1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __included_ikev2_priv_h__
16 #define __included_ikev2_priv_h__
17
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ethernet/ethernet.h>
21
22 #include <plugins/ikev2/ikev2.h>
23
24 #include <vppinfra/hash.h>
25 #include <vppinfra/elog.h>
26 #include <vppinfra/error.h>
27
28 #include <openssl/rand.h>
29 #include <openssl/dh.h>
30 #include <openssl/hmac.h>
31 #include <openssl/evp.h>
32
/* Payload debug tracing.  The value is fixed to 1 right here and there is
 * no #ifndef guard around it, so a -D on the compiler command line does
 * not override it: DBG_PLD() is always compiled in and expands to
 * clib_warning().
 * NOTE(review): whatever the call sites hand to DBG_PLD ends up in the
 * log.  If any of them format SA key material or nonces rather than just
 * lengths and types, that should be reduced or guarded -- check the
 * callers in the .c files, they are not visible from this header. */
33 #define IKEV2_DEBUG_PAYLOAD 1
34
35 #if IKEV2_DEBUG_PAYLOAD == 1
36 #define DBG_PLD(my_args...) clib_warning(my_args)
37 #else
38 #define DBG_PLD(my_args...)   /* compiled out: arguments are not evaluated */
39 #endif
40
/* Lifecycle state of an IKE SA; stored in ikev2_sa_t.state.  The state
 * machine that moves between these values lives in the .c files. */
41 typedef enum
42 {
43   IKEV2_STATE_UNKNOWN,          /* value 0, i.e. what a zeroed ikev2_sa_t reports */
44   IKEV2_STATE_SA_INIT,
45   IKEV2_STATE_DELETED,
46   IKEV2_STATE_AUTH_FAILED,
47   IKEV2_STATE_AUTHENTICATED,
48   IKEV2_STATE_NOTIFY_AND_DELETE,
49   IKEV2_STATE_TS_UNACCEPTABLE,
50   IKEV2_STATE_NO_PROPOSAL_CHOSEN,
51 } ikev2_state_t;
52
/* Authentication material for one party.  Used for the configured local
 * side in ikev2_profile_t and per peer (i_auth / r_auth) in ikev2_sa_t.
 * NOTE(review): with a shared-secret method, `data` is secret material;
 * vec_free on its own does not scrub the bytes, so confirm the teardown
 * path zeroizes it before release. */
53 typedef struct
54 {
55   ikev2_auth_method_t method:8;
56   u8 *data;                     /* secret or signature bytes; presumably a vec -- see callers */
57   u8 hex;                       /* hex encoding of the shared secret */
58   EVP_PKEY *key;                /* OpenSSL key handle, when method uses a key */
59 } ikev2_auth_t;
60
/* Family of a DH transform: modular-exponential or elliptic-curve group.
 * Presumably what ikev2_sa_transform_t.dh_group holds -- confirm. */
61 typedef enum
62 {
63   IKEV2_DH_GROUP_MODP = 0,
64   IKEV2_DH_GROUP_ECP = 1,
65 } ikev2_dh_group_t;
66
/* One transform (ENCR / PRF / INTEG / DH / ESN), either as an entry of a
 * proposal's transform vector or of ikev2_main_t.supported_transforms.
 * The union members are all 16 bits wide and alias the same storage:
 * transform_id is the untyped view, the others are the typed view for
 * the matching `type`. */
67 typedef struct
68 {
69   ikev2_transform_type_t type;
70   union
71   {
72     u16 transform_id;
73     ikev2_transform_encr_type_t encr_type:16;
74     ikev2_transform_prf_type_t prf_type:16;
75     ikev2_transform_integ_type_t integ_type:16;
76     ikev2_transform_dh_type_t dh_type:16;
77     ikev2_transform_esn_type_t esn_type:16;
78   };
79   u8 *attrs;                    /* transform attributes; presumably a vec -- confirm */
80   u16 key_len;
81   u16 key_trunc;
82   u16 block_size;
83   u8 dh_group;                  /* presumably an ikev2_dh_group_t value -- confirm */
84   int nid;                      /* OpenSSL NID? only meaningful for some groups -- confirm */
85   const char *dh_p;             /* group parameters as text; used by ikev2_crypto.c -- confirm */
86   const char *dh_g;
87   const void *md;               /* opaque OpenSSL handles (EVP_MD / EVP_CIPHER?) -- confirm */
88   const void *cipher;
89 } ikev2_sa_transform_t;
90
/* One proposal of an SA payload: its number, protocol, SPI and a vector
 * of transforms (freed with ikev2_sa_free_proposal_vector). */
91 typedef struct
92 {
93   u8 proposal_num;
94   ikev2_protocol_id_t protocol_id:8;
95   u32 spi;
96   ikev2_sa_transform_t *transforms;     /* vec */
97 } ikev2_sa_proposal_t;
98
/* Traffic selector: one protocol, a port range and an IPv4 address range.
 * Only ip4_address_t is carried, so there is no IPv6 form of this struct.
 * NOTE(review): selector_len is whatever the parser stored from the wire;
 * any bound on it belongs in ikev2_parse_ts_payload -- confirm there. */
99 typedef struct
100 {
101   u8 ts_type;
102   u8 protocol_id;
103   u16 selector_len;
104   u16 start_port;
105   u16 end_port;
106   ip4_address_t start_addr;
107   ip4_address_t end_addr;
108 } ikev2_ts_t;
109
/* Peer a profile initiates to: egress interface index and its IPv4
 * address (IPv4 only, like ikev2_ts_t). */
110 typedef struct
111 {
112   u32 sw_if_index;
113   ip4_address_t ip4;
114 } ikev2_responder_t;
115
/* Configured algorithm set for a profile (ike_ts for the IKE SA, esp_ts
 * for child SAs).  Note the typedef lacks the _t suffix every other type
 * in this header carries; renaming it would touch its callers. */
116 typedef struct
117 {
118   ikev2_transform_encr_type_t crypto_alg;
119   ikev2_transform_integ_type_t integ_alg;
120   ikev2_transform_dh_type_t dh_type;
121   u32 crypto_key_size;          /* units not stated here (bits?) -- confirm at the CLI/API */
122 } ikev2_transforms_set;
123
124
/* Identification payload contents: the ID type and the raw identity
 * bytes (presumably a vec; ownership not visible here). */
125 typedef struct
126 {
127   ikev2_id_type_t type:8;
128   u8 *data;
129 } ikev2_id_t;
130
/* One child (IPsec) SA hanging off an ikev2_sa_t (the `childs` vec).
 * The sk_* fields are named after the RFC 7296 SK_* keys, i = initiator,
 * r = responder.  NOTE(review): they are secret material -- confirm the
 * child-SA free path scrubs them rather than just vec_free'ing. */
131 typedef struct
132 {
133   /* sa proposals vectors */
134   ikev2_sa_proposal_t *i_proposals;
135   ikev2_sa_proposal_t *r_proposals;
136
137   /* Traffic Selectors */
138   ikev2_ts_t *tsi;
139   ikev2_ts_t *tsr;
140
141   /* keys (integrity: sk_ai / sk_ar, encryption: sk_ei / sk_er) */
142   u8 *sk_ai;
143   u8 *sk_ar;
144   u8 *sk_ei;
145   u8 *sk_er;
146   u32 salt_ei;                  /* per-direction salt (AEAD/CTR style nonces?) -- confirm */
147   u32 salt_er;
148
149   /* installed data: ids of the IPsec SAs this child was installed as */
150   u32 local_sa_id;
151   u32 remote_sa_id;
152
153   /* lifetime data */
154   f64 time_to_expiration;       /* absolute time; clock source not visible here */
155   u8 is_expired;
156   i8 rekey_retries;             /* signed: presumably -1 or similar marks a special state -- confirm */
157 } ikev2_child_sa_t;
158
/* One entry of a parsed or pending DELETE payload. */
159 typedef struct
160 {
161   u8 protocol_id;
162   u32 spi;                      /*for ESP and AH SPI size is 4, for IKE size is 0 */
163 } ikev2_delete_t;
164
/* One pending rekey (vec element of ikev2_sa_t.rekey): the SPI being
 * replaced, the proposals and traffic selectors of the exchange.  The
 * difference between spi and ispi is not stated here -- confirm in the
 * rekey handling code before relying on either. */
165 typedef struct
166 {
167   u8 protocol_id;
168   u32 spi;
169   u32 ispi;
170   ikev2_sa_proposal_t *i_proposal;
171   ikev2_sa_proposal_t *r_proposal;
172   ikev2_ts_t *tsi;
173   ikev2_ts_t *tsr;
174 } ikev2_rekey_t;
175
/* A NOTIFY payload, parsed (ikev2_parse_notify_payload) or being built
 * (ikev2_payload_add_notify_2).  `data` is the notification data,
 * presumably a vec. */
176 typedef struct
177 {
178   u16 msg_type;
179   u8 protocol_id;
180   u32 spi;
181   u8 *data;
182 } ikev2_notify_t;
183
/* Operator-configured profile (pool element of ikev2_main_t.profiles,
 * looked up by name through profile_index_by_name).  Holds local auth
 * material, local and remote identities / traffic selectors, the peer to
 * initiate to, the algorithm sets and the lifetime parameters. */
184 typedef struct
185 {
186   u8 *name;
187   u8 is_enabled;
188
189   ikev2_auth_t auth;            /* local credentials; may hold a shared secret */
190   ikev2_id_t loc_id;
191   ikev2_id_t rem_id;
192   ikev2_ts_t loc_ts;
193   ikev2_ts_t rem_ts;
194   ikev2_responder_t responder;
195   ikev2_transforms_set ike_ts;
196   ikev2_transforms_set esp_ts;
197   u64 lifetime;                 /* units not stated here (seconds / bytes?) -- TODO confirm */
198   u64 lifetime_maxdata;
199   u32 lifetime_jitter;
200   u32 handover;
201 } ikev2_profile_t;
202
/* One IKE SA.  Pool element of ikev2_main_t.sais (initiator side) or of
 * the per-thread `sas` pool, indexed by SPI through the sa_by_ispi /
 * sa_by_rspi hashes.
 * NOTE(review): everything under "DH data", "keys" and "auth" is secret
 * material (private DH value, shared secret, the SK_* keys, credentials).
 * Confirm that the SA free path scrubs these before vec_free, and that
 * none of them reaches DBG_PLD / clib_warning output. */
203 typedef struct
204 {
205   ikev2_state_t state;
206   u8 unsupported_cp;            /* peer sent an unsupported critical payload? -- confirm */
207   u8 initial_contact;
208   ip4_address_t iaddr;          /* initiator / responder addresses (IPv4 only) */
209   ip4_address_t raddr;
210   u64 ispi;
211   u64 rspi;
212   u8 *i_nonce;
213   u8 *r_nonce;
214
215   /* DH data -- dh_private_key and dh_shared_key are secret */
216   u16 dh_group;
217   u8 *dh_shared_key;
218   u8 *dh_private_key;
219   u8 *i_dh_data;                /* public KE values exchanged on the wire */
220   u8 *r_dh_data;
221
222   /* sa proposals vectors */
223   ikev2_sa_proposal_t *i_proposals;
224   ikev2_sa_proposal_t *r_proposals;
225
226   /* keys, named after RFC 7296 SK_* (d: derivation, a: integrity,
227    * e: encryption, p: AUTH payload); i = initiator, r = responder */
227   u8 *sk_d;
228   u8 *sk_ai;
229   u8 *sk_ar;
230   u8 *sk_ei;
231   u8 *sk_er;
232   u8 *sk_pi;
233   u8 *sk_pr;
234
235   /* auth -- i_auth / r_auth are what each side presented */
236   ikev2_auth_t i_auth;
237   ikev2_auth_t r_auth;
238
239   /* ID */
240   ikev2_id_t i_id;
241   ikev2_id_t r_id;
242
243   /* pending deletes (vec) */
244   ikev2_delete_t *del;
245
246   /* pending rekeyings (vec) */
247   ikev2_rekey_t *rekey;
248
249   /* packet data -- the SA_INIT request/response bytes are kept; the
250    * AUTH computation presumably needs them, so they outlive the exchange */
250   u8 *last_sa_init_req_packet_data;
251   u8 *last_sa_init_res_packet_data;
252
253   /* retransmit: last message id answered and the response sent for it */
254   u32 last_msg_id;
255   u8 *last_res_packet_data;
256
257   u8 is_initiator;
258   u32 last_init_msg_id;         /* message id of our last request (initiator side) -- confirm */
259   u8 is_profile_index_set;      /* profile_index is only meaningful when this is set */
260   u32 profile_index;
261
262   ikev2_child_sa_t *childs;     /* vec of child SAs */
263 } ikev2_sa_t;
264
265
/* Per-worker state: the SA pool owned by that thread and its lookup hash
 * (responder SPI -> pool index, presumably -- confirm). */
266 typedef struct
267 {
268   /* pool of IKEv2 Security Associations */
269   ikev2_sa_t *sas;
270
271   /* hash */
272   uword *sa_by_rspi;
273 } ikev2_main_per_thread_data_t;
274
/* Plugin-global state (single instance: ikev2_main).  Profiles and the
 * supported-transform table are shared; SAs created as initiator live in
 * `sais`, the rest in per_thread_data. */
275 typedef struct
276 {
277   /* pool of IKEv2 profiles */
278   ikev2_profile_t *profiles;
279
280   /* vector of supported transform types */
281   ikev2_sa_transform_t *supported_transforms;
282
283   /* hash: profile name -> index into `profiles` */
284   mhash_t profile_index_by_name;
285
286   /* local private key (loaded via ikev2_load_key_file); process-lifetime
287    * secret -- the key file it comes from is sensitive */
287   EVP_PKEY *pkey;
288
289   /* convenience */
290   vlib_main_t *vlib_main;
291   vnet_main_t *vnet_main;
292
293   /* pool of IKEv2 Security Associations created in initiator mode */
294   ikev2_sa_t *sais;
295   /* hash: initiator SPI -> index into `sais`, presumably -- confirm */
296   uword *sa_by_ispi;
297
298   ikev2_main_per_thread_data_t *per_thread_data;        /* vec, one per thread */
299
300   /* interface indices managed by IKE */
301   uword *sw_if_indices;
302
303   /* API message ID base */
304   u16 msg_id_base;
305 } ikev2_main_t;
306
307 extern ikev2_main_t ikev2_main;
308
/* Proposal-vector helpers (the original carries no file tag for these,
 * unlike the crypto and payload groups below).
 * ikev2_sa_free_proposal_vector takes the address of the vec, so it can
 * presumably reset the caller's pointer after freeing -- confirm.
 * ikev2_sa_get_td_for_type returns the transform of the given type in p,
 * or presumably NULL when absent -- callers must check. */
309 void ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v);
310 ikev2_sa_transform_t *ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p,
311                                                 ikev2_transform_type_t type);
312
313 /* ikev2_crypto.c
314  *
315  * Signatures only; conventions to keep in mind when calling:
316  * - both v8 * and u8 * appear for byte buffers; the vppinfra typedefs
317  *   decide whether these are interchangeable -- keep callers consistent.
318  * - ikev2_decrypt_data / ikev2_calc_integr take a signed `int len`; the
319  *   implementation must reject negative or oversized values, this header
320  *   does not -- confirm before passing wire-derived lengths.
321  * - ikev2_encrypt_data gets no capacity for dst; the caller must size it
322  *   (block-aligned, see ikev2_payload_chain_add_padding) -- confirm.
323  * - ikev2_verify_sign / ikev2_calc_sign carry no lengths, presumably
324  *   taken from the vec headers; the int result convention is not visible
325  *   here, check it before adding callers. */
314 v8 *ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data);
315 u8 *ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed,
316                         int len);
317 v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
318                        int len);
319 v8 *ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len);
320 int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst);
321 void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
322 void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
323 int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
324 u8 *ikev2_calc_sign (EVP_PKEY * pkey, u8 * data);
325 EVP_PKEY *ikev2_load_cert_file (u8 * file);       /* path as u8 *; vec or NUL-terminated? -- confirm */
326 EVP_PKEY *ikev2_load_key_file (u8 * file);
327 void ikev2_crypto_init (ikev2_main_t * km);
328
329 /* ikev2_payload.c */
/* Outgoing payload chain being built: `data` is the serialised bytes,
 * first_payload_type the type to put in the IKE header, last_hdr_off the
 * offset of the most recently appended payload header (presumably so its
 * next-payload byte can be patched on the next add -- confirm in
 * ikev2_payload.c).  last_hdr_off is u16, so the chain cannot address
 * beyond 64 KiB. */
330 typedef struct
331 {
332   u8 first_payload_type;
333   u16 last_hdr_off;
334   u8 *data;
335 } ikev2_payload_chain_t;
336
/* A chain is a vec holding one ikev2_payload_chain_t (vec_validate (V, 0)
 * presumably makes index 0 usable).  destroy frees the data vec and then
 * the chain itself.  V is expanded more than once in destroy: pass a
 * plain lvalue, never an expression with side effects. */
337 #define ikev2_payload_new_chain(V) vec_validate (V, 0)
338 #define ikev2_payload_destroy_chain(V) do { \
339   vec_free((V)->data);                 \
340   vec_free(V);                         \
341 } while (0)
342
/* Builders: append one payload to chain c (ownership of the chain stays
 * with the caller; what is copied versus referenced is not visible here).
 * ikev2_payload_chain_add_padding pads to block size bs, presumably
 * before encryption -- confirm. */
343 void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type,
344                                u8 * data);
345 void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type,
346                                  u8 * data, ikev2_notify_t * notify);
347 void ikev2_payload_add_sa (ikev2_payload_chain_t * c,
348                            ikev2_sa_proposal_t * proposals);
349 void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group,
350                            u8 * dh_data);
351 void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce);
352 void ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id,
353                            u8 type);
354 void ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth);
355 void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts,
356                            u8 type);
357 void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
358 void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
/* Parsers: each receives only the header of the payload it decodes.  The
 * length of the enclosing message is not a parameter, so any bound on the
 * read has to come from the payload's own length field plus whatever the
 * caller validated beforehand.  NOTE(review): confirm in ikev2_payload.c
 * that every length or count taken from the wire is checked against that
 * bound before it is used as an offset or allocation size.  The returned
 * pointers are presumably freshly allocated vecs owned by the caller. */
359 void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
360 ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep);
361 ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep);
362 ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep);
363 ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep);
364
365 #endif /* __included_ikev2_priv_h__ */
366
367
368 /*
369  * fd.io coding-style-patch-verification: ON
370  *
371  * Local Variables:
372  * eval: (c-set-style "gnu")
373  * End:
374  */