
a.salt_local = child->salt_er;
}
- a.dst_port = sa->natt ? sa->dst_port : sa->ipsec_over_udp_port;
+ a.dst_port =
+ ikev2_natt_active (sa) ? sa->dst_port : sa->ipsec_over_udp_port;
a.src_port = sa->ipsec_over_udp_port;
}
u32 sw_if_index;
} ikev2_del_ipsec_tunnel_args_t;
-static_always_inline u32
+static u32
ikev2_flip_alternate_sa_bit (u32 id)
{
u32 mask = 0x800;
if (sa->is_initiator)
{
- ip46_address_set_ip4 (&a.local_ip, &sa->iaddr);
- ip46_address_set_ip4 (&a.remote_ip, &sa->raddr);
+ ip_address_to_46 (&sa->iaddr, &a.local_ip);
+ ip_address_to_46 (&sa->raddr, &a.remote_ip);
}
else
{
- ip46_address_set_ip4 (&a.local_ip, &sa->raddr);
- ip46_address_set_ip4 (&a.remote_ip, &sa->iaddr);
+ ip_address_to_46 (&sa->raddr, &a.local_ip);
+ ip_address_to_46 (&sa->iaddr, &a.remote_ip);
}
a.remote_sa_id = child->remote_sa_id;
}
static u32
-ikev2_generate_message (vlib_buffer_t * b, ikev2_sa_t * sa,
- ike_header_t * ike, void *user, udp_header_t * udp)
+ikev2_generate_message (vlib_buffer_t *b, ikev2_sa_t *sa, ike_header_t *ike,
+ void *user, udp_header_t *udp, ikev2_stats_t *stats)
{
ikev2_main_t *km = &ikev2_main;
u16 buffer_data_size = vlib_buffer_get_default_data_size (km->vlib_main);
u8 *nat_detection_sha1 =
ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
clib_host_to_net_u64 (sa->rspi),
- sa->raddr.as_u32,
- udp->dst_port);
+ &sa->raddr, udp->dst_port);
ikev2_payload_add_notify (chain,
IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
nat_detection_sha1);
nat_detection_sha1 =
ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
clib_host_to_net_u64 (sa->rspi),
- sa->iaddr.as_u32, udp->src_port);
+ &sa->iaddr, udp->src_port);
ikev2_payload_add_notify (chain,
IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
nat_detection_sha1);
if (sa->state == IKEV2_STATE_AUTHENTICATED)
{
ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
- ikev2_payload_add_id (chain, &sa->i_id, IKEV2_PAYLOAD_IDI);
ikev2_payload_add_auth (chain, &sa->r_auth);
ikev2_payload_add_sa (chain, sa->childs[0].r_proposals);
ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
else if (sa->state == IKEV2_STATE_SA_INIT)
{
ikev2_payload_add_id (chain, &sa->i_id, IKEV2_PAYLOAD_IDI);
- ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
+ /* IDr is optional when sending INIT from the initiator */
+ ASSERT (sa->r_id.type != 0 || sa->is_initiator);
+ if (sa->r_id.type != 0)
+ ikev2_payload_add_id (chain, &sa->r_id, IKEV2_PAYLOAD_IDR);
ikev2_payload_add_auth (chain, &sa->i_auth);
ikev2_payload_add_sa (chain, sa->childs[0].i_proposals);
ikev2_payload_add_ts (chain, sa->childs[0].tsi, IKEV2_PAYLOAD_TSI);
}
else
{
- ikev2_set_state (sa, IKEV2_STATE_DELETED);
+ ikev2_set_state (sa, IKEV2_STATE_DELETED, ": unexpected IKE_AUTH");
goto done;
}
}
{
if (sa->del[0].protocol_id == IKEV2_PROTOCOL_IKE)
{
- if (sa->is_initiator)
+ if (ike_hdr_is_request (ike))
ikev2_payload_add_delete (chain, sa->del);
/* The response to a request that deletes the IKE SA is an empty
/* received N(AUTHENTICATION_FAILED) */
else if (sa->state == IKEV2_STATE_AUTH_FAILED)
{
- ikev2_set_state (sa, IKEV2_STATE_DELETED);
+ ikev2_set_state (sa, IKEV2_STATE_DELETED, ": auth failed");
goto done;
}
/* received unsupported critical payload */
vec_free (data);
sa->unsupported_cp = 0;
}
- /* else send empty response */
+ else
+ /* else send empty response */
+ {
+ if (ike_hdr_is_response (ike))
+ {
+ ASSERT (stats != 0);
+ stats->n_keepalives++;
+ sa->stats.n_keepalives++;
+ }
+ }
}
else if (ike->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)
{
vec_free (data);
}
- else
+ else if (vec_len (sa->rekey) > 0)
{
- if (vec_len (sa->rekey) > 0)
+ if (sa->rekey[0].notify_type)
+ ikev2_payload_add_notify (chain, sa->rekey[0].notify_type, 0);
+ else
{
ikev2_payload_add_sa (chain, sa->rekey[0].r_proposal);
ikev2_payload_add_nonce (chain, sa->r_nonce);
IKEV2_PAYLOAD_TSI);
ikev2_payload_add_ts (chain, sa->rekey[0].tsr,
IKEV2_PAYLOAD_TSR);
- vec_del1 (sa->rekey, 0);
- }
- else if (sa->unsupported_cp)
- {
- u8 *data = vec_new (u8, 1);
-
- data[0] = sa->unsupported_cp;
- ikev2_payload_add_notify (chain,
- IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD,
- data);
- vec_free (data);
- sa->unsupported_cp = 0;
- }
- else
- {
- ikev2_payload_add_notify (chain,
- IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
- 0);
}
+ vec_del1 (sa->rekey, 0);
+ }
+ else if (vec_len (sa->new_child) > 0)
+ {
+ ikev2_payload_add_sa (chain, sa->new_child[0].r_proposal);
+ ikev2_payload_add_nonce (chain, sa->r_nonce);
+ ikev2_payload_add_ts (chain, sa->new_child[0].tsi,
+ IKEV2_PAYLOAD_TSI);
+ ikev2_payload_add_ts (chain, sa->new_child[0].tsr,
+ IKEV2_PAYLOAD_TSR);
+ vec_del1 (sa->new_child, 0);
+ }
+ else if (sa->unsupported_cp)
+ {
+ u8 *data = vec_new (u8, 1);
+
+ data[0] = sa->unsupported_cp;
+ ikev2_payload_add_notify (
+ chain, IKEV2_NOTIFY_MSG_UNSUPPORTED_CRITICAL_PAYLOAD, data);
+ vec_free (data);
+ sa->unsupported_cp = 0;
+ }
+ else
+ {
+ ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NO_ADDITIONAL_SAS,
+ 0);
}
}
ike->version = IKE_VERSION_2;
ike->nextpayload = IKEV2_PAYLOAD_SK;
tlen = sizeof (*ike);
- if (sa->is_initiator)
- {
- ike->flags = IKEV2_HDR_FLAG_INITIATOR;
- sa->last_init_msg_id = clib_net_to_host_u32 (ike->msgid);
- }
- else
- {
- ike->flags = IKEV2_HDR_FLAG_RESPONSE;
- }
+ if (sa->is_initiator)
+ ike->flags |= IKEV2_HDR_FLAG_INITIATOR;
if (ike->exchange == IKEV2_EXCHANGE_SA_INIT)
{
}
static u32
-ikev2_retransmit_sa_init (ike_header_t * ike, ip4_address_t iaddr,
- ip4_address_t raddr, u32 rlen)
+ikev2_retransmit_sa_init_one (ikev2_sa_t * sa, ike_header_t * ike,
+ ip_address_t iaddr, ip_address_t raddr,
+ u32 rlen)
{
- ikev2_main_t *km = &ikev2_main;
- ikev2_sa_t *sa;
- u32 thread_index = vlib_get_thread_index ();
-
- /* *INDENT-OFF* */
- pool_foreach (sa, km->per_thread_data[thread_index].sas, ({
- if (sa->ispi == clib_net_to_host_u64(ike->ispi) &&
- sa->iaddr.as_u32 == iaddr.as_u32 &&
- sa->raddr.as_u32 == raddr.as_u32)
- {
- int p = 0;
- u8 payload = ike->nextpayload;
+ int p = 0;
+ ike_header_t *tmp;
+ u8 payload = ike->nextpayload;
- while (p < rlen && payload!= IKEV2_PAYLOAD_NONE) {
- ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
- u32 plen = clib_net_to_host_u16 (ikep->length);
- if (plen > p + sizeof (*ike))
- return ~0;
+ if (sa->ispi != clib_net_to_host_u64 (ike->ispi) ||
+ ip_address_cmp (&sa->iaddr, &iaddr) ||
+ ip_address_cmp (&sa->raddr, &raddr))
+ {
+ return 0;
+ }
- if (plen < sizeof(ike_payload_header_t))
- return ~0;
+ while (p < rlen && payload != IKEV2_PAYLOAD_NONE)
+ {
+ ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
+ u32 plen = clib_net_to_host_u16 (ikep->length);
- if (payload == IKEV2_PAYLOAD_NONCE)
- {
- if (!clib_memcmp(sa->i_nonce, ikep->payload,
- plen - sizeof(*ikep)))
- {
- /* req is retransmit */
- if (sa->state == IKEV2_STATE_SA_INIT)
- {
- ike_header_t * tmp = (ike_header_t*)sa->last_sa_init_res_packet_data;
- u32 slen = clib_net_to_host_u32(tmp->length);
- ike->ispi = tmp->ispi;
- ike->rspi = tmp->rspi;
- ike->nextpayload = tmp->nextpayload;
- ike->version = tmp->version;
- ike->exchange = tmp->exchange;
- ike->flags = tmp->flags;
- ike->msgid = tmp->msgid;
- ike->length = tmp->length;
- clib_memcpy_fast(ike->payload, tmp->payload, slen - sizeof(*ike));
- ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
- "ispi %lx IKE_SA_INIT retransmit "
- "from %d.%d.%d.%d to %d.%d.%d.%d",
- ike->ispi,
- raddr.as_u32, iaddr.as_u32);
- return slen;
- }
- /* else ignore req */
- else
- {
- ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
- "ispi %lx IKE_SA_INIT ignore "
- "from %d.%d.%d.%d to %d.%d.%d.%d",
- ike->ispi,
- raddr.as_u32, iaddr.as_u32);
- return ~0;
- }
- }
- }
- payload = ikep->nextpayload;
- p+=plen;
- }
- }
- }));
+ if (plen < sizeof (ike_payload_header_t))
+ return ~0;
+
+ if (payload == IKEV2_PAYLOAD_NONCE &&
+ !clib_memcmp (sa->i_nonce, ikep->payload, plen - sizeof (*ikep)))
+ {
+ /* req is retransmit */
+ if (sa->state == IKEV2_STATE_SA_INIT)
+ {
+ sa->stats.n_init_retransmit++;
+ tmp = (ike_header_t *) sa->last_sa_init_res_packet_data;
+ u32 slen = clib_net_to_host_u32 (tmp->length);
+ ike->ispi = tmp->ispi;
+ ike->rspi = tmp->rspi;
+ ike->nextpayload = tmp->nextpayload;
+ ike->version = tmp->version;
+ ike->exchange = tmp->exchange;
+ ike->flags = tmp->flags;
+ ike->msgid = tmp->msgid;
+ ike->length = tmp->length;
+ clib_memcpy_fast (ike->payload, tmp->payload,
+ slen - sizeof (*ike));
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
+ "ispi %lx IKE_SA_INIT retransmit "
+ "from %d.%d.%d.%d to %d.%d.%d.%d",
+ ike->ispi,
+ ip_addr_v4 (&raddr).as_u32,
+ ip_addr_v4 (&iaddr).as_u32);
+ return slen;
+ }
+ /* else ignore req */
+ else
+ {
+ ikev2_elog_uint_peers (IKEV2_LOG_DEBUG,
+ "ispi %lx IKE_SA_INIT ignore "
+ "from %d.%d.%d.%d to %d.%d.%d.%d",
+ ike->ispi,
+ ip_addr_v4 (&raddr).as_u32,
+ ip_addr_v4 (&iaddr).as_u32);
+ return ~0;
+ }
+ }
+ payload = ikep->nextpayload;
+ p += plen;
+ }
+
+ return 0;
+}
+
+static u32
+ikev2_retransmit_sa_init (ike_header_t * ike, ip_address_t iaddr,
+ ip_address_t raddr, u32 rlen)
+{
+ ikev2_sa_t *sa;
+ u32 res;
+ ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
+
+ /* *INDENT-OFF* */
+ pool_foreach (sa, ptd->sas) {
+ res = ikev2_retransmit_sa_init_one (sa, ike, iaddr, raddr, rlen);
+ if (res)
+ return res;
+ }
/* *INDENT-ON* */
/* req is not retransmit */
static u32
ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
{
+ if (ike_hdr_is_response (ike))
+ return 0;
+
u32 msg_id = clib_net_to_host_u32 (ike->msgid);
/* new req */
- if (msg_id > sa->last_msg_id)
+ if (msg_id > sa->last_msg_id || sa->last_msg_id == ~0)
{
sa->last_msg_id = msg_id;
return 0;
/* retransmitted req */
if (msg_id == sa->last_msg_id)
{
+ sa->stats.n_retransmit++;
ike_header_t *tmp = (ike_header_t *) sa->last_res_packet_data;
u32 slen = clib_net_to_host_u32 (tmp->length);
ike->ispi = tmp->ispi;
ike->length = tmp->length;
clib_memcpy_fast (ike->payload, tmp->payload, slen - sizeof (*ike));
ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE retransmit msgid %d",
- msg_id, sa->raddr.as_u32, sa->iaddr.as_u32);
+ msg_id, ip_addr_v4 (&sa->raddr).as_u32,
+ ip_addr_v4 (&sa->iaddr).as_u32);
return slen;
}
/* old req ignore */
ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE req ignore msgid %d",
- msg_id, sa->raddr.as_u32, sa->iaddr.as_u32);
+ msg_id, ip_addr_v4 (&sa->raddr).as_u32,
+ ip_addr_v4 (&sa->iaddr).as_u32);
return ~0;
}
sizeof (ispi));
}
+static void
+ikev2_rewrite_v6_addrs (ikev2_sa_t *sa, ip6_header_t *ih)
+{
+ if (sa->is_initiator)
+ {
+ ip_address_copy_addr (&ih->dst_address, &sa->raddr);
+ ip_address_copy_addr (&ih->src_address, &sa->iaddr);
+ }
+ else
+ {
+ ip_address_copy_addr (&ih->dst_address, &sa->iaddr);
+ ip_address_copy_addr (&ih->src_address, &sa->raddr);
+ }
+}
+
+static void
+ikev2_rewrite_v4_addrs (ikev2_sa_t *sa, ip4_header_t *ih)
+{
+ if (sa->is_initiator)
+ {
+ ip_address_copy_addr (&ih->dst_address, &sa->raddr);
+ ip_address_copy_addr (&ih->src_address, &sa->iaddr);
+ }
+ else
+ {
+ ip_address_copy_addr (&ih->dst_address, &sa->iaddr);
+ ip_address_copy_addr (&ih->src_address, &sa->raddr);
+ }
+}
+
+static void
+ikev2_set_ip_address (ikev2_sa_t *sa, const void *iaddr, const void *raddr,
+ const ip_address_family_t af)
+{
+ ip_address_set (&sa->raddr, raddr, af);
+ ip_address_set (&sa->iaddr, iaddr, af);
+}
+
+static void
+ikev2_elog_uint_peers_addr (u32 exchange, ip4_header_t * ip4,
+ ip6_header_t * ip6, u8 is_ip4)
+{
+ u32 src, dst;
+ if (is_ip4)
+ {
+ src = ip4->src_address.as_u32;
+ dst = ip4->dst_address.as_u32;
+ }
+ else
+ {
+ src = ip6->src_address.as_u32[3];
+ dst = ip6->dst_address.as_u32[3];
+ }
+ ikev2_elog_uint_peers (IKEV2_LOG_WARNING, "IKEv2 exchange %d "
+ "received from %d.%d.%d.%d to %d.%d.%d.%d",
+ exchange, src, dst);
+}
+
+static void
+ikev2_generate_sa_init_data_and_log (ikev2_sa_t * sa)
+{
+ ikev2_generate_sa_error_t rc = ikev2_generate_sa_init_data (sa);
+
+ if (PREDICT_TRUE (rc == IKEV2_GENERATE_SA_INIT_OK))
+ return;
+
+ if (rc == IKEV2_GENERATE_SA_INIT_ERR_NO_DH)
+ ikev2_elog_error (IKEV2_GENERATE_SA_INIT_OK_ERR_NO_DH_STR);
+ else if (rc == IKEV2_GENERATE_SA_INIT_ERR_UNSUPPORTED_DH)
+ ikev2_elog_error (IKEV2_GENERATE_SA_INIT_OK_ERR_UNSUPP_STR);
+}
+
+static void
+ikev2_update_stats (vlib_main_t *vm, u32 node_index, ikev2_stats_t *s)
+{
+ vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_KEEPALIVE,
+ s->n_keepalives);
+ vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_REKEY_REQ,
+ s->n_rekey_req);
+ vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_INIT_SA_REQ,
+ s->n_sa_init_req);
+ vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_IKE_AUTH_REQ,
+ s->n_sa_auth_req);
+}
+
static uword
-ikev2_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
+ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
+ vlib_frame_t *frame, u8 is_ip4, u8 natt)
{
u32 n_left = frame->n_vectors, *from;
ikev2_main_t *km = &ikev2_main;
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
+ ikev2_stats_t _stats, *stats = &_stats;
int res;
+ /* no NAT traversal for ip6 */
+ ASSERT (!natt || is_ip4);
+
+ clib_memset_u16 (stats, 0, sizeof (stats[0]) / sizeof (u16));
from = vlib_frame_vector_args (frame);
vlib_get_buffers (vm, from, bufs, n_left);
b = bufs;
while (n_left > 0)
{
vlib_buffer_t *b0 = b[0];
- next[0] = IKEV2_NEXT_ERROR_DROP;
- ip4_header_t *ip40;
+ next[0] = is_ip4 ? IKEV2_NEXT_IP4_ERROR_DROP
+ : IKEV2_NEXT_IP6_ERROR_DROP;
+ ip4_header_t *ip40 = 0;
+ ip6_header_t *ip60 = 0;
udp_header_t *udp0;
ike_header_t *ike0;
ikev2_sa_t *sa0 = 0;
ikev2_sa_t sa; /* temporary store for SA */
u32 rlen, slen = 0;
- int is_req = 0, has_non_esp_marker = 0;
+ int ip_hdr_sz = 0;
+ int is_req = 0;
- if (b0->punt_reason == ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0])
+ if (natt)
{
u8 *ptr = vlib_buffer_get_current (b0);
ip40 = (ip4_header_t *) ptr;
udp0 = (udp_header_t *) ptr;
ptr += sizeof (*udp0);
ike0 = (ike_header_t *) ptr;
+ ip_hdr_sz = sizeof (*ip40);
}
else
{
+ u8 *ipx_hdr = b0->data + vnet_buffer (b0)->l3_hdr_offset;
ike0 = vlib_buffer_get_current (b0);
vlib_buffer_advance (b0, -sizeof (*udp0));
udp0 = vlib_buffer_get_current (b0);
- vlib_buffer_advance (b0, -sizeof (*ip40));
- ip40 = vlib_buffer_get_current (b0);
+
+ if (is_ip4)
+ {
+ ip40 = (ip4_header_t *) ipx_hdr;
+ ip_hdr_sz = sizeof (*ip40);
+ }
+ else
+ {
+ ip60 = (ip6_header_t *) ipx_hdr;
+ ip_hdr_sz = sizeof (*ip60);
+ }
+ vlib_buffer_advance (b0, -ip_hdr_sz);
}
- rlen = b0->current_length - sizeof (*ip40) - sizeof (*udp0);
+ rlen = b0->current_length - ip_hdr_sz - sizeof (*udp0);
/* check for non-esp marker */
- if (*((u32 *) ike0) == 0)
+ if (natt)
{
+ ASSERT (*((u32 *) ike0) == 0);
ike0 =
(ike_header_t *) ((u8 *) ike0 + sizeof (ikev2_non_esp_marker));
rlen -= sizeof (ikev2_non_esp_marker);
- has_non_esp_marker = 1;
}
if (clib_net_to_host_u32 (ike0->length) != rlen)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_BAD_LENGTH, 1);
goto dispatch0;
}
if (ike0->version != IKE_VERSION_2)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_NOT_IKEV2, 1);
goto dispatch0;
}
sa0 = &sa;
clib_memset (sa0, 0, sizeof (*sa0));
- if (ike0->flags & IKEV2_HDR_FLAG_INITIATOR)
+ if (ike_hdr_is_initiator (ike0))
{
+ sa0->stats.n_sa_init_req++;
+ stats->n_sa_init_req++;
if (ike0->rspi == 0)
{
- sa0->raddr.as_u32 = ip40->dst_address.as_u32;
- sa0->iaddr.as_u32 = ip40->src_address.as_u32;
+ if (is_ip4)
+ ikev2_set_ip_address (sa0, &ip40->src_address,
+ &ip40->dst_address, AF_IP4);
+ else
+ ikev2_set_ip_address (sa0, &ip60->src_address,
+ &ip60->dst_address, AF_IP6);
+
sa0->dst_port = clib_net_to_host_u16 (udp0->src_port);
slen =
sa0->raddr, rlen);
if (slen)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
~0 ==
slen ?
IKEV2_ERROR_IKE_SA_INIT_IGNORE
goto dispatch0;
}
- res = ikev2_process_sa_init_req (vm, sa0, ike0, udp0, rlen);
+ res = ikev2_process_sa_init_req (
+ vm, sa0, ike0, udp0, rlen,
+ vnet_buffer (b0)->sw_if_index[VLIB_RX]);
if (!res)
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_MALFORMED_PACKET,
1);
sa0->r_proposals =
ikev2_select_proposal (sa0->i_proposals,
IKEV2_PROTOCOL_IKE);
- ikev2_generate_sa_init_data (sa0);
+ ikev2_generate_sa_init_data_and_log (sa0);
}
if (sa0->state == IKEV2_STATE_SA_INIT
|| sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE)
{
- slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
if (~0 == slen)
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_NO_BUFF_SPACE,
1);
}
}
else //received sa_init without initiator flag
{
- sa0->raddr.as_u32 = ip40->src_address.as_u32;
- sa0->iaddr.as_u32 = ip40->dst_address.as_u32;
+ if (is_ip4)
+ ikev2_set_ip_address (sa0, &ip40->dst_address,
+ &ip40->src_address, AF_IP4);
+ else
+ ikev2_set_ip_address (sa0, &ip60->dst_address,
+ &ip60->src_address, AF_IP6);
+
ikev2_process_sa_init_resp (vm, sa0, ike0, udp0, rlen);
if (sa0->state == IKEV2_STATE_SA_INIT)
ikev2_complete_sa_data (sa0, sai);
ikev2_calc_keys (sa0);
ikev2_sa_auth_init (sa0);
- slen =
- ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
+ ike0->msgid =
+ clib_net_to_host_u32 (sai->last_init_msg_id);
+ sa0->last_init_msg_id = sai->last_init_msg_id + 1;
+ slen = ikev2_generate_message (b0, sa0, ike0, 0,
+ udp0, stats);
if (~0 == slen)
vlib_node_increment_counter (vm,
- ikev2_node.index,
+ node->node_index,
IKEV2_ERROR_NO_BUFF_SPACE,
1);
}
slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
~0 ==
slen ?
IKEV2_ERROR_IKE_REQ_IGNORE
if (res)
ikev2_sa_auth (sa0);
else
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_MALFORMED_PACKET, 1);
if (sa0->state == IKEV2_STATE_AUTHENTICATED)
{
- ikev2_initial_contact_cleanup (sa0);
+ ikev2_initial_contact_cleanup (ptd, sa0);
ikev2_sa_match_ts (sa0);
if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE)
ikev2_create_tunnel_interface (vm, sa0,
if (sa0->is_initiator)
{
+ sa0->last_msg_id = ~0;
ikev2_del_sa_init (sa0->ispi);
}
else
{
- slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ sa0->stats.n_sa_auth_req++;
+ stats->n_sa_auth_req++;
+ ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
if (~0 == slen)
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_NO_BUFF_SPACE,
1);
}
slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
~0 ==
slen ?
IKEV2_ERROR_IKE_REQ_IGNORE
res = ikev2_process_informational_req (vm, sa0, ike0, rlen);
if (!res)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_MALFORMED_PACKET,
1);
slen = ~0;
}
}
}
- if (!(ike0->flags & IKEV2_HDR_FLAG_RESPONSE))
+ if (ike_hdr_is_request (ike0))
{
- ike0->flags |= IKEV2_HDR_FLAG_RESPONSE;
- slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
if (~0 == slen)
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_NO_BUFF_SPACE,
1);
}
slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
~0 ==
slen ?
IKEV2_ERROR_IKE_REQ_IGNORE
res = ikev2_process_create_child_sa_req (vm, sa0, ike0, rlen);
if (!res)
{
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_MALFORMED_PACKET,
1);
slen = ~0;
goto dispatch0;
}
- if (sa0->rekey)
+ if (vec_len (sa0->rekey) > 0)
{
- if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
+ if (!sa0->rekey[0].notify_type &&
+ sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
{
- if (sa0->childs)
+ if (vec_len (sa0->childs) > 0)
ikev2_sa_free_all_child_sa (&sa0->childs);
ikev2_child_sa_t *child;
vec_add2 (sa0->childs, child, 1);
ikev2_create_tunnel_interface (vm, sa0, child, p[0],
child - sa0->childs, 1);
}
- if (sa0->is_initiator)
+ if (ike_hdr_is_response (ike0))
{
vec_free (sa0->rekey);
}
else
{
- slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ stats->n_rekey_req++;
+ sa0->stats.n_rekey_req++;
+ ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
if (~0 == slen)
- vlib_node_increment_counter (vm, ikev2_node.index,
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_NO_BUFF_SPACE,
1);
}
}
+ else if (vec_len (sa0->new_child) > 0)
+ {
+ ikev2_child_sa_t *c;
+ vec_add2 (sa0->childs, c, 1);
+ memset (c, 0, sizeof (*c));
+ c->r_proposals = sa0->new_child[0].r_proposal;
+ c->i_proposals = sa0->new_child[0].i_proposal;
+ c->tsi = sa0->new_child[0].tsi;
+ c->tsr = sa0->new_child[0].tsr;
+ ikev2_create_tunnel_interface (vm, sa0, c, p[0],
+ c - sa0->childs, 0);
+ if (ike_hdr_is_request (ike0))
+ {
+ ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0, 0);
+ if (~0 == slen)
+ vlib_node_increment_counter (
+ vm, node->node_index, IKEV2_ERROR_NO_BUFF_SPACE, 1);
+ }
+ }
}
}
else
{
- ikev2_elog_uint_peers (IKEV2_LOG_WARNING, "IKEv2 exchange %d "
- "received from %d.%d.%d.%d to %d.%d.%d.%d",
- ike0->exchange,
- ip40->src_address.as_u32,
- ip40->dst_address.as_u32);
+ ikev2_elog_uint_peers_addr (ike0->exchange, ip40, ip60, is_ip4);
}
dispatch0:
/* if we are sending packet back, rewrite headers */
if (slen && ~0 != slen)
{
- next[0] = IKEV2_NEXT_IP4_LOOKUP;
- if (sa0->is_initiator)
+ if (is_ip4)
{
- ip40->dst_address.as_u32 = sa0->raddr.as_u32;
- ip40->src_address.as_u32 = sa0->iaddr.as_u32;
+ next[0] = IKEV2_NEXT_IP4_LOOKUP;
+ ikev2_rewrite_v4_addrs (sa0, ip40);
}
else
{
- ip40->dst_address.as_u32 = sa0->iaddr.as_u32;
- ip40->src_address.as_u32 = sa0->raddr.as_u32;
+ next[0] = IKEV2_NEXT_IP6_LOOKUP;
+ ikev2_rewrite_v6_addrs (sa0, ip60);
}
if (is_req)
clib_net_to_host_u16 (ikev2_get_port (sa0));
if (udp0->dst_port == clib_net_to_host_u16 (IKEV2_PORT_NATT)
- && sa0->natt)
+ && ikev2_natt_active (sa0))
{
- if (!has_non_esp_marker)
+ if (!natt)
slen = ikev2_insert_non_esp_marker (ike0, slen);
}
}
else
{
- if (has_non_esp_marker)
+ if (natt)
slen += sizeof (ikev2_non_esp_marker);
u16 tp = udp0->dst_port;
udp0->length = clib_host_to_net_u16 (slen + sizeof (udp_header_t));
udp0->checksum = 0;
- b0->current_length =
- slen + sizeof (ip4_header_t) + sizeof (udp_header_t);
- ip40->length = clib_host_to_net_u16 (b0->current_length);
- ip40->checksum = ip4_header_checksum (ip40);
+ b0->current_length = slen + ip_hdr_sz + sizeof (udp_header_t);
+ if (is_ip4)
+ {
+ ip40->length = clib_host_to_net_u16 (b0->current_length);
+ ip40->checksum = ip4_header_checksum (ip40);
+ }
+ else
+ {
+ ip60->payload_length =
+ clib_host_to_net_u16 (b0->current_length - sizeof (*ip60));
+ }
}
/* delete sa */
if (sa0 && (sa0->state == IKEV2_STATE_DELETED ||
vec_foreach (c, sa0->childs)
ikev2_delete_tunnel_interface (km->vnet_main, sa0, c);
- ikev2_delete_sa (sa0);
+ ikev2_delete_sa (ptd, sa0);
}
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
&& (b0->flags & VLIB_BUFFER_IS_TRACED)))
b += 1;
}
- vlib_node_increment_counter (vm, ikev2_node.index,
+ ikev2_update_stats (vm, node->node_index, stats);
+ vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_PROCESSED, frame->n_vectors);
vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
return frame->n_vectors;
}
+static uword
+ikev2_ip4 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 0);
+}
+
+static uword
+ikev2_ip4_natt (vlib_main_t *vm, vlib_node_runtime_t *node,
+ vlib_frame_t *frame)
+{
+ return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 1 /* natt */);
+}
+
+static uword
+ikev2_ip6 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return ikev2_node_internal (vm, node, frame, 0 /* is_ip4 */, 0);
+}
+
/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ikev2_node,static) = {
- .function = ikev2_node_fn,
- .name = "ikev2",
+VLIB_REGISTER_NODE (ikev2_node_ip4,static) = {
+ .function = ikev2_ip4,
+ .name = "ikev2-ip4",
.vector_size = sizeof (u32),
.format_trace = format_ikev2_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ikev2_error_strings),
- .error_strings = ikev2_error_strings,
+ .n_errors = IKEV2_N_ERROR,
+ .error_counters = ikev2_error_counters,
- .n_next_nodes = IKEV2_N_NEXT,
+ .n_next_nodes = IKEV2_IP4_N_NEXT,
+ .next_nodes = {
+ [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
+ [IKEV2_NEXT_IP4_ERROR_DROP] = "error-drop",
+ },
+};
+VLIB_REGISTER_NODE (ikev2_node_ip4_natt,static) = {
+ .function = ikev2_ip4_natt,
+ .name = "ikev2-ip4-natt",
+ .vector_size = sizeof (u32),
+ .format_trace = format_ikev2_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = IKEV2_N_ERROR,
+ .error_counters = ikev2_error_counters,
+
+ .n_next_nodes = IKEV2_IP4_N_NEXT,
.next_nodes = {
[IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup",
- [IKEV2_NEXT_ERROR_DROP] = "error-drop",
+ [IKEV2_NEXT_IP4_ERROR_DROP] = "error-drop",
+ },
+};
+
+VLIB_REGISTER_NODE (ikev2_node_ip6,static) = {
+ .function = ikev2_ip6,
+ .name = "ikev2-ip6",
+ .vector_size = sizeof (u32),
+ .format_trace = format_ikev2_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = IKEV2_N_ERROR,
+ .error_counters = ikev2_error_counters,
+
+ .n_next_nodes = IKEV2_IP6_N_NEXT,
+ .next_nodes = {
+ [IKEV2_NEXT_IP6_LOOKUP] = "ip6-lookup",
+ [IKEV2_NEXT_IP6_ERROR_DROP] = "error-drop",
},
};
/* *INDENT-ON* */
static void
-ikev2_send_ike (vlib_main_t * vm, ip4_address_t * src, ip4_address_t * dst,
+ikev2_send_ike (vlib_main_t * vm, ip_address_t * src, ip_address_t * dst,
u32 bi0, u32 len, u16 src_port, u16 dst_port, u32 sw_if_index)
{
ip4_header_t *ip40;
+ ip6_header_t *ip60;
udp_header_t *udp0;
vlib_buffer_t *b0;
vlib_frame_t *f;
b0 = vlib_get_buffer (vm, bi0);
vlib_buffer_advance (b0, -sizeof (udp_header_t));
udp0 = vlib_buffer_get_current (b0);
- vlib_buffer_advance (b0, -sizeof (ip4_header_t));
- ip40 = vlib_buffer_get_current (b0);
-
-
- ip40->ip_version_and_header_length = 0x45;
- ip40->tos = 0;
- ip40->fragment_id = 0;
- ip40->flags_and_fragment_offset = 0;
- ip40->ttl = 0xff;
- ip40->protocol = IP_PROTOCOL_UDP;
- ip40->dst_address.as_u32 = dst->as_u32;
- ip40->src_address.as_u32 = src->as_u32;
udp0->dst_port = clib_host_to_net_u16 (dst_port);
udp0->src_port = clib_host_to_net_u16 (src_port);
udp0->length = clib_host_to_net_u16 (len + sizeof (udp_header_t));
udp0->checksum = 0;
- b0->current_length = len + sizeof (ip4_header_t) + sizeof (udp_header_t);
- ip40->length = clib_host_to_net_u16 (b0->current_length);
- ip40->checksum = ip4_header_checksum (ip40);
+ if (ip_addr_version (dst) == AF_IP4)
+ {
+ vlib_buffer_advance (b0, -sizeof (ip4_header_t));
+ ip40 = vlib_buffer_get_current (b0);
+ ip40->ip_version_and_header_length = 0x45;
+ ip40->tos = 0;
+ ip40->fragment_id = 0;
+ ip40->flags_and_fragment_offset = 0;
+ ip40->ttl = 0xff;
+ ip40->protocol = IP_PROTOCOL_UDP;
+ ip40->dst_address.as_u32 = ip_addr_v4 (dst).as_u32;
+ ip40->src_address.as_u32 = ip_addr_v4 (src).as_u32;
+ b0->current_length =
+ len + sizeof (ip4_header_t) + sizeof (udp_header_t);
+ ip40->length = clib_host_to_net_u16 (b0->current_length);
+ ip40->checksum = ip4_header_checksum (ip40);
+ }
+ else
+ {
+ vlib_buffer_advance (b0, -sizeof (ip6_header_t));
+ ip60 = vlib_buffer_get_current (b0);
+
+ b0->current_length = len + sizeof (*ip60) + sizeof (udp_header_t);
+ ip60->ip_version_traffic_class_and_flow_label =
+ clib_host_to_net_u32 (0x6 << 28);
+ ip60->payload_length =
+ clib_host_to_net_u16 (b0->current_length - sizeof (*ip60));
+ ip60->protocol = IP_PROTOCOL_UDP;
+ ip60->hop_limit = 0xff;
+ clib_memcpy_fast (ip60->src_address.as_u8, ip_addr_v6 (src).as_u8,
+ sizeof (ip60->src_address));
+ clib_memcpy_fast (ip60->dst_address.as_u8, ip_addr_v6 (dst).as_u8,
+ sizeof (ip60->src_address));
+ }
+
+ b0->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
vnet_buffer (b0)->sw_if_index[VLIB_RX] = sw_if_index;
vnet_buffer (b0)->sw_if_index[VLIB_TX] = ~0;
+ u32 next_index = (ip_addr_version (dst) == AF_IP4) ?
+ ip4_lookup_node.index : ip6_lookup_node.index;
+
/* send the request */
- f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ f = vlib_get_frame_to_node (vm, next_index);
to_next = vlib_frame_vector_args (f);
to_next[0] = bi0;
f->n_vectors = 1;
- vlib_put_frame_to_node (vm, ip4_lookup_node.index, f);
+ vlib_put_frame_to_node (vm, next_index, f);
}
return 0;
}
-static_always_inline vnet_api_error_t
-ikev2_register_udp_port (ikev2_profile_t * p, u16 port)
+static vnet_api_error_t
+ikev2_register_udp_port (ikev2_profile_t *p, u16 port)
{
- ikev2_main_t *km = &ikev2_main;
- udp_dst_port_info_t *pi;
-
- uword *v = hash_get (km->udp_ports, port);
- pi = udp_get_dst_port_info (&udp_main, port, UDP_IP4);
-
- if (v)
- {
- /* IKE already uses this port, only increment reference counter */
- ASSERT (pi);
- v[0]++;
- }
- else
- {
- if (pi)
- return VNET_API_ERROR_UDP_PORT_TAKEN;
-
- udp_register_dst_port (km->vlib_main, port,
- ipsec4_tun_input_node.index, 1);
- hash_set (km->udp_ports, port, 1);
- }
+ ipsec_register_udp_port (port);
p->ipsec_over_udp_port = port;
return 0;
}
-static_always_inline void
-ikev2_unregister_udp_port (ikev2_profile_t * p)
+static void
+ikev2_unregister_udp_port (ikev2_profile_t *p)
{
- ikev2_main_t *km = &ikev2_main;
- uword *v;
-
if (p->ipsec_over_udp_port == IPSEC_UDP_PORT_NONE)
return;
- v = hash_get (km->udp_ports, p->ipsec_over_udp_port);
- if (!v)
- return;
-
- v[0]--;
-
- if (v[0] == 0)
- {
- udp_unregister_dst_port (km->vlib_main, p->ipsec_over_udp_port, 1);
- hash_unset (km->udp_ports, p->ipsec_over_udp_port);
- }
-
+ ipsec_unregister_udp_port (p->ipsec_over_udp_port);
p->ipsec_over_udp_port = IPSEC_UDP_PORT_NONE;
}
static void
ikev2_initiate_delete_ike_sa_internal (vlib_main_t * vm,
ikev2_main_per_thread_data_t * tkm,
- ikev2_sa_t * sa)
+ ikev2_sa_t * sa, u8 send_notification)
{
ikev2_main_t *km = &ikev2_main;
- ip4_address_t *src, *dst;
+ ip_address_t *src, *dst;
vlib_buffer_t *b0;
+ ikev2_child_sa_t *c;
/* Create the Initiator notification for IKE SA removal */
ike_header_t *ike0;
u32 bi0 = 0;
int len;
- bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
- if (!bi0)
- {
- ikev2_log_error ("buffer alloc failure");
- return;
- }
-
- ike0 = vlib_buffer_get_current (b0);
- ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
- ike0->ispi = clib_host_to_net_u64 (sa->ispi);
- ike0->rspi = clib_host_to_net_u64 (sa->rspi);
vec_resize (sa->del, 1);
sa->del->protocol_id = IKEV2_PROTOCOL_IKE;
sa->del->spi = sa->ispi;
- ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
- sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (b0, sa, ike0, 0, 0);
- if (~0 == len)
- return;
- if (sa->is_initiator)
+ if (send_notification)
{
- src = &sa->iaddr;
- dst = &sa->raddr;
- }
- else
- {
- dst = &sa->iaddr;
- src = &sa->raddr;
- }
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
+ if (!bi0)
+ {
+ ikev2_log_error ("buffer alloc failure");
+ goto delete_sa;
+ }
+
+ ike0 = vlib_buffer_get_current (b0);
+ ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
+ ike0->ispi = clib_host_to_net_u64 (sa->ispi);
+ ike0->rspi = clib_host_to_net_u64 (sa->rspi);
+ ike0->flags = 0;
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
+ sa->last_init_msg_id += 1;
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
+ if (~0 == len)
+ return;
+
+ if (ikev2_natt_active (sa))
+ len = ikev2_insert_non_esp_marker (ike0, len);
+
+ if (sa->is_initiator)
+ {
+ src = &sa->iaddr;
+ dst = &sa->raddr;
+ }
+ else
+ {
+ dst = &sa->iaddr;
+ src = &sa->raddr;
+ }
- ikev2_send_ike (vm, src, dst, bi0, len,
- ikev2_get_port (sa), sa->dst_port, 0);
+ ikev2_send_ike (vm, src, dst, bi0, len,
+ ikev2_get_port (sa), sa->dst_port, 0);
+ }
+delete_sa:
/* delete local SA */
- ikev2_child_sa_t *c;
vec_foreach (c, sa->childs)
ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
u32 *sai;
u32 *del_sai = 0;
+ /* *INDENT-OFF* */
+ pool_foreach (sa, km->sais) {
+ if (pi == sa->profile_index)
+ vec_add1 (del_sai, sa - km->sais);
+ }
+ /* *INDENT-ON* */
+
+ vec_foreach (sai, del_sai)
+ {
+ sa = pool_elt_at_index (km->sais, sai[0]);
+ ikev2_sa_free_all_vec (sa);
+ hash_unset (km->sa_by_ispi, sa->ispi);
+ pool_put (km->sais, sa);
+ }
+ vec_reset_length (del_sai);
+
vec_foreach (tkm, km->per_thread_data)
{
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
if (sa->profile_index != ~0 && pi == sa->profile_index)
vec_add1 (del_sai, sa - tkm->sas);
- }));
+ }
/* *INDENT-ON* */
vec_foreach (sai, del_sai)
{
sa = pool_elt_at_index (tkm->sas, sai[0]);
- ikev2_initiate_delete_ike_sa_internal (km->vlib_main, tkm, sa);
+ ikev2_initiate_delete_ike_sa_internal (km->vlib_main, tkm, sa, 1);
}
vec_reset_length (del_sai);
vec_free (del_sai);
}
+static void
+ikev2_profile_responder_free (ikev2_responder_t *r)
+{
+ vec_free (r->hostname);
+}
+
static void
ikev2_profile_free (ikev2_profile_t * p)
{
if (p->auth.key)
EVP_PKEY_free (p->auth.key);
+ ikev2_profile_responder_free (&p->responder);
+
vec_free (p->loc_id.data);
vec_free (p->rem_id.data);
}
+static void
+ikev2_bind (vlib_main_t *vm, ikev2_main_t *km)
+{
+ if (0 == km->bind_refcount)
+ {
+ udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
+ udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
+ udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
+ udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);
+
+ vlib_punt_register (km->punt_hdl,
+ ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0],
+ "ikev2-ip4-natt");
+ }
+
+ km->bind_refcount++;
+}
+
+static void
+ikev2_unbind (vlib_main_t *vm, ikev2_main_t *km)
+{
+ km->bind_refcount--;
+ if (0 == km->bind_refcount)
+ {
+ vlib_punt_unregister (km->punt_hdl,
+ ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0],
+ "ikev2-ip4-natt");
+
+ udp_unregister_dst_port (vm, IKEV2_PORT_NATT, 0);
+ udp_unregister_dst_port (vm, IKEV2_PORT_NATT, 1);
+ udp_unregister_dst_port (vm, IKEV2_PORT, 0);
+ udp_unregister_dst_port (vm, IKEV2_PORT, 1);
+ }
+}
+
+static void ikev2_lazy_init (ikev2_main_t *km);
+
clib_error_t *
ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add)
{
ikev2_main_t *km = &ikev2_main;
ikev2_profile_t *p;
+ ikev2_lazy_init (km);
+
if (is_add)
{
if (ikev2_profile_index_by_name (name))
p->tun_itf = ~0;
uword index = p - km->profiles;
mhash_set_mem (&km->profile_index_by_name, name, &index, 0);
+
+ ikev2_bind (vm, km);
}
else
{
if (!p)
return clib_error_return (0, "policy %v does not exists", name);
+ ikev2_unbind (vm, km);
+
ikev2_unregister_udp_port (p);
ikev2_cleanup_profile_sessions (km, p);
return 0;
}
+static int
+ikev2_is_id_supported (u8 id_type)
+{
+ return (id_type == IKEV2_ID_TYPE_ID_IPV4_ADDR ||
+ id_type == IKEV2_ID_TYPE_ID_IPV6_ADDR ||
+ id_type == IKEV2_ID_TYPE_ID_RFC822_ADDR ||
+ id_type == IKEV2_ID_TYPE_ID_FQDN);
+}
+
clib_error_t *
ikev2_set_profile_id (vlib_main_t * vm, u8 * name, u8 id_type, u8 * data,
int is_local)
ikev2_profile_t *p;
clib_error_t *r;
- if (id_type > IKEV2_ID_TYPE_ID_RFC822_ADDR
- && id_type < IKEV2_ID_TYPE_ID_KEY_ID)
+ if (!ikev2_is_id_supported (id_type))
{
r = clib_error_return (0, "unsupported identity type %U",
format_ikev2_id_type, id_type);
return 0;
}
+static void
+ikev2_set_ts_type (ikev2_ts_t *ts, const ip_address_t *addr)
+{
+ if (ip_addr_version (addr) == AF_IP4)
+ ts->ts_type = TS_IPV4_ADDR_RANGE;
+ else
+ ts->ts_type = TS_IPV6_ADDR_RANGE;
+}
+
+static void
+ikev2_set_ts_addrs (ikev2_ts_t *ts, const ip_address_t *start,
+ const ip_address_t *end)
+{
+ ip_address_copy (&ts->start_addr, start);
+ ip_address_copy (&ts->end_addr, end);
+}
+
clib_error_t *
ikev2_set_profile_ts (vlib_main_t * vm, u8 * name, u8 protocol_id,
- u16 start_port, u16 end_port, ip4_address_t start_addr,
- ip4_address_t end_addr, int is_local)
+ u16 start_port, u16 end_port, ip_address_t start_addr,
+ ip_address_t end_addr, int is_local)
{
ikev2_profile_t *p;
clib_error_t *r;
return r;
}
+ if (ip_addr_version (&start_addr) != ip_addr_version (&end_addr))
+ return clib_error_return (0, "IP address version mismatch!");
+
if (is_local)
{
- p->loc_ts.start_addr.as_u32 = start_addr.as_u32;
- p->loc_ts.end_addr.as_u32 = end_addr.as_u32;
+ ikev2_set_ts_addrs (&p->loc_ts, &start_addr, &end_addr);
p->loc_ts.start_port = start_port;
p->loc_ts.end_port = end_port;
p->loc_ts.protocol_id = protocol_id;
- p->loc_ts.ts_type = 7;
+ ikev2_set_ts_type (&p->loc_ts, &start_addr);
}
else
{
- p->rem_ts.start_addr.as_u32 = start_addr.as_u32;
- p->rem_ts.end_addr.as_u32 = end_addr.as_u32;
+ ikev2_set_ts_addrs (&p->rem_ts, &start_addr, &end_addr);
p->rem_ts.start_port = start_port;
p->rem_ts.end_port = end_port;
p->rem_ts.protocol_id = protocol_id;
- p->rem_ts.ts_type = 7;
+ ikev2_set_ts_type (&p->rem_ts, &start_addr);
}
return 0;
}
+clib_error_t *
+ikev2_set_profile_responder_hostname (vlib_main_t *vm, u8 *name, u8 *hostname,
+ u32 sw_if_index)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ p->responder.is_resolved = 0;
+ p->responder.sw_if_index = sw_if_index;
+ p->responder.hostname = vec_dup (hostname);
+
+ return 0;
+}
clib_error_t *
ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
- u32 sw_if_index, ip4_address_t ip4)
+ u32 sw_if_index, ip_address_t addr)
{
ikev2_profile_t *p;
clib_error_t *r;
return r;
}
+ p->responder.is_resolved = 1;
p->responder.sw_if_index = sw_if_index;
- p->responder.ip4 = ip4;
+ ip_address_copy (&p->responder.addr, &addr);
return 0;
}
u32 crypto_key_size)
{
ikev2_profile_t *p;
- clib_error_t *r;
p = ikev2_profile_index_by_name (name);
-
if (!p)
- {
- r = clib_error_return (0, "unknown profile %v", name);
- return r;
- }
+ return clib_error_return (0, "unknown profile %v", name);
+
+ if ((IKEV2_TRANSFORM_INTEG_TYPE_NONE != integ_alg) +
+ (IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 == crypto_alg) !=
+ 1)
+ return clib_error_return (0, "invalid cipher + integrity algorithm");
p->ike_ts.crypto_alg = crypto_alg;
p->ike_ts.integ_alg = integ_alg;
u8 is_set)
{
ikev2_profile_t *p = ikev2_profile_index_by_name (name);
- ikev2_main_t *km = &ikev2_main;
vnet_api_error_t rv = 0;
- uword *v;
if (!p)
return VNET_API_ERROR_INVALID_VALUE;
}
else
{
- v = hash_get (km->udp_ports, port);
- if (!v)
- return VNET_API_ERROR_IKE_NO_PORT;
-
if (p->ipsec_over_udp_port == IPSEC_UDP_PORT_NONE)
return VNET_API_ERROR_INVALID_VALUE;
return 0;
}
+static int
+ikev2_get_if_address (u32 sw_if_index, ip_address_family_t af,
+ ip_address_t * out_addr)
+{
+ ip4_address_t *if_ip4;
+ ip6_address_t *if_ip6;
+
+ if (af == AF_IP4)
+ {
+ if_ip4 = ip4_interface_first_address (&ip4_main, sw_if_index, 0);
+ if (if_ip4)
+ {
+ ip_address_set (out_addr, if_ip4, AF_IP4);
+ return 1;
+ }
+ }
+ else
+ {
+ if_ip6 = ip6_interface_first_address (&ip6_main, sw_if_index);
+ if (if_ip6)
+ {
+ ip_address_set (out_addr, if_ip6, AF_IP6);
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static clib_error_t *
+ikev2_resolve_responder_hostname (vlib_main_t *vm, ikev2_responder_t *r)
+{
+ ikev2_main_t *km = &ikev2_main;
+ dns_cache_entry_t *ep = 0;
+ dns_pending_request_t _t0, *t0 = &_t0;
+ dns_resolve_name_t _rn, *rn = &_rn;
+ u8 *name;
+ int rv;
+
+ if (!km->dns_resolve_name)
+ return clib_error_return (0, "cannot load symbols from dns plugin");
+
+ t0->request_type = DNS_API_PENDING_NAME_TO_IP;
+ /* VPP main curse: IKEv2 uses only non-NULL terminated vectors internally
+ * whereas DNS resolver expects a NULL-terminated C-string */
+ name = vec_dup (r->hostname);
+ vec_terminate_c_string (name);
+ rv = km->dns_resolve_name (name, &ep, t0, rn);
+ vec_free (name);
+ if (rv < 0)
+ return clib_error_return (0, "dns lookup failure");
+
+ if (ep == 0)
+ return 0;
+
+ ip_address_copy (&r->addr, &rn->address);
+ r->is_resolved = 1;
+ return 0;
+}
+
clib_error_t *
ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
{
ikev2_profile_t *p;
clib_error_t *r;
- ip4_main_t *im = &ip4_main;
ikev2_main_t *km = &ikev2_main;
+ vlib_buffer_t *b0;
+ ike_header_t *ike0;
+ u32 bi0 = 0;
+ int len = sizeof (ike_header_t), valid_ip = 0;
+ ip_address_t src_if_ip = ip_address_initializer;
p = ikev2_profile_index_by_name (name);
return r;
}
- if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0)
+ if (p->responder.sw_if_index == ~0 ||
+ (ip_address_is_zero (&p->responder.addr) &&
+ vec_len (p->responder.hostname) == 0))
{
r = clib_error_return (0, "responder not set for profile %v", name);
return r;
}
+ if (!p->responder.is_resolved)
+ {
+ /* try to resolve using dns plugin
+ * success does not mean we have resolved the name */
+ r = ikev2_resolve_responder_hostname (vm, &p->responder);
+ if (r)
+ return r;
+ }
- /* Create the Initiator Request */
- {
- vlib_buffer_t *b0;
- ike_header_t *ike0;
- u32 bi0 = 0;
- ip_lookup_main_t *lm = &im->lookup_main;
- u32 if_add_index0;
- int len = sizeof (ike_header_t);
-
- /* Get own iface IP */
- if_add_index0 =
- lm->if_address_pool_index_by_sw_if_index[p->responder.sw_if_index];
- ip_interface_address_t *if_add =
- pool_elt_at_index (lm->if_address_pool, if_add_index0);
- ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
-
- bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
- if (!bi0)
- {
- char *errmsg = "buffer alloc failure";
- ikev2_log_error (errmsg);
- return clib_error_return (0, errmsg);
- }
- ike0 = vlib_buffer_get_current (b0);
-
- /* Prepare the SA and the IKE payload */
- ikev2_sa_t sa;
- clib_memset (&sa, 0, sizeof (ikev2_sa_t));
- ikev2_payload_chain_t *chain = 0;
- ikev2_payload_new_chain (chain);
-
- /* Build the IKE proposal payload */
- ikev2_sa_proposal_t *proposals = 0;
- ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
- proposals[0].proposal_num = 1;
- proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
-
- /* Add and then cleanup proposal data */
- ikev2_payload_add_sa (chain, proposals);
- ikev2_sa_free_proposal_vector (&proposals);
-
- sa.is_initiator = 1;
- sa.profile_index = p - km->profiles;
- sa.state = IKEV2_STATE_SA_INIT;
- sa.tun_itf = p->tun_itf;
- sa.udp_encap = p->udp_encap;
- sa.ipsec_over_udp_port = p->ipsec_over_udp_port;
- sa.is_tun_itf_set = 1;
- sa.initial_contact = 1;
- sa.dst_port = IKEV2_PORT;
- ikev2_generate_sa_init_data (&sa);
- ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
- ikev2_payload_add_nonce (chain, sa.i_nonce);
-
- /* Build the child SA proposal */
- vec_resize (sa.childs, 1);
- ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
- &sa.childs[0].i_proposals, 0);
- sa.childs[0].i_proposals[0].proposal_num = 1;
- sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP;
- RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
- sizeof (sa.childs[0].i_proposals[0].spi));
-
- /* Add NAT detection notification messages (mandatory) */
- u8 *nat_detection_sha1 =
- ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa.ispi),
- clib_host_to_net_u64 (sa.rspi),
- if_ip->as_u32,
- clib_host_to_net_u16 (IKEV2_PORT));
-
- ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
- nat_detection_sha1);
- vec_free (nat_detection_sha1);
- nat_detection_sha1 =
- ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa.ispi),
- clib_host_to_net_u64 (sa.rspi),
- p->responder.ip4.as_u32,
- clib_host_to_net_u16 (sa.dst_port));
- ikev2_payload_add_notify (chain,
- IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
- nat_detection_sha1);
- vec_free (nat_detection_sha1);
-
- u8 *sig_hash_algo = vec_new (u8, 8);
- u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
- clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
- ikev2_payload_add_notify (chain,
- IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
- sig_hash_algo);
- vec_free (sig_hash_algo);
-
-
- /* Buffer update and boilerplate */
- len += vec_len (chain->data);
- ike0->nextpayload = chain->first_payload_type;
- ike0->length = clib_host_to_net_u32 (len);
- clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
- ikev2_payload_destroy_chain (chain);
-
- ike0->version = IKE_VERSION_2;
- ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
- ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
- ike0->ispi = clib_host_to_net_u64 (sa.ispi);
- ike0->rspi = 0;
- ike0->msgid = 0;
-
- /* store whole IKE payload - needed for PSK auth */
- vec_reset_length (sa.last_sa_init_req_packet_data);
- vec_add (sa.last_sa_init_req_packet_data, ike0, len);
-
- /* add data to the SA then add it to the pool */
- sa.iaddr.as_u32 = if_ip->as_u32;
- sa.raddr.as_u32 = p->responder.ip4.as_u32;
- sa.i_id.type = p->loc_id.type;
- sa.i_id.data = vec_dup (p->loc_id.data);
- sa.r_id.type = p->rem_id.type;
- sa.r_id.data = vec_dup (p->rem_id.data);
- sa.i_auth.method = p->auth.method;
- sa.i_auth.hex = p->auth.hex;
- sa.i_auth.data = vec_dup (p->auth.data);
- sa.sw_if_index = p->responder.sw_if_index;
- vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
- vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
-
- ikev2_initial_contact_cleanup (&sa);
-
- /* add SA to the pool */
- ikev2_sa_t *sa0 = 0;
- pool_get (km->sais, sa0);
- clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
- hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
-
- ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len,
- IKEV2_PORT, sa.dst_port, sa.sw_if_index);
-
- ikev2_elog_exchange ("ispi %lx rspi %lx IKEV2_EXCHANGE_SA_INIT sent to "
- "%d.%d.%d.%d", clib_host_to_net_u64 (sa0->ispi), 0,
- p->responder.ip4.as_u32);
- }
+ if (p->responder.is_resolved &&
+ ikev2_get_if_address (p->responder.sw_if_index,
+ ip_addr_version (&p->responder.addr), &src_if_ip))
+ {
+ valid_ip = 1;
+ }
+
+ /* Prepare the SA and the IKE payload */
+ ikev2_sa_t sa;
+ clib_memset (&sa, 0, sizeof (ikev2_sa_t));
+ ikev2_payload_chain_t *chain = 0;
+ ikev2_payload_new_chain (chain);
+
+ /* Build the IKE proposal payload */
+ ikev2_sa_proposal_t *proposals = 0;
+ ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
+ proposals[0].proposal_num = 1;
+ proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
+
+ /* Add and then cleanup proposal data */
+ ikev2_payload_add_sa (chain, proposals);
+ ikev2_sa_free_proposal_vector (&proposals);
+
+ sa.is_initiator = 1;
+ sa.profile_index = p - km->profiles;
+ sa.state = IKEV2_STATE_SA_INIT;
+ sa.tun_itf = p->tun_itf;
+ sa.udp_encap = p->udp_encap;
+ if (p->natt_disabled)
+ sa.natt_state = IKEV2_NATT_DISABLED;
+ sa.ipsec_over_udp_port = p->ipsec_over_udp_port;
+ sa.is_tun_itf_set = 1;
+ sa.initial_contact = 1;
+ sa.dst_port = IKEV2_PORT;
+
+ ikev2_generate_sa_error_t rc = ikev2_generate_sa_init_data (&sa);
+ if (rc != IKEV2_GENERATE_SA_INIT_OK)
+ {
+ ikev2_sa_free_all_vec (&sa);
+ ikev2_payload_destroy_chain (chain);
+ return clib_error_return (0, "%U", format_ikev2_gen_sa_error, rc);
+ }
+
+ ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
+ ikev2_payload_add_nonce (chain, sa.i_nonce);
+
+ /* Build the child SA proposal */
+ vec_resize (sa.childs, 1);
+ ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
+ &sa.childs[0].i_proposals, 0);
+ sa.childs[0].i_proposals[0].proposal_num = 1;
+ sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP;
+ RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
+ sizeof (sa.childs[0].i_proposals[0].spi));
+
+ /* Add NAT detection notification messages (mandatory) */
+ u8 *nat_detection_sha1 = ikev2_compute_nat_sha1 (
+ clib_host_to_net_u64 (sa.ispi), clib_host_to_net_u64 (sa.rspi), &src_if_ip,
+ clib_host_to_net_u16 (IKEV2_PORT));
+
+ ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
+ nat_detection_sha1);
+ vec_free (nat_detection_sha1);
+ nat_detection_sha1 =
+ ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa.ispi),
+ clib_host_to_net_u64 (sa.rspi),
+ &p->responder.addr,
+ clib_host_to_net_u16 (sa.dst_port));
+ ikev2_payload_add_notify (chain,
+ IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
+ nat_detection_sha1);
+ vec_free (nat_detection_sha1);
+
+ u8 *sig_hash_algo = vec_new (u8, 8);
+ u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
+ clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
+ ikev2_payload_add_notify (chain,
+ IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
+ sig_hash_algo);
+ vec_free (sig_hash_algo);
+
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
+ if (!bi0)
+ {
+ ikev2_sa_free_all_vec (&sa);
+ ikev2_payload_destroy_chain (chain);
+ char *errmsg = "buffer alloc failure";
+ ikev2_log_error (errmsg);
+ return clib_error_return (0, errmsg);
+ }
+ ike0 = vlib_buffer_get_current (b0);
+
+ /* Buffer update and boilerplate */
+ len += vec_len (chain->data);
+ ike0->nextpayload = chain->first_payload_type;
+ ike0->length = clib_host_to_net_u32 (len);
+ clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
+ ikev2_payload_destroy_chain (chain);
+
+ ike0->version = IKE_VERSION_2;
+ ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
+ ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
+ ike0->ispi = clib_host_to_net_u64 (sa.ispi);
+ ike0->rspi = 0;
+ ike0->msgid = 0;
+ sa.last_init_msg_id += 1;
+
+ /* store whole IKE payload - needed for PSK auth */
+ vec_reset_length (sa.last_sa_init_req_packet_data);
+ vec_add (sa.last_sa_init_req_packet_data, ike0, len);
+
+ /* add data to the SA then add it to the pool */
+ ip_address_copy (&sa.iaddr, &src_if_ip);
+ ip_address_copy (&sa.raddr, &p->responder.addr);
+ sa.i_id.type = p->loc_id.type;
+ sa.i_id.data = vec_dup (p->loc_id.data);
+ sa.r_id.type = p->rem_id.type;
+ sa.r_id.data = vec_dup (p->rem_id.data);
+ sa.i_auth.method = p->auth.method;
+ sa.i_auth.hex = p->auth.hex;
+ sa.i_auth.data = vec_dup (p->auth.data);
+ sa.sw_if_index = p->responder.sw_if_index;
+ vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
+ vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
+
+ ikev2_initial_contact_cleanup (0, &sa);
+
+ /* add SA to the pool */
+ ikev2_sa_t *sa0 = 0;
+ pool_get (km->sais, sa0);
+ clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
+ hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
+
+ if (valid_ip)
+ {
+ ikev2_send_ike (vm, &src_if_ip, &p->responder.addr, bi0, len, IKEV2_PORT,
+ sa.dst_port, sa.sw_if_index);
+
+ ikev2_elog_exchange
+ ("ispi %lx rspi %lx IKEV2_EXCHANGE_SA_INIT sent to ",
+ clib_host_to_net_u64 (sa0->ispi), 0,
+ ip_addr_v4 (&p->responder.addr).as_u32,
+ ip_addr_version (&p->responder.addr) == AF_IP4);
+ }
return 0;
}
ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
+ ike0->flags = 0;
vec_resize (sa->del, 1);
sa->del->protocol_id = IKEV2_PROTOCOL_ESP;
sa->del->spi = csa->i_proposals->spi;
- ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
- sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (b0, sa, ike0, 0, 0);
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
+ sa->last_init_msg_id += 1;
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
ikev2_get_port (sa), sa->dst_port, sa->sw_if_index);
if (fchild)
break;
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
if (fchild)
{
fsa = sa;
break;
}
- }));
+ }
/* *INDENT-ON* */
}
if (fsa)
break;
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
if (sa->ispi == ispi)
{
fsa = sa;
ftkm = tkm;
break;
}
- }));
+ }
/* *INDENT-ON* */
}
return r;
}
- ikev2_initiate_delete_ike_sa_internal (vm, ftkm, fsa);
+ ikev2_initiate_delete_ike_sa_internal (vm, ftkm, fsa, 1);
return 0;
}
ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
- ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
- sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
+ sa->last_init_msg_id += 1;
ikev2_rekey_t *rekey;
+ vec_reset_length (sa->rekey);
vec_add2 (sa->rekey, rekey, 1);
ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
rekey->spi = proposals[0].spi;
rekey->ispi = csa->i_proposals->spi;
- len = ikev2_generate_message (b0, sa, ike0, proposals, 0);
+ len = ikev2_generate_message (b0, sa, ike0, proposals, 0, 0);
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
ikev2_get_port (sa), ikev2_get_port (sa), sa->sw_if_index);
if (fchild)
break;
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
if (fchild)
{
fsa = sa;
break;
}
- }));
+ }
/* *INDENT-ON* */
}
return 0;
}
-clib_error_t *
-ikev2_init (vlib_main_t * vm)
+static int
+ikev2_sa_sw_if_match (ikev2_sa_t * sa, u32 sw_if_index)
{
+ return (sa->sw_if_index == sw_if_index) && sa->is_initiator;
+}
+
+static void
+ikev2_sa_del (ikev2_profile_t * p, u32 sw_if_index)
+{
+ u64 *ispi, *ispi_vec = 0;
+ ikev2_sa_t *sa, **sap, **sa_vec = 0;
ikev2_main_t *km = &ikev2_main;
- vlib_thread_main_t *tm = vlib_get_thread_main ();
- int thread_id;
+ ikev2_main_per_thread_data_t *tkm;
+ p->responder.sw_if_index = ~0;
- clib_memset (km, 0, sizeof (ikev2_main_t));
- km->vnet_main = vnet_get_main ();
- km->vlib_main = vm;
+ vec_foreach (tkm, km->per_thread_data)
+ {
+ /* *INDENT-OFF* */
+ pool_foreach (sa, tkm->sas) {
+ if (ikev2_sa_sw_if_match (sa, sw_if_index))
+ vec_add1 (sa_vec, sa);
+ }
+ /* *INDENT-ON* */
- km->liveness_period = IKEV2_LIVENESS_PERIOD_CHECK;
- km->liveness_max_retries = IKEV2_LIVENESS_RETRIES;
- ikev2_crypto_init (km);
+ vec_foreach (sap, sa_vec)
+ {
+ ikev2_initiate_delete_ike_sa_internal (km->vlib_main, tkm, *sap, 0);
+ }
+ vec_reset_length (sa_vec);
+ }
+ vec_free (sa_vec);
- mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword));
+ /* *INDENT-OFF* */
+ pool_foreach (sa, km->sais) {
+ if (ikev2_sa_sw_if_match (sa, sw_if_index))
+ vec_add1 (ispi_vec, sa->ispi);
+ }
+ /* *INDENT-ON* */
- vec_validate_aligned (km->per_thread_data, tm->n_vlib_mains - 1,
- CLIB_CACHE_LINE_BYTES);
- for (thread_id = 0; thread_id < tm->n_vlib_mains; thread_id++)
- {
- ikev2_main_per_thread_data_t *ptd =
- vec_elt_at_index (km->per_thread_data, thread_id);
+ vec_foreach (ispi, ispi_vec)
+ {
+ ikev2_del_sa_init_from_main (ispi);
+ }
- ptd->sa_by_rspi = hash_create (0, sizeof (uword));
+ vec_free (ispi_vec);
+}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ptd->evp_ctx = EVP_CIPHER_CTX_new ();
- ptd->hmac_ctx = HMAC_CTX_new ();
-#else
- EVP_CIPHER_CTX_init (&ptd->_evp_ctx);
- ptd->evp_ctx = &ptd->_evp_ctx;
- HMAC_CTX_init (&(ptd->_hmac_ctx));
- ptd->hmac_ctx = &ptd->_hmac_ctx;
-#endif
- }
+static clib_error_t *
+ikev2_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
+{
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_profile_t *p;
- km->sa_by_ispi = hash_create (0, sizeof (uword));
- km->sw_if_indices = hash_create (0, 0);
- km->udp_ports = hash_create (0, sizeof (uword));
+ if (is_add)
+ return 0;
+
+ /* *INDENT-OFF* */
+ pool_foreach (p, km->profiles) {
+ if (p->responder.sw_if_index == sw_if_index)
+ ikev2_sa_del (p, sw_if_index);
+ }
+ /* *INDENT-ON* */
- udp_register_dst_port (vm, IKEV2_PORT, ikev2_node.index, 1);
- udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node.index, 1);
+ return 0;
+}
- vlib_punt_hdl_t punt_hdl = vlib_punt_client_register ("ikev2");
- vlib_punt_register (punt_hdl, ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0],
- "ikev2");
- ikev2_cli_reference ();
+VNET_SW_INTERFACE_ADD_DEL_FUNCTION (ikev2_sw_interface_add_del);
+
+clib_error_t *
+ikev2_init (vlib_main_t * vm)
+{
+ ikev2_main_t *km = &ikev2_main;
+
+ clib_memset (km, 0, sizeof (ikev2_main_t));
km->log_level = IKEV2_LOG_ERROR;
km->log_class = vlib_log_register_class ("ikev2", 0);
+
+ km->vnet_main = vnet_get_main ();
+ km->vlib_main = vm;
+
+ km->liveness_period = IKEV2_LIVENESS_PERIOD_CHECK;
+ km->liveness_max_retries = IKEV2_LIVENESS_RETRIES;
+
return 0;
}
/* *INDENT-OFF* */
-VLIB_INIT_FUNCTION (ikev2_init) =
-{
- .runs_after = VLIB_INITS("ipsec_init", "ipsec_punt_init"),
+VLIB_INIT_FUNCTION (ikev2_init) = {
+ .runs_after = VLIB_INITS ("ipsec_init", "ipsec_punt_init"),
};
/* *INDENT-ON* */
ip46_address_t remote_ip;
if (sa->is_initiator)
{
- ip46_address_set_ip4 (&local_ip, &sa->iaddr);
- ip46_address_set_ip4 (&remote_ip, &sa->raddr);
+ local_ip = to_ip46 (ip_addr_version (&sa->iaddr),
+ ip_addr_bytes (&sa->iaddr));
+ remote_ip = to_ip46 (ip_addr_version (&sa->raddr),
+ ip_addr_bytes (&sa->raddr));
}
else
{
- ip46_address_set_ip4 (&local_ip, &sa->raddr);
- ip46_address_set_ip4 (&remote_ip, &sa->iaddr);
+ local_ip = to_ip46 (ip_addr_version (&sa->raddr),
+ ip_addr_bytes (&sa->raddr));
+ remote_ip = to_ip46 (ip_addr_version (&sa->iaddr),
+ ip_addr_bytes (&sa->iaddr));
}
/* *INDENT-OFF* */
u32 *sas_in = NULL;
vec_add1 (sas_in, csa->remote_sa_id);
vlib_worker_thread_barrier_sync (vm);
- ipsec_tun_protect_update (sw_if_index, NULL, csa->local_sa_id, sas_in);
+ int rv = ipsec_tun_protect_update (sw_if_index, NULL,
+ csa->local_sa_id, sas_in);
+ if (rv)
+ vec_free (sas_in);
ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id));
vlib_worker_thread_barrier_release (vm);
}
return 0;
}
+clib_error_t *
+ikev2_profile_natt_disable (u8 * name)
+{
+ ikev2_profile_t *p = ikev2_profile_index_by_name (name);
+ if (!p)
+ return clib_error_return (0, "unknown profile %v", name);
+
+ p->natt_disabled = 1;
+ return 0;
+}
+
static void
ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
{
if (fchild)
break;
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
fchild = ikev2_sa_get_child(sa, ipsec_sa->spi, IKEV2_PROTOCOL_ESP, 1);
if (fchild)
{
fsa = sa;
break;
}
- }));
+ }
/* *INDENT-ON* */
}
vlib_get_combined_counter (&ipsec_sa_counters,
}
static void
-ikev2_process_pending_sa_init (ikev2_main_t * km)
+ikev2_process_pending_sa_init_one (vlib_main_t *vm, ikev2_main_t *km,
+ ikev2_sa_t *sa)
+{
+ ikev2_profile_t *p;
+ u32 bi0;
+ u8 *nat_sha, *np;
+ p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+ if (!p->responder.is_resolved)
+ {
+ clib_error_t *r = ikev2_resolve_responder_hostname (vm, &p->responder);
+ if (r)
+ {
+ clib_error_free (r);
+ return;
+ }
+
+ if (!p->responder.is_resolved)
+ return;
+
+ ip_address_copy (&sa->raddr, &p->responder.addr);
+
+ /* update nat detection destination hash */
+ np = ikev2_find_ike_notify_payload (
+ (ike_header_t *) sa->last_sa_init_req_packet_data,
+ IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP);
+ if (np)
+ {
+ nat_sha = ikev2_compute_nat_sha1 (
+ clib_host_to_net_u64 (sa->ispi), clib_host_to_net_u64 (sa->rspi),
+ &sa->raddr, clib_host_to_net_u16 (sa->dst_port));
+ clib_memcpy_fast (np, nat_sha, vec_len (nat_sha));
+ vec_free (nat_sha);
+ }
+ }
+
+ if (ip_address_is_zero (&sa->iaddr))
+ {
+ if (!ikev2_get_if_address (p->responder.sw_if_index,
+ ip_addr_version (&p->responder.addr),
+ &sa->iaddr))
+ return;
+
+ /* update NAT detection payload */
+ np =
+ ikev2_find_ike_notify_payload
+ ((ike_header_t *) sa->last_sa_init_req_packet_data,
+ IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP);
+ if (np)
+ {
+ nat_sha =
+ ikev2_compute_nat_sha1 (clib_host_to_net_u64 (sa->ispi),
+ clib_host_to_net_u64 (sa->rspi),
+ &sa->iaddr,
+ clib_host_to_net_u16 (IKEV2_PORT));
+ clib_memcpy_fast (np, nat_sha, vec_len (nat_sha));
+ vec_free (nat_sha);
+ }
+ }
+
+ if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
+ return;
+
+ vlib_buffer_t *b = vlib_get_buffer (km->vlib_main, bi0);
+ clib_memcpy_fast (vlib_buffer_get_current (b),
+ sa->last_sa_init_req_packet_data,
+ vec_len (sa->last_sa_init_req_packet_data));
+
+ ikev2_send_ike (km->vlib_main, &sa->iaddr, &sa->raddr, bi0,
+ vec_len (sa->last_sa_init_req_packet_data),
+ ikev2_get_port (sa), IKEV2_PORT, sa->sw_if_index);
+}
+
+static void
+ikev2_process_pending_sa_init (vlib_main_t *vm, ikev2_main_t *km)
{
u32 sai;
u64 ispi;
if (sa->init_response_received)
continue;
- u32 bi0;
- if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
- return;
-
- vlib_buffer_t * b = vlib_get_buffer (km->vlib_main, bi0);
- clib_memcpy_fast (vlib_buffer_get_current (b),
- sa->last_sa_init_req_packet_data,
- vec_len (sa->last_sa_init_req_packet_data));
- ikev2_send_ike (km->vlib_main, &sa->iaddr, &sa->raddr, bi0,
- vec_len (sa->last_sa_init_req_packet_data),
- ikev2_get_port (sa), IKEV2_PORT, sa->sw_if_index);
+ ikev2_process_pending_sa_init_one (vm, km, sa);
}));
/* *INDENT-ON* */
}
-static vlib_node_registration_t ikev2_mngr_process_node;
-
static void
ikev2_send_informational_request (ikev2_sa_t * sa)
{
ikev2_main_t *km = &ikev2_main;
- ip4_address_t *src, *dst;
+ ip_address_t *src, *dst;
ike_header_t *ike0;
vlib_buffer_t *b0;
u32 bi0 = 0;
ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
- ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
- sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (b0, sa, ike0, 0, 0);
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id);
+ ike0->flags = 0;
+ sa->last_init_msg_id += 1;
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0, 0);
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
if (sa->is_initiator)
sa->sw_if_index);
}
-static_always_inline int
-ikev2_mngr_process_responder_sas (ikev2_sa_t * sa)
+void
+ikev2_disable_dpd (void)
+{
+ ikev2_main_t *km = &ikev2_main;
+ km->dpd_disabled = 1;
+}
+
+static int
+ikev2_mngr_process_responder_sas (ikev2_sa_t *sa)
{
ikev2_main_t *km = &ikev2_main;
vlib_main_t *vm = km->vlib_main;
vlib_frame_t * f)
{
ikev2_main_t *km = &ikev2_main;
- ipsec_main_t *im = &ipsec_main;
ikev2_profile_t *p;
ikev2_child_sa_t *c;
u32 *sai;
+ /* lazy init will wake it up */
+ vlib_process_wait_for_event (vm);
+
while (1)
{
- u8 req_sent = 0;
- vlib_process_wait_for_event_or_clock (vm, 1);
+ vlib_process_wait_for_event_or_clock (vm, 2);
vlib_process_get_events (vm, NULL);
/* process ike child sas */
u32 *to_be_deleted = 0;
/* *INDENT-OFF* */
- pool_foreach (sa, tkm->sas, ({
+ pool_foreach (sa, tkm->sas) {
ikev2_child_sa_t *c;
u8 del_old_ids = 0;
+
+ if (sa->state != IKEV2_STATE_AUTHENTICATED)
+ continue;
+
if (sa->old_remote_id_present && 0 > sa->old_id_expiration)
{
sa->old_remote_id_present = 0;
sa->old_id_expiration -= 1;
vec_foreach (c, sa->childs)
- {
- req_sent |= ikev2_mngr_process_child_sa(sa, c, del_old_ids);
- }
+ ikev2_mngr_process_child_sa(sa, c, del_old_ids);
- if (ikev2_mngr_process_responder_sas (sa))
+ if (!km->dpd_disabled && ikev2_mngr_process_responder_sas (sa))
vec_add1 (to_be_deleted, sa - tkm->sas);
- }));
+ }
/* *INDENT-ON* */
vec_foreach (sai, to_be_deleted)
{
sa = pool_elt_at_index (tkm->sas, sai[0]);
- u8 reinitiate = (sa->is_initiator && sa->profile_index != ~0);
+ const u32 profile_index = sa->profile_index;
+ const int reinitiate = (sa->is_initiator && profile_index != ~0);
vec_foreach (c, sa->childs)
{
ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
if (reinitiate)
{
- p = pool_elt_at_index (km->profiles, sa->profile_index);
+ p = pool_elt_at_index (km->profiles, profile_index);
if (p)
{
- ikev2_initiate_sa_init (vm, p->name);
+ clib_error_t *e = ikev2_initiate_sa_init (vm, p->name);
+ if (e)
+ {
+ ikev2_log_error ("%U", format_clib_error, e);
+ clib_error_free (e);
+ }
}
}
}
/* process ipsec sas */
ipsec_sa_t *sa;
/* *INDENT-OFF* */
- pool_foreach (sa, im->sad, ({
- ikev2_mngr_process_ipsec_sa(sa);
- }));
- /* *INDENT-ON* */
-
- ikev2_process_pending_sa_init (km);
-
- if (req_sent)
+ pool_foreach (sa, ipsec_sa_pool)
{
- vlib_process_wait_for_event_or_clock (vm, 5);
- vlib_process_get_events (vm, NULL);
- req_sent = 0;
+ ikev2_mngr_process_ipsec_sa (sa);
}
+ /* *INDENT-ON* */
+ ikev2_process_pending_sa_init (vm, km);
}
return 0;
}
"ikev2-manager-process",
};
+static void
+ikev2_lazy_init (ikev2_main_t *km)
+{
+ vlib_thread_main_t *tm = vlib_get_thread_main ();
+ int thread_id;
+
+ if (km->lazy_init_done)
+ return;
+
+ ikev2_crypto_init (km);
+
+ mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword));
+
+ vec_validate_aligned (km->per_thread_data, tm->n_vlib_mains - 1,
+ CLIB_CACHE_LINE_BYTES);
+ for (thread_id = 0; thread_id < tm->n_vlib_mains; thread_id++)
+ {
+ ikev2_main_per_thread_data_t *ptd =
+ vec_elt_at_index (km->per_thread_data, thread_id);
+
+ ptd->sa_by_rspi = hash_create (0, sizeof (uword));
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ptd->evp_ctx = EVP_CIPHER_CTX_new ();
+ ptd->hmac_ctx = HMAC_CTX_new ();
+#else
+ EVP_CIPHER_CTX_init (&ptd->_evp_ctx);
+ ptd->evp_ctx = &ptd->_evp_ctx;
+ HMAC_CTX_init (&(ptd->_hmac_ctx));
+ ptd->hmac_ctx = &ptd->_hmac_ctx;
+#endif
+ }
+
+ km->sa_by_ispi = hash_create (0, sizeof (uword));
+ km->sw_if_indices = hash_create (0, 0);
+
+ km->punt_hdl = vlib_punt_client_register ("ikev2");
+
+ km->dns_resolve_name =
+ vlib_get_plugin_symbol ("dns_plugin.so", "dns_resolve_name");
+ if (!km->dns_resolve_name)
+ ikev2_log_error ("cannot load symbols from dns plugin");
+
+ /* wake up ikev2 process */
+ vlib_process_signal_event (vlib_get_first_main (),
+ ikev2_mngr_process_node.index, 0, 0);
+
+ km->lazy_init_done = 1;
+}
+
VLIB_PLUGIN_REGISTER () = {
.version = VPP_BUILD_VER,
.description = "Internet Key Exchange (IKEv2) Protocol",