2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __included_ikev2_priv_h__
16 #define __included_ikev2_priv_h__
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ethernet/ethernet.h>
22 #include <plugins/ikev2/ikev2.h>
24 #include <vppinfra/hash.h>
25 #include <vppinfra/elog.h>
26 #include <vppinfra/error.h>
28 #include <openssl/rand.h>
29 #include <openssl/dh.h>
30 #include <openssl/hmac.h>
31 #include <openssl/evp.h>
33 #define foreach_ikev2_log_level \
36 _(0x02, LOG_WARNING) \
42 typedef enum ikev2_log_level_t_
44 #define _(n,f) IKEV2_##f = n,
45 foreach_ikev2_log_level
50 /* dataplane logging */
51 #define _ikev2_elog(_level, _msg) \
53 ikev2_main_t *km = &ikev2_main; \
54 if (PREDICT_FALSE (km->log_level >= _level)) \
56 ELOG_TYPE_DECLARE (e) = \
58 .format = "ikev2 " _msg, \
61 ELOG_DATA (&vlib_global_main.elog_main, e); \
65 #define ikev2_elog_sa_state(_format, _ispi) \
67 ikev2_main_t *km = &ikev2_main; \
68 if (PREDICT_FALSE (km->log_level >= IKEV2_LOG_DEBUG)) \
70 ELOG_TYPE_DECLARE (e) = \
72 .format = "ikev2: " _format, \
73 .format_args = "i8", \
79 ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
84 #define ikev2_elog_exchange_internal(_format, _ispi, _rspi, _addr) \
86 ikev2_main_t *km = &ikev2_main; \
87 if (PREDICT_FALSE (km->log_level >= IKEV2_LOG_DEBUG)) \
89 ELOG_TYPE_DECLARE (e) = \
91 .format = "ikev2: " _format, \
92 .format_args = "i8i8i1i1i1i1", \
103 ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
106 ed->oct4 = (_addr) >> 24; \
107 ed->oct3 = (_addr) >> 16; \
108 ed->oct2 = (_addr) >> 8; \
109 ed->oct1 = (_addr); \
113 #define IKE_ELOG_IP4_FMT "%d.%d.%d.%d"
114 #define IKE_ELOG_IP6_FMT "[v6]:%x%x:%x%x"
116 #define ikev2_elog_exchange(_fmt, _ispi, _rspi, _addr, _v4) \
119 ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP4_FMT, _ispi, _rspi, _addr);\
121 ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP6_FMT, _ispi, _rspi, _addr);\
124 #define ikev2_elog_uint(_level, _format, _val) \
126 ikev2_main_t *km = &ikev2_main; \
127 if (PREDICT_FALSE (km->log_level >= _level)) \
129 ELOG_TYPE_DECLARE (e) = \
131 .format = "ikev2: " _format, \
132 .format_args = "i8", \
138 ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
143 #define ikev2_elog_uint_peers(_level, _format, _val, _ip1, _ip2) \
145 ikev2_main_t *km = &ikev2_main; \
146 if (PREDICT_FALSE (km->log_level >= _level)) \
148 ELOG_TYPE_DECLARE (e) = \
150 .format = "ikev2: " _format, \
151 .format_args = "i8i1i1i1i1i1i1i1i1", \
153 CLIB_PACKED(struct { \
155 u8 i11; u8 i12; u8 i13; u8 i14; \
156 u8 i21; u8 i22; u8 i23; u8 i24; }) *ed; \
157 ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
159 ed->i14 = (_ip1) >> 24; \
160 ed->i13 = (_ip1) >> 16; \
161 ed->i12 = (_ip1) >> 8; \
163 ed->i24 = (_ip2) >> 24; \
164 ed->i23 = (_ip2) >> 16; \
165 ed->i22 = (_ip2) >> 8; \
170 #define ikev2_elog_error(_msg) \
171 _ikev2_elog(IKEV2_LOG_ERROR, "[error] " _msg)
172 #define ikev2_elog_warning(_msg) \
173 _ikev2_elog(IKEV2_LOG_WARNING, "[warning] " _msg)
174 #define ikev2_elog_debug(_msg) \
175 _ikev2_elog(IKEV2_LOG_DEBUG, "[debug] " _msg)
176 #define ikev2_elog_detail(_msg) \
177 _ikev2_elog(IKEV2_LOG_DETAIL, "[detail] " _msg)
179 /* logging for main thread */
180 #define ikev2_log_error(...) \
181 vlib_log(VLIB_LOG_LEVEL_ERR, ikev2_main.log_class, __VA_ARGS__)
182 #define ikev2_log_warning(...) \
183 vlib_log(VLIB_LOG_LEVEL_WARNING, ikev2_main.log_class, __VA_ARGS__)
184 #define ikev2_log_debug(...) \
185 vlib_log(VLIB_LOG_LEVEL_DEBUG, ikev2_main.log_class, __VA_ARGS__)
187 #define foreach_ikev2_state \
188 _ (0, UNKNOWN, "UNKNOWN") \
189 _ (1, SA_INIT, "SA_INIT") \
190 _ (2, DELETED, "DELETED") \
191 _ (3, AUTH_FAILED, "AUTH_FAILED") \
192 _ (4, AUTHENTICATED, "AUTHENTICATED") \
193 _ (5, NOTIFY_AND_DELETE, "NOTIFY_AND_DELETE") \
194 _ (6, TS_UNACCEPTABLE, "TS_UNACCEPTABLE") \
195 _ (7, NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN")
199 #define _(v, f, s) IKEV2_STATE_##f = v,
206 ikev2_auth_method_t method:8;
208 u8 hex; /* hex encoding of the shared secret */
214 IKEV2_DH_GROUP_MODP = 0,
215 IKEV2_DH_GROUP_ECP = 1,
220 ikev2_transform_type_t type;
224 ikev2_transform_encr_type_t encr_type:16;
225 ikev2_transform_prf_type_t prf_type:16;
226 ikev2_transform_integ_type_t integ_type:16;
227 ikev2_transform_dh_type_t dh_type:16;
228 ikev2_transform_esn_type_t esn_type:16;
240 } ikev2_sa_transform_t;
245 ikev2_protocol_id_t protocol_id:8;
247 ikev2_sa_transform_t *transforms;
248 } ikev2_sa_proposal_t;
252 ikev2_traffic_selector_type_t ts_type;
257 ip_address_t start_addr;
258 ip_address_t end_addr;
271 ikev2_transform_encr_type_t crypto_alg;
272 ikev2_transform_integ_type_t integ_alg;
273 ikev2_transform_dh_type_t dh_type;
275 } ikev2_transforms_set;
280 ikev2_id_type_t type:8;
286 /* sa proposals vectors */
287 ikev2_sa_proposal_t *i_proposals;
288 ikev2_sa_proposal_t *r_proposals;
290 /* Traffic Selectors */
307 f64 time_to_expiration;
317 u32 spi; /*for ESP and AH SPI size is 4, for IKE size is 0 */
327 ikev2_sa_proposal_t *i_proposal;
328 ikev2_sa_proposal_t *r_proposal;
345 ikev2_sa_proposal_t *i_proposals;
346 ikev2_sa_proposal_t *r_proposals;
366 ikev2_responder_t responder;
367 ikev2_transforms_set ike_ts;
368 ikev2_transforms_set esp_ts;
370 u64 lifetime_maxdata;
373 u16 ipsec_over_udp_port;
382 /* SA will switch to port 4500 when NAT is detected.
383 * This is the default. */
386 /* Do nothing when NAT is detected */
389 /* NAT was detected and port switched to 4500 */
391 } ikev2_natt_state_t;
393 #define ikev2_natt_active(_sa) ((_sa)->natt_state == IKEV2_NATT_ACTIVE)
401 u16 n_init_retransmit;
424 /* sa proposals vectors */
425 ikev2_sa_proposal_t *i_proposals;
426 ikev2_sa_proposal_t *r_proposals;
445 /* pending deletes */
448 /* pending rekeyings */
449 ikev2_rekey_t *rekey;
451 ikev2_rekey_t *new_child;
453 /* pending sa rekeyings */
454 ikev2_sa_rekey_t *sa_rekey;
457 u8 *last_sa_init_req_packet_data;
458 u8 *last_sa_init_res_packet_data;
461 /* message id expected in the request from the other peer */
463 u8 *last_res_packet_data;
466 /* last message id that was used for an initiated request */
467 u32 last_init_msg_id;
472 u16 ipsec_over_udp_port;
474 f64 old_id_expiration;
475 u32 current_remote_id_mask;
477 u8 old_remote_id_present;
478 u8 init_response_received;
480 ikev2_child_sa_t *childs;
483 f64 liveness_period_check;
488 /* is NAT traversal mode */
489 ikev2_natt_state_t natt_state;
500 CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
502 /* pool of IKEv2 Security Associations */
508 EVP_CIPHER_CTX *evp_ctx;
510 #if OPENSSL_VERSION_NUMBER < 0x10100000L
512 EVP_CIPHER_CTX _evp_ctx;
514 } ikev2_main_per_thread_data_t;
518 /* pool of IKEv2 profiles */
519 ikev2_profile_t *profiles;
521 /* vector of supported transform types */
522 ikev2_sa_transform_t *supported_transforms;
525 mhash_t profile_index_by_name;
527 /* local private key */
531 vlib_main_t *vlib_main;
532 vnet_main_t *vnet_main;
534 /* pool of IKEv2 Security Associations created in initiator mode */
539 ikev2_main_per_thread_data_t *per_thread_data;
541 /* interface indices managed by IKE */
542 uword *sw_if_indices;
544 /* API message ID base */
547 /* log class used for main thread */
548 vlib_log_class_t log_class;
551 ikev2_log_level_t log_level;
553 /* how often a liveness check will be performed */
556 /* max number of retries before considering peer dead */
557 u32 liveness_max_retries;
559 /* dead peer detection */
562 /* pointer to name resolver function in dns plugin */
563 void *dns_resolve_name_ptr;
565 /* flag indicating whether lazy init is done or not */
568 /* refcount for IKEv2 udp ports and IPsec NATT punt registration */
571 /* punt handle for IPsec NATT IPSEC_PUNT_IP4_SPI_UDP_0 reason */
572 vlib_punt_hdl_t punt_hdl;
576 extern ikev2_main_t ikev2_main;
578 void ikev2_sa_free_proposal_vector (ikev2_sa_proposal_t ** v);
579 ikev2_sa_transform_t *ikev2_sa_get_td_for_type (ikev2_sa_proposal_t * p,
580 ikev2_transform_type_t type);
583 v8 *ikev2_calc_prf (ikev2_sa_transform_t * tr, v8 * key, v8 * data);
584 u8 *ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed,
586 v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
588 int ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
589 ikev2_sa_transform_t * tr_encr, u8 * data, int len,
591 int ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
592 ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst);
593 int ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
594 ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
595 v8 * src, u8 * dst, u8 * aad,
596 u32 aad_len, u8 * tag);
597 int ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
598 ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
599 u8 * data, int data_len, u8 * aad, u32 aad_len,
600 u8 * tag, u32 * out_len);
601 void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
602 void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
603 int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
604 u8 *ikev2_calc_sign (EVP_PKEY * pkey, u8 * data);
605 EVP_PKEY *ikev2_load_cert_file (u8 * file);
606 EVP_PKEY *ikev2_load_key_file (u8 * file);
607 void ikev2_crypto_init (ikev2_main_t * km);
609 /* ikev2_payload.c */
612 u8 first_payload_type;
615 } ikev2_payload_chain_t;
617 #define ikev2_payload_new_chain(V) vec_validate (V, 0)
618 #define ikev2_payload_destroy_chain(V) do { \
619 vec_free((V)->data); \
623 void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type,
625 void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type,
626 u8 * data, ikev2_notify_t * notify);
627 void ikev2_payload_add_sa (ikev2_payload_chain_t *c,
628 ikev2_sa_proposal_t *proposals, u8 force_spi);
629 void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group,
631 void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce);
632 void ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id,
634 void ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth);
635 void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts,
637 void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
638 void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
639 void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
640 ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep,
642 ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen);
643 ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep,
645 ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep,
647 int ikev2_set_log_level (ikev2_log_level_t log_level);
648 u8 *ikev2_find_ike_notify_payload (ike_header_t * ike, u32 msg_type);
649 void ikev2_disable_dpd (void);
650 clib_error_t *ikev2_profile_natt_disable (u8 * name);
652 static_always_inline ikev2_main_per_thread_data_t *
653 ikev2_get_per_thread_data ()
655 u32 thread_index = vlib_get_thread_index ();
656 return vec_elt_at_index (ikev2_main.per_thread_data, thread_index);
658 #endif /* __included_ikev2_priv_h__ */
662 * fd.io coding-style-patch-verification: ON
665 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob