#include <openssl/hmac.h>
#include <openssl/evp.h>
-#define IKEV2_DEBUG_PAYLOAD 1
+#define foreach_ikev2_log_level \
+ _(0x00, LOG_NONE) \
+ _(0x01, LOG_ERROR) \
+ _(0x02, LOG_WARNING) \
+ _(0x03, LOG_INFO) \
+ _(0x04, LOG_DEBUG) \
+ _(0x05, LOG_DETAIL) \
-#if IKEV2_DEBUG_PAYLOAD == 1
-#define DBG_PLD(my_args...) clib_warning(my_args)
-#else
-#define DBG_PLD(my_args...)
-#endif
+
+typedef enum ikev2_log_level_t_
+{
+#define _(n,f) IKEV2_##f = n,
+ foreach_ikev2_log_level
+#undef _
+ IKEV2_LOG_MAX
+} ikev2_log_level_t;
+
+/* dataplane logging */
+#define _ikev2_elog(_level, _msg) \
+do { \
+ ikev2_main_t *km = &ikev2_main; \
+ if (PREDICT_FALSE (km->log_level >= _level)) \
+ { \
+ ELOG_TYPE_DECLARE (e) = \
+ { \
+ .format = "ikev2 " _msg, \
+ .format_args = "", \
+ }; \
+ ELOG_DATA (&vlib_global_main.elog_main, e); \
+ } \
+} while (0)
+
+#define ikev2_elog_sa_state(_format, _ispi) \
+do { \
+ ikev2_main_t *km = &ikev2_main; \
+ if (PREDICT_FALSE (km->log_level >= IKEV2_LOG_DEBUG)) \
+ { \
+ ELOG_TYPE_DECLARE (e) = \
+ { \
+ .format = "ikev2: " _format, \
+ .format_args = "i8", \
+ }; \
+ CLIB_PACKED(struct \
+ { \
+ u64 ispi; \
+ }) *ed; \
+ ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
+ ed->ispi = _ispi; \
+ } \
+} while (0) \
+
+#define ikev2_elog_exchange_internal(_format, _ispi, _rspi, _addr) \
+do { \
+ ikev2_main_t *km = &ikev2_main; \
+ if (PREDICT_FALSE (km->log_level >= IKEV2_LOG_DEBUG)) \
+ { \
+ ELOG_TYPE_DECLARE (e) = \
+ { \
+ .format = "ikev2: " _format, \
+ .format_args = "i8i8i1i1i1i1", \
+ }; \
+ CLIB_PACKED(struct \
+ { \
+ u64 ispi; \
+ u64 rspi; \
+ u8 oct1; \
+ u8 oct2; \
+ u8 oct3; \
+ u8 oct4; \
+ }) *ed; \
+ ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
+ ed->ispi = _ispi; \
+ ed->rspi = _rspi; \
+ ed->oct4 = (_addr) >> 24; \
+ ed->oct3 = (_addr) >> 16; \
+ ed->oct2 = (_addr) >> 8; \
+ ed->oct1 = (_addr); \
+ } \
+} while (0) \
+
+#define IKE_ELOG_IP4_FMT "%d.%d.%d.%d"
+#define IKE_ELOG_IP6_FMT "[v6]:%x%x:%x%x"
+
+#define ikev2_elog_exchange(_fmt, _ispi, _rspi, _addr, _v4) \
+do { \
+ if (_v4) \
+ ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP4_FMT, _ispi, _rspi, _addr);\
+ else \
+ ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP6_FMT, _ispi, _rspi, _addr);\
+} while (0)
+
+#define ikev2_elog_uint(_level, _format, _val) \
+do { \
+ ikev2_main_t *km = &ikev2_main; \
+ if (PREDICT_FALSE (km->log_level >= _level)) \
+ { \
+ ELOG_TYPE_DECLARE (e) = \
+ { \
+ .format = "ikev2: " _format, \
+ .format_args = "i8", \
+ }; \
+ CLIB_PACKED(struct \
+ { \
+ u64 val; \
+ }) *ed; \
+ ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
+ ed->val = _val; \
+ } \
+} while (0)
+
+#define ikev2_elog_uint_peers(_level, _format, _val, _ip1, _ip2) \
+do { \
+ ikev2_main_t *km = &ikev2_main; \
+ if (PREDICT_FALSE (km->log_level >= _level)) \
+ { \
+ ELOG_TYPE_DECLARE (e) = \
+ { \
+ .format = "ikev2: " _format, \
+ .format_args = "i8i1i1i1i1i1i1i1i1", \
+ }; \
+ CLIB_PACKED(struct { \
+ u64 val; \
+ u8 i11; u8 i12; u8 i13; u8 i14; \
+ u8 i21; u8 i22; u8 i23; u8 i24; }) *ed; \
+ ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
+ ed->val = _val; \
+ ed->i14 = (_ip1) >> 24; \
+ ed->i13 = (_ip1) >> 16; \
+ ed->i12 = (_ip1) >> 8; \
+ ed->i11 = (_ip1); \
+ ed->i24 = (_ip2) >> 24; \
+ ed->i23 = (_ip2) >> 16; \
+ ed->i22 = (_ip2) >> 8; \
+ ed->i21 = (_ip2); \
+ } \
+} while (0)
+
+#define ikev2_elog_error(_msg) \
+ _ikev2_elog(IKEV2_LOG_ERROR, "[error] " _msg)
+#define ikev2_elog_warning(_msg) \
+ _ikev2_elog(IKEV2_LOG_WARNING, "[warning] " _msg)
+#define ikev2_elog_debug(_msg) \
+ _ikev2_elog(IKEV2_LOG_DEBUG, "[debug] " _msg)
+#define ikev2_elog_detail(_msg) \
+ _ikev2_elog(IKEV2_LOG_DETAIL, "[detail] " _msg)
+
+/* logging for main thread */
+#define ikev2_log_error(...) \
+ vlib_log(VLIB_LOG_LEVEL_ERR, ikev2_main.log_class, __VA_ARGS__)
+#define ikev2_log_warning(...) \
+ vlib_log(VLIB_LOG_LEVEL_WARNING, ikev2_main.log_class, __VA_ARGS__)
+#define ikev2_log_debug(...) \
+ vlib_log(VLIB_LOG_LEVEL_DEBUG, ikev2_main.log_class, __VA_ARGS__)
typedef enum
{
typedef struct
{
- u8 ts_type;
+ ikev2_traffic_selector_type_t ts_type;
u8 protocol_id;
u16 selector_len;
u16 start_port;
u16 end_port;
- ip4_address_t start_addr;
- ip4_address_t end_addr;
+ ip_address_t start_addr;
+ ip_address_t end_addr;
} ikev2_ts_t;
typedef struct
{
u32 sw_if_index;
- ip4_address_t ip4;
+ ip_address_t addr;
+ u8 *hostname;
+ u8 is_resolved;
} ikev2_responder_t;
typedef struct
typedef struct
{
u8 *name;
- u8 is_enabled;
ikev2_auth_t auth;
ikev2_id_t loc_id;
u64 lifetime_maxdata;
u32 lifetime_jitter;
u32 handover;
+ u16 ipsec_over_udp_port;
+
+ u32 tun_itf;
+ u8 udp_encap;
+ u8 natt_disabled;
} ikev2_profile_t;
+typedef enum
+{
+ /* SA will switch to port 4500 when NAT is detected.
+ * This is the default. */
+ IKEV2_NATT_ENABLED,
+
+ /* Do nothing when NAT is detected */
+ IKEV2_NATT_DISABLED,
+
+ /* NAT was detected and port switched to 4500 */
+ IKEV2_NATT_ACTIVE,
+} ikev2_natt_state_t;
+
+#define ikev2_natt_active(_sa) ((_sa)->natt_state == IKEV2_NATT_ACTIVE)
+
+typedef struct
+{
+ u16 n_keepalives;
+ u16 n_rekey_req;
+ u16 n_sa_auth_req;
+ u16 n_sa_init_req;
+ u16 n_init_retransmit;
+ u16 n_retransmit;
+} ikev2_stats_t;
+
typedef struct
{
ikev2_state_t state;
u8 unsupported_cp;
u8 initial_contact;
- ip4_address_t iaddr;
- ip4_address_t raddr;
+ ip_address_t iaddr;
+ ip_address_t raddr;
u64 ispi;
u64 rspi;
u8 *i_nonce;
/* pending rekeyings */
ikev2_rekey_t *rekey;
+ ikev2_rekey_t *new_child;
+
/* packet data */
u8 *last_sa_init_req_packet_data;
u8 *last_sa_init_res_packet_data;
/* retransmit */
+ /* message id expected in the request from the other peer */
u32 last_msg_id;
u8 *last_res_packet_data;
u8 is_initiator;
+ /* last message id that was used for an initiated request */
u32 last_init_msg_id;
- u8 is_profile_index_set;
u32 profile_index;
+ u8 is_tun_itf_set;
+ u32 tun_itf;
+ u8 udp_encap;
+ u16 ipsec_over_udp_port;
+
+ f64 old_id_expiration;
+ u32 current_remote_id_mask;
+ u32 old_remote_id;
+ u8 old_remote_id_present;
+ u8 init_response_received;
ikev2_child_sa_t *childs;
+
+ u8 liveness_retries;
+ f64 liveness_period_check;
+
+ u16 dst_port;
+ u32 sw_if_index;
+
+ /* is NAT traversal mode */
+ ikev2_natt_state_t natt_state;
+ u8 keys_generated;
+
+ ikev2_stats_t stats;
} ikev2_sa_t;
typedef struct
{
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+
/* pool of IKEv2 Security Associations */
ikev2_sa_t *sas;
/* hash */
uword *sa_by_rspi;
+
+ EVP_CIPHER_CTX *evp_ctx;
+ HMAC_CTX *hmac_ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX _hmac_ctx;
+ EVP_CIPHER_CTX _evp_ctx;
+#endif
} ikev2_main_per_thread_data_t;
typedef struct
/* API message ID base */
u16 msg_id_base;
+
+ /* log class used for main thread */
+ vlib_log_class_t log_class;
+
+ /* logging level */
+ ikev2_log_level_t log_level;
+
+ /* how often a liveness check will be performed */
+ u32 liveness_period;
+
+ /* max number of retries before considering peer dead */
+ u32 liveness_max_retries;
+
+ /* dead peer detection */
+ u8 dpd_disabled;
+
+ /* pointer to name resolver function in dns plugin */
+ int (*dns_resolve_name) ();
} ikev2_main_t;
extern ikev2_main_t ikev2_main;
int len);
v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
int len);
-v8 *ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len);
-int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst);
+int ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, u8 * data, int len,
+ u32 * out_len);
+int ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst);
+int ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
+ ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
+ v8 * src, u8 * dst, u8 * aad,
+ u32 aad_len, u8 * tag);
+int ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
+ ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
+ u8 * data, int data_len, u8 * aad, u32 aad_len,
+ u8 * tag, u32 * out_len);
void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
-ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep);
-ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep);
-ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep);
-ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep);
-
+ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep,
+ u32 rlen);
+ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen);
+ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep,
+ u32 rlen);
+ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep,
+ u32 rlen);
+int ikev2_set_log_level (ikev2_log_level_t log_level);
+u8 *ikev2_find_ike_notify_payload (ike_header_t * ike, u32 msg_type);
+void ikev2_disable_dpd (void);
+clib_error_t *ikev2_profile_natt_disable (u8 * name);
+
+static_always_inline ikev2_main_per_thread_data_t *
+ikev2_get_per_thread_data ()
+{
+ u32 thread_index = vlib_get_thread_index ();
+ return vec_elt_at_index (ikev2_main.per_thread_data, thread_index);
+}
#endif /* __included_ikev2_priv_h__ */
Code Review / vpp.git / blobdiff