hs-test: move nginx tests into one file

[vpp.git] / src / plugins / ikev2 / ikev2_priv.h

diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h
index 68a546a..0639809 100644 (file)
--- a/src/plugins/ikev2/ikev2_priv.h
+++ b/src/plugins/ikev2/ikev2_priv.h
@@ -184,16 +184,21 @@ do {                                                                          \
 #define ikev2_log_debug(...) \
   vlib_log(VLIB_LOG_LEVEL_DEBUG, ikev2_main.log_class, __VA_ARGS__)
 
+#define foreach_ikev2_state                                                   \
+  _ (0, UNKNOWN, "UNKNOWN")                                                   \
+  _ (1, SA_INIT, "SA_INIT")                                                   \
+  _ (2, DELETED, "DELETED")                                                   \
+  _ (3, AUTH_FAILED, "AUTH_FAILED")                                           \
+  _ (4, AUTHENTICATED, "AUTHENTICATED")                                       \
+  _ (5, NOTIFY_AND_DELETE, "NOTIFY_AND_DELETE")                               \
+  _ (6, TS_UNACCEPTABLE, "TS_UNACCEPTABLE")                                   \
+  _ (7, NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN")
+
 typedef enum
 {
-  IKEV2_STATE_UNKNOWN,
-  IKEV2_STATE_SA_INIT,
-  IKEV2_STATE_DELETED,
-  IKEV2_STATE_AUTH_FAILED,
-  IKEV2_STATE_AUTHENTICATED,
-  IKEV2_STATE_NOTIFY_AND_DELETE,
-  IKEV2_STATE_TS_UNACCEPTABLE,
-  IKEV2_STATE_NO_PROPOSAL_CHOSEN,
+#define _(v, f, s) IKEV2_STATE_##f = v,
+  foreach_ikev2_state
+#undef _
 } ikev2_state_t;
 
 typedef struct
@@ -238,7 +243,7 @@ typedef struct
 {
   u8 proposal_num;
   ikev2_protocol_id_t protocol_id:8;
-  u32 spi;
+  u64 spi;
   ikev2_sa_transform_t *transforms;
 } ikev2_sa_proposal_t;
 
@@ -257,6 +262,8 @@ typedef struct
 {
   u32 sw_if_index;
   ip_address_t addr;
+  u8 *hostname;
+  u8 is_resolved;
 } ikev2_responder_t;
 
 typedef struct
@@ -300,6 +307,8 @@ typedef struct
   f64 time_to_expiration;
   u8 is_expired;
   i8 rekey_retries;
+
+  f64 timestamp;
 } ikev2_child_sa_t;
 
 typedef struct
@@ -310,6 +319,8 @@ typedef struct
 
 typedef struct
 {
+  u16 notify_type;
+  u8 kex;
   u8 protocol_id;
   u32 spi;
   u32 ispi;
@@ -319,6 +330,22 @@ typedef struct
   ikev2_ts_t *tsr;
 } ikev2_rekey_t;
 
+typedef struct
+{
+  u16 notify_type;
+  u16 dh_group;
+  u64 ispi;
+  u64 rspi;
+  u8 *i_nonce;
+  u8 *r_nonce;
+  u8 *dh_shared_key;
+  u8 *dh_private_key;
+  u8 *i_dh_data;
+  u8 *r_dh_data;
+  ikev2_sa_proposal_t *i_proposals;
+  ikev2_sa_proposal_t *r_proposals;
+} ikev2_sa_rekey_t;
+
 typedef struct
 {
   u16 msg_type;
@@ -347,8 +374,34 @@ typedef struct
 
   u32 tun_itf;
   u8 udp_encap;
+  u8 natt_disabled;
 } ikev2_profile_t;
 
+typedef enum
+{
+  /* SA will switch to port 4500 when NAT is detected.
+   * This is the default. */
+  IKEV2_NATT_ENABLED,
+
+  /* Do nothing when NAT is detected */
+  IKEV2_NATT_DISABLED,
+
+  /* NAT was detected and port switched to 4500 */
+  IKEV2_NATT_ACTIVE,
+} ikev2_natt_state_t;
+
+#define ikev2_natt_active(_sa) ((_sa)->natt_state == IKEV2_NATT_ACTIVE)
+
+typedef struct
+{
+  u16 n_keepalives;
+  u16 n_rekey_req;
+  u16 n_sa_auth_req;
+  u16 n_sa_init_req;
+  u16 n_init_retransmit;
+  u16 n_retransmit;
+} ikev2_stats_t;
+
 typedef struct
 {
   ikev2_state_t state;
@@ -395,15 +448,22 @@ typedef struct
   /* pending rekeyings */
   ikev2_rekey_t *rekey;
 
+  ikev2_rekey_t *new_child;
+
+  /* pending sa rekeyings */
+  ikev2_sa_rekey_t *sa_rekey;
+
   /* packet data */
   u8 *last_sa_init_req_packet_data;
   u8 *last_sa_init_res_packet_data;
 
   /* retransmit */
+  /* message id expected in the request from the other peer */
   u32 last_msg_id;
   u8 *last_res_packet_data;
 
   u8 is_initiator;
+  /* last message id that was used for an initiated request */
   u32 last_init_msg_id;
   u32 profile_index;
   u8 is_tun_itf_set;
@@ -426,8 +486,12 @@ typedef struct
   u32 sw_if_index;
 
   /* is NAT traversal mode */
-  u8 natt;
+  ikev2_natt_state_t natt_state;
   u8 keys_generated;
+
+  ikev2_stats_t stats;
+
+  f64 auth_timestamp;
 } ikev2_sa_t;
 
 
@@ -486,14 +550,27 @@ typedef struct
   /* logging level */
   ikev2_log_level_t log_level;
 
-  /* custom ipsec-over-udp ports managed by ike */
-  uword *udp_ports;
-
   /* how often a liveness check will be performed */
   u32 liveness_period;
 
   /* max number of retries before considering peer dead */
   u32 liveness_max_retries;
+
+  /* dead peer detection */
+  u8 dpd_disabled;
+
+  /* pointer to name resolver function in dns plugin */
+  void *dns_resolve_name_ptr;
+
+  /* flag indicating whether lazy init is done or not */
+  int lazy_init_done;
+
+  /* refcount for IKEv2 udp ports and IPsec NATT punt registration */
+  int bind_refcount;
+
+  /* punt handle for IPsec NATT IPSEC_PUNT_IP4_SPI_UDP_0 reason */
+  vlib_punt_hdl_t punt_hdl;
+
 } ikev2_main_t;
 
 extern ikev2_main_t ikev2_main;
@@ -547,8 +624,8 @@ void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type,
                               u8 * data);
 void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type,
                                 u8 * data, ikev2_notify_t * notify);
-void ikev2_payload_add_sa (ikev2_payload_chain_t * c,
-                          ikev2_sa_proposal_t * proposals);
+void ikev2_payload_add_sa (ikev2_payload_chain_t *c,
+                          ikev2_sa_proposal_t *proposals, u8 force_spi);
 void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group,
                           u8 * dh_data);
 void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce);
@@ -568,6 +645,9 @@ ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep,
 ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep,
                                            u32 rlen);
 int ikev2_set_log_level (ikev2_log_level_t log_level);
+u8 *ikev2_find_ike_notify_payload (ike_header_t * ike, u32 msg_type);
+void ikev2_disable_dpd (void);
+clib_error_t *ikev2_profile_natt_disable (u8 * name);
 
 static_always_inline ikev2_main_per_thread_data_t *
 ikev2_get_per_thread_data ()